system
February 3, 2004, 11:22pm
1
I’ve just had Avast recognise the Win32:Esepor trojan. I’ve deleted the relevant files and removed registry entries as advised by other websites…no problem with that…
My problem is that since this virus, my IE homepage has been set to www.magicsearch.ws and all attempts to reset my homepage have failed (it simply changes itself back to www.magicsearch.ws).
I’ve even tried searching the registry for “magicsearch” which crops up quite a lot. Again, trying to delete the setting in the registry (or changing the reference to magicsearch) only results in it resetting itself back to magicsearch on reopening the registry!!
Anyone have any ideas? I don’t really want to reformat, but that’s looking like my only option at the moment.
Many thanks.
Keith.
PS…re-scanning with Avast now shows that I have no viruses.
Mac
February 3, 2004, 11:28pm
2
Have you scanned with Ad-Aware or Spybot to see if it left any spyware components?
system
February 3, 2004, 11:57pm
3
Yes, I’ve tried both with no success.
system
February 4, 2004, 12:01am
4
Hi,
try cwshredder
and/or post a log of Hijackthis
Links: www.merijn.org → Downloads
system
February 4, 2004, 12:48am
5
Couldn’t use the link you provided, got there using 216.180.233.153
CWShredder found the problem and fixed it, but on opening IE the problem returned!!
Logfile of HijackThis v1.97.7
Scan saved at 00:45:33, on 04/02/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Windows\system\time.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Keith Bonney\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM..\Run: [AGNTDK] C:\WINDOWS\AGNTDK.exe
O4 - HKLM..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [MicrosoftWindows] C:\Windows\system\time.exe
O4 - HKCU..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [MicrosoftWindows] C:\Windows\system\time.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: AOL Instant Messenger ™ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://magicsearch.ws/?q=
O13 - WWW Prefix: http://magicsearch.ws/?q=
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} - http://cdn.climaxbucks.com/internet-optimizer/080703/UniDistIOcrack.CAB
O17 - HKLM\System\CCS\Services\Tcpip..{A3E5D502-5A05-42A8-96BB-2C5A03CF24D7}: NameServer = 193.38.113.3 194.117.157.4
Mac
February 4, 2004, 1:10am
6
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
Looks like the problem.
system
February 4, 2004, 11:48am
7
Also:
Belt
Belt.exe
Abetterinternet adware related
http://www.sysinfo.org/startuplist.php?filter=belt&count=&type=
AGNTDK.exe & UniDistIOcrack.CAB: what are these?
Did you close all browser windows before scanning with Ad-Aware, Spybot and CWShredder? Did you update the progs after installing?
Fix all entries in HJT that contain magicsearch.
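As an added example (not code from this thread, from HijackThis or from Avast), a small Python triage script that parses lines in the HijackThis log format posted above and flags the entry types the replies point at: R0/R1/O13 lines referencing the hijacker domain, a BHO with no file, Run entries launching executables straight out of \Windows or \Windows\system, an O16 ActiveX download with no registered name, and the O17 NameServer override. The directory heuristic is an assumption for illustration, and the sample log is constructed from entries copied out of the log in this thread.

```python
import re

# Constructed sample in HijackThis v1.97 log format; entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM..\Run: [MicrosoftWindows] C:\Windows\system\time.exe
O13 - DefaultPrefix: http://magicsearch.ws/?q=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} - http://cdn.climaxbucks.com/internet-optimizer/080703/UniDistIOcrack.CAB
O17 - HKLM\System\CCS\Services\Tcpip..{A3E5D502-5A05-42A8-96BB-2C5A03CF24D7}: NameServer = 193.38.113.3 194.117.157.4
"""

HIJACK_DOMAINS = {"magicsearch.ws"}  # the domain this thread identifies as the hijacker
ENTRY_RE = re.compile(r"^(R[01]|O\d+) - (.*)$")
RUN_PATH_RE = re.compile(r'\]\s*"?([A-Za-z]:\\[^"]+?\.exe)', re.IGNORECASE)
# Assumed heuristic: a Run entry whose executable sits directly in \Windows or \Windows\system
# (rather than Program Files or System32) is worth a second look, as Belt.exe and time.exe do here.
SUSPECT_DIRS = {"c:\\windows", "c:\\windows\\system"}


def hijacker_entries(log_text, domain="magicsearch.ws"):
    """Every HJT entry that mentions the hijacker domain: the lines the advice above says to fix."""
    return [line for line in log_text.splitlines() if domain in line.lower()]


def triage(log_text):
    """Return (section, reason, line) for each HJT entry that deserves review."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        low = body.lower()
        if section in ("R0", "R1", "O13") and any(d in low for d in HIJACK_DOMAINS):
            findings.append((section, "IE start/search setting points at hijacker domain", line))
        elif section == "O2" and "(no file)" in low:
            findings.append((section, "orphaned BHO registration (file missing)", line))
        elif section == "O4":
            pm = RUN_PATH_RE.search(body)
            if pm and pm.group(1).rsplit("\\", 1)[0].lower() in SUSPECT_DIRS:
                findings.append((section, "autorun executable outside the usual program directories", line))
        elif section == "O16" and not re.search(r"\)\s+-\s+http", body):
            findings.append((section, "ActiveX download with no registered control name", line))
        elif section == "O17" and "nameserver" in low:
            findings.append((section, "DNS servers overridden; confirm they belong to your ISP", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```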
system
February 4, 2004, 8:19pm
8
Yes, closed all programs.
Did a HD search for AGNTDK, came up with AGNTDK.EXE-01BAE163.pf found in C:/ Windows/prefetch
Also did a search for UniDistIOcrack, found nothing but doesn’t cdn.climaxbucks.com sound iffy?
system
February 4, 2004, 8:20pm
9
Mac
February 4, 2004, 8:32pm
10
Oops, forgot those. They need to be fixed too.