Author Topic: Win32:Esepor  (Read 6062 times)


gallilleo

  • Guest
Win32:Esepor
« on: February 04, 2004, 12:22:07 AM »
I've just had Avast recognise the Win32:Esepor trojan. I've deleted the relevant files and removed registry entries as advised by other websites. No problem with that.

My problem is that since this virus, my IE homepage has been set to www.magicsearch.ws and all attempts to reset my homepage have failed (it simply changes itself back to www.magicsearch.ws).

I've even tried searching the registry for "magicsearch" which crops up quite a lot. Again, trying to delete the setting in the registry (or changing the reference to magicsearch) only results in it resetting itself back to magicsearch on reopening the registry!!

Anyone have any ideas? I don't really want to reformat, but that's looking like my only option at the moment.

Many thanks.
Keith.

PS: re-scanning with Avast now shows that I have no viruses.

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:Win32:Esepor
« Reply #1 on: February 04, 2004, 12:28:35 AM »
Have you scanned with Ad-Aware or Spybot to see if it left any spyware components?
"People who are really serious about software should make their own hardware." - Alan Kay

gallilleo

  • Guest
Re:Win32:Esepor
« Reply #2 on: February 04, 2004, 12:57:45 AM »
Yes, I've tried both with no success.

whocares

  • Guest
Re:Win32:Esepor
« Reply #3 on: February 04, 2004, 01:01:40 AM »
Hi,

try cwshredder
and/or post a log of Hijackthis

Links: www.merijn.org -> Downloads

gallilleo

  • Guest
Re:Win32:Esepor
« Reply #4 on: February 04, 2004, 01:48:16 AM »
Couldn't use the link you provided, got there using 216.180.233.153

CWShredder found the problem and fixed it, but on opening IE the problem returned!!

Logfile of HijackThis v1.97.7
Scan saved at 00:45:33, on 04/02/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Windows\system\time.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Keith Bonney\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [AGNTDK] C:\WINDOWS\AGNTDK.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\time.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MicrosoftWindows] C:\Windows\system\time.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://magicsearch.ws/?q=
O13 - WWW Prefix: http://magicsearch.ws/?q=
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} - http://cdn.climaxbucks.com/internet-optimizer/080703/UniDistIOcrack.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E5D502-5A05-42A8-96BB-2C5A03CF24D7}: NameServer = 193.38.113.3 194.117.157.4




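The log above shows the same hijacker value written into both HKCU and HKLM, plus autorun entries, an O13 URL prefix, a downloaded CAB and a NameServer override. Reading a HijackThis log by hand is error-prone, so here is an added example, not HijackThis itself and not code from anyone in this thread, that parses log lines in this format, flags every entry referencing an indicator domain, and shows which hives set each IE value so the HKLM copy is not missed. The sample log is a constructed excerpt modelled on the posted one; the indicator list, the "binary sits directly in the Windows directory" heuristic and all function names are assumptions made for this illustration.

```python
"""Parse HijackThis-style log lines and flag hijacker-related entries.

Added example for this thread. Not HijackThis code and not code from the
forum posters. The sample log below is a constructed excerpt modelled on
the log posted above; INDICATORS and the path heuristic are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the posted HijackThis log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\time.exe
O4 - HKCU\..\Run: [MicrosoftWindows] C:\Windows\system\time.exe
O13 - DefaultPrefix: http://magicsearch.ws/?q=
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} - http://cdn.climaxbucks.com/internet-optimizer/080703/UniDistIOcrack.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E5D502-5A05-42A8-96BB-2C5A03CF24D7}: NameServer = 193.38.113.3 194.117.157.4
"""

# Every HijackThis entry line starts with a section code such as R1 or O17.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")

# What each section code controls (HijackThis section semantics).
SECTIONS = {
    "R0": "IE start page / search page registry value",
    "R1": "IE search URL registry value",
    "O2": "Browser Helper Object",
    "O4": "Autorun (Run key or Startup folder)",
    "O13": "IE URL prefix (prepended to a bare hostname)",
    "O16": "Downloaded Program Files (ActiveX control)",
    "O17": "TCP/IP NameServer (DNS resolver) override",
}

# Assumed indicator list for this illustration: the domains seen in the log.
INDICATORS = ("magicsearch.ws", "climaxbucks.com")

# Heuristic only: an executable dropped straight into C:\WINDOWS or
# C:\WINDOWS\system (not System32, not Program Files) deserves a look.
WINDIR_RE = re.compile(r"^[a-z]:\\windows(\\system)?\\[^\\]+\.(exe|dll)$", re.I)


def parse(log_text):
    """Return (code, body) for every entry line; header lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def flag(entries, indicators=INDICATORS):
    """Return (code, reason, body) for entries to fix or review."""
    flagged = []
    for code, body in entries:
        lower = body.lower()
        hit = next((d for d in indicators if d in lower), None)
        if hit:
            flagged.append((code, f"references indicator {hit}", body))
        elif code == "O2" and lower.endswith("(no file)"):
            flagged.append((code, "BHO CLSID registered but its DLL is missing", body))
        elif code == "O4":
            path = body.split("] ", 1)[-1].strip('"')
            if WINDIR_RE.match(path):
                flagged.append((code, "autorun binary directly in the Windows directory (heuristic, review)", body))
        elif code == "O17":
            flagged.append((code, "DNS resolvers set in the registry; confirm they are your ISP's", body))
    return flagged


def hives_per_value(entries):
    """Map each IE registry value (R0/R1) to the set of hives that set it.

    A value present under both HKCU and HKLM must be fixed in both, or the
    HKLM copy simply comes back as the default.
    """
    hives = defaultdict(set)
    for code, body in entries:
        if code not in ("R0", "R1"):
            continue
        target = body.partition(" = ")[0]
        hive, _, key_and_value = target.partition("\\")
        hives[key_and_value].add(hive)
    return dict(hives)


def report(log_text):
    """Human-readable summary: flagged entries followed by per-value hives."""
    entries = parse(log_text)
    lines = [f"{code} [{SECTIONS.get(code, '?')}] {reason}: {body}"
             for code, reason, body in flag(entries)]
    for value, hives in sorted(hives_per_value(entries).items()):
        lines.append(f"{value} set in: {', '.join(sorted(hives))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved HijackThis log instead of `SAMPLE_LOG` to get the same view. The point of `hives_per_value` is the one this thread turns on: the start page and search values exist under both HKCU and HKLM, and the `Default_Page_URL` value is what IE restores when you click "Use Default", so resetting only the HKCU start page changes nothing. The autorun, O13 prefix and O17 entries are flagged separately because they are the pieces that survive a browser-only cleanup.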
Offline .: Mac :.

Re:Win32:Esepor
« Reply #5 on: February 04, 2004, 02:10:10 AM »
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=


Looks like the problem.


whocares

  • Guest
Re:Win32:Esepor
« Reply #6 on: February 04, 2004, 12:48:13 PM »
Also:
Belt
Belt.exe
Abetterinternet adware related
http://www.sysinfo.org/startuplist.php?filter=belt&count=&type=

AGNTDK.exe & UniDistIOcrack.CAB what are these ?

Did you close all browser windows before scanning with Ad-Aware, Spybot and CWShredder? Did you update the programs after installing?
Fix all entries in HJT that contain magicsearch.

gallilleo

  • Guest
Re:Win32:Esepor
« Reply #7 on: February 04, 2004, 09:19:28 PM »
Yes closed all programs.

Did a HD search for AGNTDK, came up with AGNTDK.EXE-01BAE163.pf found in C:\Windows\Prefetch.

Also did a search for UniDistIOcrack, found nothing but doesn't cdn.climaxbucks.com sound iffy?

gallilleo

  • Guest
Re:Win32:Esepor
« Reply #8 on: February 04, 2004, 09:20:10 PM »
Also what about:

O13 - DefaultPrefix: http://www.magicsearch.ws/?q=
O13 - WWW Prefix: http://www.magicsearch.ws/?q=

Offline .: Mac :.

Re:Win32:Esepor
« Reply #9 on: February 04, 2004, 09:32:49 PM »
Oops, forgot those; they need to be fixed too.