|
|
#1
November 24th, 2003, 11:18 AM
|
|||
|
|||
my browser is hijacked
I have allready done a log file. Please analyze the file and give advice.
Thanks Logfile of HijackThis v1.97.7 Scan saved at 16:17:37, on 24.11.2003 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\atiptaxx.exe C:\Programme\Apoint2K\Apoint.exe C:\Programme\TOSHIBA\TouchPad\TPTray.exe C:\Programme\TOSHIBA\Power Management\CePMTray.exe C:\Programme\TOSHIBA\E-KEY\CeEKey.exe C:\Programme\Microsoft Works\WksSb.exe C:\WINDOWS\System32\ezSP_Px.exe C:\WINDOWS\System32\ctfmon.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe C:\WINDOWS\System32\taskmgr.exe C:\WINDOWS\regedit.exe C:\Programme\Apoint2K\Apntex.exe C:\Programme\Apoint2K\Ezcapt.exe C:\Dokumente und Einstellungen\Georg Rübensam\Lokale Einstellungen\Temp\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?vwjuo (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/---/?vwjuo (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search-click.com/search.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ehttp.cc/?www.tiscali.de R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?vwjuo (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?vwjuo (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?vwjuo (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?vwjuo (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search-click.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search-click.com/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search-click.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search-click.com/search.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?vwjuo (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?vwjuo (obfuscated) R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.york.ac.uk/proxy.config R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?vwjuo (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?vwjuo (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.rightfinder.net/search/ R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file) O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Programme\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOKUME~1\GEORGR~1\LOKALE~1\Temp\sqlfpok.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [TPNF] C:\Programme\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [CeEPOWER] C:\Programme\TOSHIBA\Power Management\CePMTray.exe O4 - HKLM\..\Run: [CeEKEY] C:\Programme\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Microsoft Works\WkDetect.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Programme\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe" O4 - HKLM\..\Run: [Soundmx] \soundmx.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe O4 - HKCU\..\Run: [WistererHX] "C:\Programme\Wisterer HX\wistererhx.exe" O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ? O4 - Global Startup: AOL 7.0 Tray-Symbol.lnk = C:\Programme\AOL 7.0\aoltray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: Recherche-Assistent (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: CompuServe (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O13 - DefaultPrefix: http://ehttp.cc/? O13 - WWW Prefix: http://ehttp.cc/? O13 - WWW. Prefix: http://ehttp.cc/? O19 - User stylesheet: C:\WINDOWS\Web\win.def O19 - User stylesheet: C:\WINDOWS\default.css (HKLM) |
|
#2
November 24th, 2003, 12:13 PM
|
||||
|
||||
|
Re:my browser is hijacked
Hi Georg,
Download, unzip and run: http://www.spywareinfo.com/~merijn/files/cwshredder.zip Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked: R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file) O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Programme\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOKUME~1\GEORGR~1\LOKALE~1\Temp\sqlfpok.dll Then reboot and let us know if that solved your problem. Regards, Pieter
__________________
Regards, Pieter It´s nice to be important, but it´s more important to be nice. Remove & Prevent spyware It's human to make mistakes. It's even more so to blame the computer for it. |
| « Previous Thread | Next Thread » |
| Thread Tools | Search this Thread |
|
|
