Search for... Home Search... Startpage hack :(

Discussion in 'adware, spyware & hijack cleaning' started by Geist, Jun 27, 2004.

Thread Status:
Not open for further replies.
  1. Geist

    Geist Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    9
    Hello,

    i had alot of luck getting startpages on both my notebook and my desktop pc. While CWShredder, Spybot and HijackThis didnt do their job getting my nice site removed i would really appreciate help.

    The first site i have is "Search for..." and on my adressbar i only can see "about:blank" and i wouldnt know how to remove thisone

    This my desktop PC HijackThis Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 21:01:11, on 24.06.2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Programme\QuickTime\qttask.exe
    C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Programme\ICQPlus\vplus.exe
    C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
    C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Programme\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\Java\j2re1.4.2_04\bin\javaw.exe
    C:\Programme\Outlook Express\msimn.exe
    C:\Programme\Messenger\msmsgs.exe
    C:\Programme\Internet Explorer\IEXPLORE.EXE
    C:\MyStuff\Programme\HijackThis.exe
    C:\Programme\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\Daniel\LOKALE~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\Daniel\LOKALE~1\Temp\sp.html
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - (no file)
    O2 - BHO: (no name) - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ICQ Plus] "C:\Programme\ICQPlus\vplus.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111157} -
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37902.5721875
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab














    The second site i have is "Home Search..." and on my adressbar i only can see "res://ewwid.dll/index.html#37049" and i wouldnt know how to remove thisone

    And this is my Notebook Hijack THis Log

    Home Search
    res://ewwid.dll/index.html#37049


    Logfile of HijackThis v1.97.7
    Scan saved at 18:16:41, on 20.06.2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\SYSTEM32\THOTKEY.EXE
    C:\Programme\TOSHIBA\TME2\Tmesrv2.exe
    C:\WINNT\System32\WFXSVC.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Programme\winfax\WFXMOD32.EXE
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\nthj.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\TPWRTRAY.EXE
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINNT\System32\Promon.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINNT\System32\wfxsnt40.exe
    C:\WINNT\system32\sdkne.exe
    C:\WINNT\System32\internat.exe
    D:\Brkovic\Spybot - Search & Destroy\TeaTimer.exe
    C:\Programme\TOSHIBA\NetDevSw\NetDevSW.exe
    C:\Programme\Nikon\NkView6\NkvMon.exe
    C:\Programme\winfax\WFXCTL32.EXE
    C:\Programme\Internet Explorer\IEXPLORE.EXE
    D:\Brkovic\Sonstiges\rep\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.de/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ewwid.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ewwid.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ewwid.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ewwid.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ewwid.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\ewwid.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von Coperion Waeschle GmbH & Co KG
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gg1/as.pac
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {30CB4B7D-9FCD-DDAB-5082-C38898BF818C} - C:\WINNT\ntlu.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Programme\TOSHIBA\TME2\TMESRV2.EXE /logon
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [sdkne.exe] C:\WINNT\system32\sdkne.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Brkovic\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Network Device Switch.lnk = C:\Programme\TOSHIBA\NetDevSw\NetDevSW.exe
    O4 - Global Startup: NkvMon.exe.lnk = C:\Programme\Nikon\NkView6\NkvMon.exe
    O4 - Global Startup: Controller.LNK = C:\Programme\winfax\WFXCTL32.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.coperion.com/
    O15 - Trusted Zone: http://intranet.coperion.com
    O15 - Trusted Zone: http://intranet.wgt.de.coperion.com
    O15 - Trusted Zone: http://waeschlenet.waeschle.de
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Thanks for any help!
     
    Geist, Jun 27, 2004
    #1
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...