Homepage Hijack- ewizard.cc PLEASE HELP.


3 replies to this topic

#1 Dazarooni

Dazarooni

    Member

  • New Member
  • Pip
  • 4 posts

Posted 21 June 2004 - 07:44 AM

Hello.
Could someone please help me with an ongoing issue that I have. My webpage was hijacked about 3 weeks ago and I have downloaded Spybot-S&D, Webroot, and a few other programs but none of them have solved my problem. One program that I did download detected the homepage hijack and I became excited that finally I could get rid of it, but to my horror, it said I needed to purchase the product if I wanted it removed!!!! I couldn't believe it! :(. Anyways I have downloaded HijackThis and the R1 and R0 settings are coming up as Obfuscated? I read the tutorial and thought I would be able to delete the right areas to solve the problem, but when I deleted them, rebooted and opened up IE, the problem was back!

The home page keeps getting set as home:blank and is coming up as a search portal. Popups then follow and they are coming from c1dcon.ewizard.com.

I am currently at work and will post my log as soon as I get on my laptop at home, and I'm on XP Home. I would be very very grateful if someone could help me with this nasty piece of crap, it is driving me mad!!

Will someone kindly help me with my problem? I will post my log in about 4-5 hours from now when I finish work and return home.

Thank you :)

#2 Dazarooni


Posted 21 June 2004 - 12:01 PM

Hello again.
OK, here is my log. I would be very grateful if some of you knowledgeable folk could give me some advice on this. It really is driving me crazy. Like I said, about:bank comes up with a search portal and pop-ups follow, coming from c1dcon.ewizard.cc

Here it is! :)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\necmfk\necmfk.exe
C:\ATI Control Panel\atiptaxx.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lkongb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lkongb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lkongb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lkongb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lkongb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lkongb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6F060838-CF62-4A68-B1CB-EB6FB4D0E236} - C:\WINDOWS\System32\lkongb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NECMFK] C:\Program Files\necmfk\necmfk.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Packard Bell (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.sc5....v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest....tivePreQual.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E403DE1C-C4E0-47C8-B75E-6E405DAD9455}: NameServer = 62.55.80.67 193.189.244.197
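
An added example, not part of the original thread: a small Python parser for HijackThis lines of the kind posted above. It cross-references the DLLs named in `res://` values of R0/R1 entries with the DLLs registered as O2 Browser Helper Objects, so that both sets of entries for one file are reviewed together. The sample lines are a subset copied from the log above; the function names are illustrative.

```python
import re

# Constructed input: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lkongb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lkongb.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6F060838-CF62-4A68-B1CB-EB6FB4D0E236} - C:\WINDOWS\System32\lkongb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

R_LINE = re.compile(r"^R[0-3] - (?P<key>.+?),(?P<name>[^=,]+?) = (?P<value>.*)$")
# The CLSID anchors the split, so a " - " inside the DLL path is kept intact.
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)(?=/|$)", re.IGNORECASE)
FLAG = " (obfuscated)"

def parse_log(text):
    """Return (settings, bhos) parsed from HijackThis R* and O2 lines."""
    settings, bhos = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            value = m["value"]
            flagged = value.endswith(FLAG)
            if flagged:
                value = value[: -len(FLAG)]
            res = RES_DLL.match(value)
            settings.append({"setting": f'{m["key"]},{m["name"]}', "value": value,
                             "obfuscated": flagged,
                             "dll": res["dll"].lower() if res else None})
        elif m := BHO_LINE.match(line):
            bhos.append({"clsid": m["clsid"], "path": m["path"].lower()})
    return settings, bhos

def dlls_behind_settings(text):
    """Map each BHO DLL that IE settings also point into to its CLSID and those settings."""
    settings, bhos = parse_log(text)
    report = {}
    for bho in bhos:
        hits = [s["setting"] for s in settings if s["dll"] == bho["path"]]
        if hits:
            report[bho["path"]] = {"clsid": bho["clsid"], "settings": hits}
    return report

if __name__ == "__main__":
    for dll, info in dlls_behind_settings(SAMPLE_LOG).items():
        print(dll, info["clsid"], *info["settings"], sep="\n  ")
```
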

#3 Dazarooni


Posted 22 June 2004 - 08:55 AM

hmmmm :whistle:

#4 Dazarooni


Posted 23 June 2004 - 09:15 AM

:wave: hello? anyone see me? lol.



