My Browser was hijacked

Discussion in 'adware, spyware & hijack cleaning' started by rotchi, Dec 1, 2003.

Thread Status:
Not open for further replies.
  1. rotchi

    rotchi Guest

    My browser is loading a page t.rack.cc/hp.php or variation of this page.
    Another page which is sometimes loaded is search-aid.com/search.php?qq

    If I set my default page to Blank it will stay that way for a few hours and then switch back to the above page.

    I have been using Ad-Aware 6 for a long time, and it always finds Cydoor, which returns even when I remove it again and again, but this one is new and I am not sure if it's related to Cydoor.

    I would appreciate any advice you can give me.

    Thanks,
    Rotchi

    I have used Ad-Aware 6 and then HijackThis:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:20:44 AM, on 12/1/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\EMC VPN\VPN Client\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\Hummbird\inetd32.exe
    C:\Program Files\Aladdin Systems\Internet Cleanup\icserv.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\EPOAgent\naimas32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\EPOAgent\naimag32.exe
    C:\WINNT\ms\sms\Core\Bin\Launch32.exe
    C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
    C:\PROGRA~1\Zinio\ZDLM.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Babylon\babylon.exe
    C:\Program Files\EMC\SymmRemote\SRPerfTool.exe
    C:\EMCSoftware\EMCSIUser.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
    C:\Program Files\Aladdin Systems\Internet Cleanup\onictask.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Copernic Agent\CopernicAgent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\DOCUME~1\ron\LOCALS~1\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/hp.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/sp.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EMC Corp
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = slipgate.us.dg.com:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 128.221.*.*;128.222.*.*;152.62.*.*;199.245.235.*;*.dg.com;*.clariion.com;infolibs;*.*.emc.com;<local>
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/hp.php
    R3 - URLSearchHook: ViewSource Class - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\ron\Application Data\winshow\winshow.dll
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINNT\msfpfd.dll
    O2 - BHO: (no name) - {35EB9C91-1CA6-11d5-8B2B-00C04F779127} - C:\PROGRA~1\INS\VITALA~1\Program\VAIEHE~1.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
    O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
    O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\ms\sms\Core\Bin\Launch32.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Babylon Translator] C:\Program Files\Babylon\babylon.exe
    O4 - HKCU\..\Run: [dlmMgr] "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe"
    O4 - Startup: IC Task Manager.lnk = C:\Program Files\Aladdin Systems\Internet Cleanup\onictask.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: EMC VPN Client.lnk = C:\Program Files\EMC VPN\VPN Client\ipsecdialer.exe
    O4 - Global Startup: EMCRemote Performance Tool.lnk = C:\Program Files\EMC\SymmRemote\SRPerfTool.exe
    O4 - Global Startup: EMCSI.lnk = C:\EMCSoftware\EMCSIUser.exe
    O4 - Global Startup: Image Express Utility 1.0.lnk = C:\Program Files\NEC Projector User Supportware\Image Express Utility 1.0\PJSENDER.exe
    O4 - Global Startup: Launch Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
    O4 - Global Startup: VitalAgent.lnk = C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {69432678-2906-2705-1128-068943397621} -
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zinio.com/reader/isetup.cab
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37776.334525463
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eng.emc.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eng.emc.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.emc.com,isus.emc.com,lss.emc.com,eng.emc.com,webo.dg.com,us.dg.com,rtp.dg.com,emc.com,legato.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eng.emc.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.emc.com,isus.emc.com,lss.emc.com,eng.emc.com,webo.dg.com,us.dg.com,rtp.dg.com,emc.com,legato.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.emc.com,isus.emc.com,lss.emc.com,eng.emc.com,webo.dg.com,us.dg.com,rtp.dg.com,emc.com,legato.com
     
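The R0/R1 lines in the log above are the registry values HijackThis reads for Internet Explorer's start and search pages, and five of them point at the same host. The following script is an added example, not part of the thread or of HijackThis itself: it parses R-lines in the format shown in the log, compares the host of each browser-setting URL against an allow-list of expected hosts (the allow-list and the embedded sample lines are constructed for this example), and groups the unexpected hosts by the hive and value name that reference them. It also lists O2 BHO entries reported as "(no name)" for manual review; as the log shows, legitimate add-ons such as Acrobat also appear unnamed, so that list is a review queue, not a verdict.

```python
"""Triage HijackThis R0/R1 and O2 entries for browser-setting hijacks.

Added example (not from the original thread). EXPECTED_HOSTS, HIJACK_SENSITIVE
and SAMPLE_LOG are constructed for illustration; the line formats follow the
HijackThis v1.97 log quoted in the thread.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# R-lines look like:  R1 - HKCU\Software\...\Main,Search Bar = http://host/path
R_LINE = re.compile(r"^(R[0-3]) - (HK(?:CU|LM)\\[^,]+),([^=]+?) = (.*)$")
# O2-lines look like: O2 - BHO: <name> - {CLSID} - <dll path>
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")

# IE values that control where the browser goes on start or search
# (analyst's choice; extend as needed).
HIJACK_SENSITIVE = {
    "Start Page", "Search Bar", "Search Page", "SearchAssistant",
    "SearchURL", "HomeOldSP", "Default_Page_URL", "Default_Search_URL",
}

# Constructed allow-list: hosts the user is known to have configured.
EXPECTED_HOSTS = {"yahoo.com", "www.yahoo.com"}

# Constructed sample: a subset of lines in the same shape as the posted log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/hp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EMC Corp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = slipgate.us.dg.com:80
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINNT\msfpfd.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
""".strip()


def parse_r_entries(log_text):
    """Split each R-line into section, registry key, value name and data."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            entries.append({
                "section": m.group(1),
                "key": m.group(2),
                "value": m.group(3).strip(),
                "data": m.group(4).strip(),
            })
    return entries


def host_of(data):
    """Return the lower-cased host of an http(s) URL, or None if data is not one.

    Non-URL data such as 'ProxyServer = host:80' or a window title yields None.
    """
    parsed = urlparse(data)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def find_hijacked_settings(log_text, expected_hosts):
    """Map each unexpected host to the 'HIVE:value name' settings pointing at it.

    Grouping by host makes a single hijack that rewrote several values
    (per-user and machine-wide) visible as one finding.
    """
    hits = defaultdict(list)
    for entry in parse_r_entries(log_text):
        if entry["value"] not in HIJACK_SENSITIVE:
            continue
        host = host_of(entry["data"])
        if host is None or host in expected_hosts:
            continue
        hive = entry["key"].split("\\", 1)[0]
        hits[host].append(f"{hive}:{entry['value']}")
    return dict(hits)


def unnamed_bhos(log_text):
    """List (CLSID, dll path) for O2 entries HijackThis shows as '(no name)'.

    These need a look-up of the CLSID or DLL; unnamed does not mean malicious.
    """
    found = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if m and m.group(1) == "(no name)":
            found.append((m.group(2), m.group(3).strip()))
    return found


if __name__ == "__main__":
    for host, settings in find_hijacked_settings(SAMPLE_LOG, EXPECTED_HOSTS).items():
        print(f"unexpected host {host}: {', '.join(settings)}")
    for clsid, path in unnamed_bhos(SAMPLE_LOG):
        print(f"review unnamed BHO {clsid} -> {path}")
```

Run against the full posted log instead of the sample, the grouping shows the same host referenced from both HKCU and HKLM values, which is why changing the home page in the browser's own settings (an HKCU write) is not enough to clear it.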
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi rotchi,

    Please download, unzip and run: http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip

    Could you please post a new log after a reboot?
    There is some more I'd like to have a closer look at, once the worst part is out of the way.

    Regards,

    Pieter
     