My Browser was hijacked

Discussion in 'adware, spyware & hijack cleaning' started by rotchi, Dec 1, 2003.

Thread Status:
Not open for further replies.
  1. rotchi

    rotchi Guest

    My browser is loading a page t.rack.cc/hp.php or a variation of this page.
    Another page which is sometimes loaded is search-aid.com/search.php?qq

    If I set my default page to Blank it will stay that way for a few hours and then switch back to the above page.

    I have been using Ad-Aware 6 for a long time and it always finds Cydoor, which returns even when I remove it again and again, but this one is new and I am not sure if it's related to Cydoor.

    I would appreciate any advice you can give me.

    Thanks,
    Rotchi

    I have used Ad-Aware 6 and then HijackThis:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:20:44 AM, on 12/1/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\EMC VPN\VPN Client\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\Hummbird\inetd32.exe
    C:\Program Files\Aladdin Systems\Internet Cleanup\icserv.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\EPOAgent\naimas32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\EPOAgent\naimag32.exe
    C:\WINNT\ms\sms\Core\Bin\Launch32.exe
    C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
    C:\PROGRA~1\Zinio\ZDLM.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Babylon\babylon.exe
    C:\Program Files\EMC\SymmRemote\SRPerfTool.exe
    C:\EMCSoftware\EMCSIUser.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
    C:\Program Files\Aladdin Systems\Internet Cleanup\onictask.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Copernic Agent\CopernicAgent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\DOCUME~1\ron\LOCALS~1\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/hp.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/sp.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EMC Corp
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = slipgate.us.dg.com:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 128.221.*.*;128.222.*.*;152.62.*.*;199.245.235.*;*.dg.com;*.clariion.com;infolibs;*.*.emc.com;<local>
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/hp.php
    R3 - URLSearchHook: ViewSource Class - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\ron\Application Data\winshow\winshow.dll
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINNT\msfpfd.dll
    O2 - BHO: (no name) - {35EB9C91-1CA6-11d5-8B2B-00C04F779127} - C:\PROGRA~1\INS\VITALA~1\Program\VAIEHE~1.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
    O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
    O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\ms\sms\Core\Bin\Launch32.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Babylon Translator] C:\Program Files\Babylon\babylon.exe
    O4 - HKCU\..\Run: [dlmMgr] "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe"
    O4 - Startup: IC Task Manager.lnk = C:\Program Files\Aladdin Systems\Internet Cleanup\onictask.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: EMC VPN Client.lnk = C:\Program Files\EMC VPN\VPN Client\ipsecdialer.exe
    O4 - Global Startup: EMCRemote Performance Tool.lnk = C:\Program Files\EMC\SymmRemote\SRPerfTool.exe
    O4 - Global Startup: EMCSI.lnk = C:\EMCSoftware\EMCSIUser.exe
    O4 - Global Startup: Image Express Utility 1.0.lnk = C:\Program Files\NEC Projector User Supportware\Image Express Utility 1.0\PJSENDER.exe
    O4 - Global Startup: Launch Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
    O4 - Global Startup: VitalAgent.lnk = C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {69432678-2906-2705-1128-068943397621} -
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zinio.com/reader/isetup.cab
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37776.334525463
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eng.emc.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eng.emc.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.emc.com,isus.emc.com,lss.emc.com,eng.emc.com,webo.dg.com,us.dg.com,rtp.dg.com,emc.com,legato.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eng.emc.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.emc.com,isus.emc.com,lss.emc.com,eng.emc.com,webo.dg.com,us.dg.com,rtp.dg.com,emc.com,legato.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.emc.com,isus.emc.com,lss.emc.com,eng.emc.com,webo.dg.com,us.dg.com,rtp.dg.com,emc.com,legato.com
     
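The R0/R1 lines in the log above are where the hijack shows: both the HKCU and HKLM start/search values point at t.rack.cc, so the change is machine-wide, not just in one user profile. The following is an added example (not HijackThis and not part of any post in this thread) that parses those R0/R1 lines and flags every URL whose host is not one the machine's owner expects; the expected-host list is an assumption made for the example, and the sample lines are copied from the log above.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the R0/R1 lines posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/hp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EMC Corp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/hp.php
"""

# Hosts the owner would legitimately point the browser at (assumption for this example).
EXPECTED_HOSTS = {"yahoo.com", "www.yahoo.com"}

# HijackThis R-line layout: "<R0|R1> - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")


def parse_r_entries(log_text):
    """Yield (section, hive, key, value_name, data) for each R0/R1 line."""
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            yield m.groups()


def flag_hijacked(log_text, expected_hosts=EXPECTED_HOSTS):
    """Return (hive, value_name, host) for every URL-valued entry whose
    host is outside expected_hosts. Non-URL values such as 'Window Title'
    are skipped. An entry flagged under both HKCU and HKLM tells the
    responder the setting is machine-wide and will come back after fixing
    a single user's profile."""
    flagged = []
    for _section, hive, _key, value_name, data in parse_r_entries(log_text):
        host = urlparse(data).hostname  # None for plain text values
        if host and host not in expected_hosts:
            flagged.append((hive, value_name, host))
    return flagged


if __name__ == "__main__":
    for hive, name, host in flag_hijacked(SAMPLE_LOG):
        print(f"{hive:4} {name:<16} -> {host}")
```

Against the sample it reports four entries, all pointing at t.rack.cc, two of them under HKLM.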
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi rotchi,

    Please download, unzip and run: http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip

    Could you please post a new log after a reboot?
    There is some more I'd like to have a closer look at, once the worst part is out of the way.

    Regards,

    Pieter