
Hijacked browser? please help me.


Original Message
Name: rents
Date: March 7, 2004 at 14:19:01 Pacific
Subject: Hijacked browser? please help me.
OS: WinXP Pro.
CPU/Ram: P4 2.6
Comment:

Hiya. Whenever I try to access certain websites I get a light-blue site with a link "ENTER" that goes to http://links.verotel.com/cgi-bin/showsite....804000000515758
Other people tried to access the same sites, and they can do it properly. Therefore I reached the conclusion that my browser has been hijacked.

OS: WinXP Pro. (updated) Browser: Internet Explorer 6.
Anti spyware software installed:

- Ad-aware 6.0 professional edition. - Found nothing.
- Spybot (updated). - Found and fixed a few registry keys. (somaticab was one of them).
- Spywareblaster (updated).

I also scanned my computer with Norton AV 2004 Pro, PC-Cillin's online scanner and The Cleaner. Nothing was detected.

HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 06:29:28 p.m., on 07/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Norton Internet Security\NISUM.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\Wcgopsvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Outlook Express\msimn.exe
C:\Archivos de programa\Norton AntiVirus\OPScan.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SetCacheMode] Rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CTStartup] C:\Archivos de programa\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [WebCam Go Plus Sti Service Application] Wcgopsvc
O4 - HKLM\..\Run: [ccApp] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARCHIV~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [SpyKiller] C:\Archivos de programa\SpyKiller\spykiller.exe /startup
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{455509BB-9F7D-4A9F-961E-F46A3CC7B25F}: NameServer = 200.51.254.238 200.51.208.21


By the way, I downloaded CWShredder and scanned my computer with it; nothing was detected. Also, I tried accessing these webpages via an HTTP proxy, and the webpage loads properly.

This is the source code of the fake webpage:


</script>

</HTML>





Response Number 1
Name: Wombat
Date: March 7, 2004 at 14:22:22 Pacific

Go and post your hjt log here...

www.netrn.net/phpBB2/

Illegitimi non carborundum est



Response Number 2
Name: MrCharlie
Date: March 7, 2004 at 14:55:00 Pacific

Put HJT in its own folder and, with only it running, fix this one. See if that fixes it. You should also uninstall SpyKiller; it's junk and shouldn't be on your system.

O17 - HKLM\System\CCS\Services\Tcpip\..\{455509BB-9F7D-4A9F-961E-F46A3CC7B25F}: NameServer = 200.51.254.238 200.51.208.21




Response Number 3
Name: rents
Date: March 7, 2004 at 15:00:53 Pacific

Thanks, that solved it!



Response Number 4
Name: rents
Date: March 7, 2004 at 15:03:04 Pacific

Wait... that didn't solve it. Damn it. When I loaded the page, it loaded properly. I tried again 5 seconds later and the same fake webpage was there again. :|

Logfile of HijackThis v1.97.7
Scan saved at 08:02:51 p.m., on 07/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Norton Internet Security\NISUM.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\Wcgopsvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.11.26.142:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SetCacheMode] Rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CTStartup] C:\Archivos de programa\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [WebCam Go Plus Sti Service Application] Wcgopsvc
O4 - HKLM\..\Run: [ccApp] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARCHIV~1\NORTON~2\AdvTools\ADVCHK.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab




Response Number 5
Name: MrCharlie
Date: March 7, 2004 at 16:00:43 Pacific

If you recognize these, leave them; if not, have them fixed. I don't see anything else, let me know.
This one is new!!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.11.26.142:8080
This one was there before, just check to see if it's OK, you know your system better than I do.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos


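A small script, added here and not part of the thread, that does what MrCharlie did by hand: it parses HijackThis entry lines, reports which entries appeared or disappeared between the two logs, and flags the two kinds this thread turns on (an O17 NameServer override and an R1 ProxyServer setting) for the owner to confirm. The two log excerpts are constructed from lines quoted above, not full scan output.

```python
import re
from typing import List, Tuple

# Constructed excerpts of the two HijackThis logs quoted in this thread; the real
# logs are longer, only the lines relevant to the discussion are reproduced.
LOG_BEFORE = r"""
Logfile of HijackThis v1.97.7
O4 - HKLM\..\Run: [ccApp] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Archivos de programa\SpyKiller\spykiller.exe /startup
O17 - HKLM\System\CCS\Services\Tcpip\..\{455509BB-9F7D-4A9F-961E-F46A3CC7B25F}: NameServer = 200.51.254.238 200.51.208.21
"""
LOG_AFTER = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.11.26.142:8080
O4 - HKLM\..\Run: [ccApp] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
"""

# A HijackThis entry line is "<section> - <body>", e.g. "O17 - HKLM\...: NameServer = ...".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")

Entry = Tuple[str, str]

def parse_hjt(text: str) -> List[Entry]:
    """Return (section, body) pairs; the header and running-process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries present only in `after` (new) and entries present only in `before` (gone)."""
    old, new = parse_hjt(before), parse_hjt(after)
    added = [e for e in new if e not in old]
    removed = [e for e in old if e not in new]
    return added, removed

def triage(entries: List[Entry]) -> List[str]:
    """Flag DNS and proxy overrides: both silently redirect where the browser's traffic goes."""
    flags = []
    for section, body in entries:
        if section == "O17" and "NameServer" in body:
            servers = body.split("NameServer =", 1)[1].split()
            flags.append(f"O17 DNS override: resolvers {servers} (confirm they are your ISP's)")
        elif section == "R1" and "ProxyServer" in body:
            proxy = body.split("ProxyServer =", 1)[1].strip()
            flags.append(f"R1 proxy set: all IE traffic routes via {proxy} (confirm you set it)")
    return flags
```

Run `diff_logs(LOG_BEFORE, LOG_AFTER)` to see the new R1 line and the removed O17/SpyKiller lines, then `triage()` on either side to get the review prompts.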


Response Number 6
Name: rents
Date: March 7, 2004 at 16:08:29 Pacific

Yeah, I set that HTTP proxy, since I can view these certain webpages properly if I'm behind a proxy. The only thing Spybot detected this afternoon was SomaticCab.setup, and it was deleted along with a few registry keys.



Response Number 7
Name: MrCharlie
Date: March 7, 2004 at 17:25:39 Pacific

I don't think you have run this program yet. Download it and run it from your desktop and see if it finds anything.

CW-Shredder



Response Number 8
Name: MrCharlie
Date: March 7, 2004 at 17:47:33 Pacific

Clean up the system also (this is for 98 and ME but should be close for XP):
Open up IE, and from the drop-down menu choose Tools, Internet Options, Delete Temporary Internet Files and cookies. (cookies optional)
Go to Start, Run, type temp, and delete all the files in that folder.
Do the same for recent.
Delete all the .tmp and .chk files you can find. To do so, click Start/Find and in the search box (field) type *.tmp; this will search for all your temporary files. Repeat for .chk files by typing *.chk in the search field, making sure you are looking in 'C'. Empty the recycle bin.


