It looks like you're using an Ad Blocker.

Please white-list or disable AboveTopSecret.com in your ad-blocking tool.

Thank you.

 

Some features of ATS will be disabled while you continue to use an ad-blocker.

 

Strange Browser Hijack - Need Some Help On This One :-D

page: 1
0

log in

join
share:

posted on Jun, 18 2004 @ 12:15 AM
link   
Normally I wouldn't ask for help for something like this, but I just can't seem to get rid of this browser hijack! I have tried Spybot, LavaSoft AdAware, Avast Virus Software, TrendMicro Virus Software, and many other Spyware/Adware/Virus detection software - none of them detect this thing! I know it is a file on my computer that causes my start page and search engine queries to be redirected to www.e-catalog.org...

I also think whatever the program is, it is sending out information over my network connection because I am seeing information being sent out when I am not even accessing the net. This is the first browser hijack I have had in a year! I don't know how I could have gotten it. This problem started about a day ago. I probably accidently visited a website that took advantage of some IE flaw. I'm all up to date on Microshaft fixes though. :-/ It might be a new variant of some old browser hijack, I just don't know though.

Any help would be most appreciated!



posted on Jun, 18 2004 @ 09:35 AM
link   
Download and run HijackThis. Then post the logfile for me or somebody else to look over....



posted on Jun, 23 2004 @ 10:17 AM
link   
If Spybot doesn't catch it, there's a good chance that you have something more than a browser plugin. Probably an program installed to run as a service and hijack you search and home page no matter how many times you change it. The best thing to do is find out what services are running on your computer and find out what each one does.

Once you find the offending software, you should delete it and any reference to it in the registry. If you don't know where to start, follow dramelandmafia's advice in the previous post. People that make this crap should be severly punished for their crimes.



posted on Jun, 23 2004 @ 10:48 AM
link   
Im having the same problem and it also has hijacked my AIM so heres my log:

ogfile of HijackThis v1.97.7
Scan saved at 10:52:55 AM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\mzbxfp.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Tweak-XP Pro\AdBlocker.exe
C:\Program Files\Tweak-XP Pro\tranicon.exe
C:\Program Files\Tweak-XP Pro\popup.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\instant messenger\aim95.exe
C:\DOCUMENTS AND SETTINGS\ROSSCO BURGESS\DESKTOP\Install_AIM_np.exe
C:\DOCUME~1\ROSSCO~1\LOCALS~1\Temp\GLB13.tmp
C:\PROGRA~1\INSTAN~1\WxBug.EXE
C:\unzipped\hijackthis1977\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ROSSCO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROSSCO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ROSSCO~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ROSSCO~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROSSCO~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ROSSCO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _[CFBFAE00-17A6-11D0-99CB-00C04FD64497] - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - [000020DD-C72E-4113-AF77-DD56626C6C42] - (no file)
O2 - BHO: MyWay Search Assistant BHO - [04079851-5845-4dea-848C-3ECD647AA554] - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: myBar BHO - [0494D0D1-F8E0-41ad-92A3-14154ECE70AC] - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - [06849E9F-C8D7-4D59-B87D-784B7D6BE0B3] - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - [53707962-6F74-2D53-2644-206D7942484F] - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - [8C2CED55-06B6-485B-B057-00AAB42274B4] - C:\WINDOWS\System32\epnpala.dll
O3 - Toolbar: &Radio - [8E718888-423F-11D2-876E-00A0C9082467] - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - [0494D0D9-F8E0-41ad-92A3-14154ECE70AC] - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [zzzHPSETUP] F:\Setup.exe
O4 - HKLM\..\Run: [Cleanup] D:\Complete Cleanup Trial\compind.bat
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [zuqnutfeo] C:\WINDOWS\System32\mzbxfp.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe"
O4 - HKCU\..\Run: [TransparentIcons] "C:\Program Files\Tweak-XP Pro\tranicon.exe" -ex
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro\popup.exe"
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\ROSSBU~1.ROS\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: [166B1BCA-3F9C-11CF-8075-444553540000] (Shockwave ActiveX Control) - download.macromedia.com...
O16 - DPF: [70BA88C8-DAE8-4CE9-92BB-979C4A75F53B] (GSDACtl Class) - launch.gamespyarcade.com...
O16 - DPF: [74D05D43-3236-11D4-BDCD-00C04F9A3B61] (HouseCall Control) - a840.g.akamai.net...
O16 - DPF: [9A9307A0-7DA4-4DAF-B042-5009F29E09E1] (ActiveScan Installer Class) - www.pandasoftware.com...
O16 - DPF: [B942A249-D1E7-4C11-98AE-FCB76B08747F] (RealArcadeRdxIE Class) - games-dl.real.com...
O16 - DPF: [C75BE5CC-7F80-458C-8B66-FAB86E3B13C3] (FotkiUploader Control) - images.fotki.com...
O16 - DPF: [D27CDB6E-AE6D-11CF-96B8-444553540000] (Shockwave Flash Object) - download.macromedia.com...
O16 - DPF: [F54C1137-5E34-4B95-95A5-BA56D4D8D743] (Secure Delivery) - www.gamespot.com...



posted on Jun, 24 2004 @ 09:27 AM
link   
Agent47, I just skimmed your log and will try to look at it more closely later. I did notice a couple of things:

- It doesn't look like all the files for your Symantec antivirus are loaded.
- I don't recognize two of the files that are loading and didn't get any hits on a web search.
C:\WINDOWS\System32\mzbxfp.exe
C:\WINDOWS\System32\epnpala.dll
That indicates you might, at least, be dealing with a worm like
W32/Zafi-A aka Erkez.

Use Trend Micro's online housecall scanner and see if it finds anything.
housecall.trendmicro.com...

And, if you feel adventurous, try locating those files, re-name them, and re-boot.




 
0

log in

join