Jump to content


Photo

Can't get rid of hijacked home page.


  • Please log in to reply
1 reply to this topic

#1 Henry Jones

Henry Jones

    Member

  • New Member
  • Pip
  • 3 posts

Posted 29 July 2004 - 12:45 AM

My home page has been hi-jacked by e-catalog.org, I've tried all the usual spyware programs to no avail. Almost as soon as I run FIX with 'Hijack This' the home page is reset and the entries come right back. Please help! Someone else on this site had this problem but they did not leave documentation as to how they fixed it.

I am using Windows XP Pro with Norton Anti-Virus 2003 and Ad-Aware 6.0

Any help will be very much appreciated, and thanks in advance!

Here is my log:


Logfile of HijackThis v1.98.0
Scan saved at 1:41:59 AM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Inf\Catalog\su\srunner.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Windows\Inf\Catalog\su\explore.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\hrtcm.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\CURSORS\meta\oledac\backup\srunner.exe
c:\windows\cursors\meta\oledac\backup\repairx\SPOOLSVC.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-catalog.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-catalog.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-catalog.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e-catalog.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.e-catalog.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-catalog.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-catalog.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-catalog.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e-catalog.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.e-catalog.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-catalog.org
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SiSSetCDfmt] C:\WINDOWS\System32\SetCDfmt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Regx10EXE] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Hacker Eliminator] C:\Program Files\Hacker Eliminator\HackerEliminator.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winxm.exe] C:\WINDOWS\system32\winxm.exe
O4 - HKLM\..\Run: [iepg32.exe] C:\WINDOWS\system32\iepg32.exe
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Shortcut to trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Norton AntiVirus 2003 Professional Edition.lnk = C:\Program Files\Common Files\Symantec Shared\NMain.exe
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.1...m::/on-line.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.micro...ate/sdkinst.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

#2 DonnaB

DonnaB

    Advanced Member

  • Retired Staff - Helper
  • PipPipPip
  • 183 posts

Posted 02 August 2004 - 01:26 PM

Hi there,

I highly suggest that you run a scan using Housecall or Panda ActiveScan because your log seems to have a trojan infection -
http://housecall.ant.../start_corp.asp
http://www.pandasoft...ivescan-com.asp

Before you run a scan, kindly open Task Manager>Processes tab. End the task of hrtcm.exe then close Task Manager. Go ahead in running an online scan.

Reboot the system and confirm your work by running another scan.

Verify that hrtcm.exe is not running as a service. If it's there, end it again via Task Manager>Processes tab.

Next, download the new version of HijackThis which is v1.98.1. Save it in the same location. Replace the existing copy.

Run a scan using HijackThis 1.98.1 then select the following items if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-catalog.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-catalog.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-catalog.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e-catalog.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.e-catalog.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-catalog.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-catalog.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-catalog.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e-catalog.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.e-catalog.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-catalog.org

O4 - HKLM\..\Run: [winxm.exe] C:\WINDOWS\system32\winxm.exe
O4 - HKLM\..\Run: [iepg32.exe] C:\WINDOWS\system32\iepg32.exe
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.1...m::/on-line.exe

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

Make sure no browser/windows are open except HijackThis. Click Fix.

Reboot in Safe mode (To boot in Safe mode - restart the system, hit F8 after the BIOS has loaded)

Delete the following file (if still present):

C:\WINDOWS\hrtcm.exe
C:\WINDOWS\system32\winxm.exe
C:\WINDOWS\system32\iepg32.exe

Reboot in Normal mode. Scan once again using HijackThis and post a new log.
Calendar of Updates
Keep Your Security Software Current
Upgrades, Updates & Definitions
Get involved - Microsoft MVP Program
Read it from SecurityFlash

Do what you feel in your heart to be right - for you'll be criticized anyway.
You'll be damned if you do, and damned if you don't.

-- Eleanor Roosevelt




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button