• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Henry Jones

Can't get rid of hijacked home page.

2 posts in this topic

My home page has been hi-jacked by e-catalog.org, I've tried all the usual spyware programs to no avail. Almost as soon as I run FIX with 'Hijack This' the home page is reset and the entries come right back. Please help! Someone else on this site had this problem but they did not leave documentation as to how they fixed it.

 

I am using Windows XP Pro with Norton Anti-Virus 2003 and Ad-Aware 6.0

 

Any help will be very much appreciated, and thanks in advance!

 

Here is my log:

 

 

Logfile of HijackThis v1.98.0

Scan saved at 1:41:59 AM, on 7/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\Inf\Catalog\su\srunner.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

c:\Windows\Inf\Catalog\su\explore.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\hrtcm.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Trillian\trillian.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\CURSORS\meta\oledac\backup\srunner.exe

c:\windows\cursors\meta\oledac\backup\repairx\SPOOLSVC.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-catalog.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-catalog.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-catalog.org

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e-catalog.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.e-catalog.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-catalog.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-catalog.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-catalog.org

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e-catalog.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.e-catalog.org

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-catalog.org

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [siSSetCDfmt] C:\WINDOWS\System32\SetCDfmt.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [Regx10EXE] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Hacker Eliminator] C:\Program Files\Hacker Eliminator\HackerEliminator.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [winxm.exe] C:\WINDOWS\system32\winxm.exe

O4 - HKLM\..\Run: [iepg32.exe] C:\WINDOWS\system32\iepg32.exe

O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Startup: Shortcut to trillian.lnk = C:\Program Files\Trillian\trillian.exe

O4 - Global Startup: Norton AntiVirus 2003 Professional Edition.lnk = C:\Program Files\Common Files\Symantec Shared\NMain.exe

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/20646/online.chm::/on-line.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/contr...ate/sdkinst.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

Share this post


Link to post
Share on other sites

Hi there,

 

I highly suggest that you run a scan using Housecall or Panda ActiveScan because your log seems to have a trojan infection -

http://housecall.antivirus.com/housecall/start_corp.asp

http://www.pandasoftware.es/activescan/activescan-com.asp

 

Before you run a scan, kindly open Task Manager>Processes tab. End the task of hrtcm.exe then close Task Manager. Go ahead in running an online scan.

 

Reboot the system and confirm your work by running another scan.

 

Verify that hrtcm.exe is not running as a service. If it's there, end it again via Task Manager>Processes tab.

 

Next, download the new version of HijackThis which is v1.98.1. Save it in the same location. Replace the existing copy.

 

Run a scan using HijackThis 1.98.1 then select the following items if still present:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-catalog.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-catalog.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-catalog.org

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e-catalog.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.e-catalog.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-catalog.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-catalog.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-catalog.org

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e-catalog.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.e-catalog.org

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-catalog.org

 

O4 - HKLM\..\Run: [winxm.exe] C:\WINDOWS\system32\winxm.exe

O4 - HKLM\..\Run: [iepg32.exe] C:\WINDOWS\system32\iepg32.exe

O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe

 

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/20646/online.chm::/on-line.exe

 

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

 

Make sure no browser/windows are open except HijackThis. Click Fix.

 

Reboot in Safe mode (To boot in Safe mode - restart the system, hit F8 after the BIOS has loaded)

 

Delete the following file (if still present):

 

C:\WINDOWS\hrtcm.exe

C:\WINDOWS\system32\winxm.exe

C:\WINDOWS\system32\iepg32.exe

 

Reboot in Normal mode. Scan once again using HijackThis and post a new log.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0