Jump to content


Photo

hijacked and taken to Drusearch.


  • Please log in to reply
1 reply to this topic

#1 raykinney

raykinney

    Member

  • New Member
  • Pip
  • 2 posts

Posted 23 June 2004 - 02:27 PM

I'm very new to this forum. Until yesterday, I didn't even know that "hijacking" homepages existed. I'm sure finding out quickly.

Events:
1. Visited known website with new link (can't remember the link). Norton detects virus. I have Norton delete it. I mistakenly press back on Internet Explorer. It re-sends me and I get the virus warning again. Deleted again.
2. My homepage is changed. I go to Drusearch.com. I also have it as a favorite. I change it and nothing. All similiar to the typical descriptions of being hijacked. I see it and change it in the registry. It gets changed back.
3. I run AdAware, latest updates and it finds spyware, but doesn't change my problem.
4. I install Spy Sweeper and it finds nothing that helps my problem. I set it to watch cookies and homepage and memory. It pops up to tell me that something is asking to change my homepage. I need to tell it NO a few times. Always within 5 minutes of a reboot.
5. I run CWShredder yesterday afternoon and I still have the problem. I know because Spy Sweeper popped up this morning with another warning.
6. I run Hijack This. I created a log file, so I'm hoping someone can spot the bad guy here.

Logfile of HijackThis v1.97.7
Scan saved at 9:46:43 AM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\hrtcm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\ray\hijack this\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [ciadmin] C:\WINDOWS\System32\ciadmin.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Startup: Microsoft Visual SourceSafe 6.0.lnk = C:\Program Files\Microsoft Visual Studio\VSS\win32\SSEXP.EXE
O4 - Startup: Winamp3.LNK = C:\Program Files\Winamp3\Studio.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PacOptical.local
O17 - HKLM\Software\..\Telephony: DomainName = PacOptical.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PacOptical.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PacOptical.local


Thanks,
Ray Kinney

#2 raykinney

raykinney

    Member

  • New Member
  • Pip
  • 2 posts

Posted 06 July 2004 - 03:42 PM

After waiting well over a week, I started reading other people's "drusearch" problems. I found one common connection between their suggested fix and what I had.

hrtcm.exe

Aside from the registry entries, which are easy to get rid of without damage, hrtcm.exe was showing up. Looking on the internet, I couldn't find what it was legitimately used for. I risked it. I got rid of it using "Hijack This" and then deleted it from the Windows directory.

That seems to have solved the problem. Nothing has written to my registry and nothing is trying to change my homepage (I switched to Firefox since this has happened). I also now have Spy Sweeper running full time with homepage protection on.

I believe hrtcm.exe is the problem. Also I've asked several people I know to check their Windows directory, and no one has that file, so it is not an operating system file.

If any other people with my problem who haven't yet been helped read this, check your Hijack This scan results again for hrtcm. If you find it, get rid of it and all the registry entries for Drusearch, and you should be clean again. I've had no ill effects either, so that's my personal testimonial, for what's it's worth.

Ray Kinney




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button