
Please explain mis-typed URLs


6 replies to this topic

#1 captainjy

captainjy

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 24 June 2004 - 01:46 AM

Ok, I can go to www.msn.com, but if I go to www.msn.cim, I am taken to smartname.com. What controls this? I am just not sure if I have been hijacked. I have posted about this before and no one has answered. Please help. TIA!

#2 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 24 June 2004 - 03:39 PM

You have been hijacked!

We need a closer look at what's happening.
Please download HijackThis.
Copy it into its own folder, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#3 captainjy

Posted 26 June 2004 - 12:22 AM

Thanks for the reply. Here is what HijackThis found. Some of the things listed look suspicious but are legit, such as rmctrl.exe, which is from PowerDVD; WLTRYSVC.EXE, which is my network card; bcmwltry.exe, which is my wireless tray; and BCMSMMSG.exe, which is my modem. I don't see anything that looks too serious, but maybe you can. Appreciate your help!

Logfile of HijackThis v1.97.7
Scan saved at 11:14:02 PM, on 6/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Temporary Internet Files\Content.IE5\8T2309Y3\HijackThis[1].exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.com/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8E66A776-A350-4D69-8783-906DB0E6DF14} (Jaunt Class) - http://download.jaun...ublic/jaunt.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8149.9834953704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.micr...04/clearadj.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = federation.com
O17 - HKLM\Software\..\Telephony: DomainName = federation.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{247AA290-D065-47B6-8D06-919020438F15}: NameServer = 4.2.2.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D0852B6-9AF3-4027-9230-2373B88831BC}: Domain = FEDERATION.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D0852B6-9AF3-4027-9230-2373B88831BC}: NameServer = 4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = federation.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = federation.com

#4 dave38

Posted 26 June 2004 - 04:31 AM

You are running Hijack this from a temporary folder. Before we fix anything, please make a permanent folder on your drive, such as c:\HJT, and move the program into it. This will ensure that any backups are available if needed.

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = federation.com
O17 - HKLM\Software\..\Telephony: DomainName = federation.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D0852B6-9AF3-4027-9230-2373B88831BC}: Domain = FEDERATION.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = federation.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = federation.com

Reboot after fixing.

Please post a followup Hijack this log, and say if your problems persist.

#5 captainjy

Posted 27 June 2004 - 03:10 AM

FEDERATION.COM is my home domain.

#6 dave38

Posted 27 June 2004 - 05:12 AM

"FEDERATION.COM is my home domain."

If so, the other O17 entries seem to be the wrong ones. It was just that anything pointing to Grand Cayman seemed to be the more probable culprit. The 4.2.2.2 and 4.2.2.3 entries refer to Level 3 Communications. If not your ISP, fix them.
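
Added example (not part of the original thread, and not HijackThis code): the review discussed in posts #4 to #6, pulling the O17 DNS entries out of a HijackThis log and separating the values the machine's owner has confirmed from those still to be checked against the ISP. The function names and the known-value lists are assumptions made for the illustration; the sample lines are the O17 entries from the log in post #3 plus one O16 line.

```python
import re

# O17 entries (and one O16 line) copied from the HijackThis log in post #3.
SAMPLE_LOG = r"""
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = federation.com
O17 - HKLM\Software\..\Telephony: DomainName = federation.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{247AA290-D065-47B6-8D06-919020438F15}: NameServer = 4.2.2.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D0852B6-9AF3-4027-9230-2373B88831BC}: Domain = FEDERATION.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D0852B6-9AF3-4027-9230-2373B88831BC}: NameServer = 4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = federation.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = federation.com
"""

# "O17 - <registry key>: <setting> = <value>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<value>.*)$")


def parse_o17(log_text):
    """Return (registry_key, setting, value) for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append((m["key"], m["name"], m["value"].strip()))
    return entries


def review_o17(entries, known_domains=(), known_nameservers=()):
    """Split entries into (confirmed, unconfirmed) using owner-supplied values."""
    domains = {d.lower() for d in known_domains}
    servers = {s.lower() for s in known_nameservers}
    confirmed, unconfirmed = [], []
    for key, name, value in entries:
        # A value may hold several items separated by commas or spaces.
        items = [v.lower() for v in re.split(r"[,\s]+", value) if v]
        known = servers if name.lower() == "nameserver" else domains
        ok = all(item in known for item in items)
        (confirmed if ok else unconfirmed).append((key, name, value))
    return confirmed, unconfirmed


if __name__ == "__main__":
    # Assumption: the owner has confirmed only the domain (post #5), not the resolvers.
    _, todo = review_o17(parse_o17(SAMPLE_LOG), known_domains=["federation.com"])
    for key, name, value in todo:
        print(f"confirm with owner/ISP: {name} = {value}  ({key})")
```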

#7 captainjy

Posted 28 June 2004 - 12:43 AM

I will try that. Thanx for the suggestions!



