Cawper
asked on
Homepage.com hijacker
I have a homepage hijacker and have tried Adaware, Spybot, Pest Patrol, HijackThis, Trend Micro, and Symantec numerous times with no successful results. I have also done complete hard drive searches for any indication of the text and deleted infected files with no success. I have also done this with the network cable unplugged as I thought I might be getting reinfected from the server or another station, but also had no luck with this. Reformatting is not an option at this point because I don't think I could ever get this workstation reconfigured.
Well below is some information, if you need more I will check often to see if I can help.
Webpage that I am Hijacked to. http://homepage.com
Redirection code in Tools, Internet Options, General, homepage address.
http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%68%70/
Hijack this log.
file of HijackThis v1.97.7
Scan saved at 3:42:30 PM, on 06/17/2004
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\Program Files\Navnt\defwatch.exe
C:\Program Files\Navnt\rtvscan.exe
C:\WINNT\system32\RpcSs.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SysTray.Exe
C:\Program Files\Navnt\vptray.exe
C:\WINNT\System32\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\MICROS~1\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\PROGRA~1\Webshots\WebshotsTray.exe
\Wsc01\company\Operations\Jobs Active\Mike\IT\Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://WSC01:80
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\dpe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O13 - WWW. Prefix: http://
O16 - DPF: ConferenceRoom Java Client -
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Express Viewer Control) - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEye Control) - http://198.60.1.55/wg_webeye.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Thanks in advance for any help!
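The start-page value in the log above uses two URL tricks at once: everything before the "@" in the authority part is userinfo (a username), so the browser really connects to www.e-finder.cc, and the %00 null byte makes naive string handling stop at "homepage.com". The following is an added Python example written for this page, not code from the thread or from HijackThis; it percent-decodes the value from the Internet Options dialog, parses the R0/R1 lines copied from the log, and flags any URL whose visible host is a decoy. The function names and the flagging rule are my own.

```python
"""Decode the obfuscated IE start-page URL and flag R0/R1 HijackThis entries
whose visible host is not the host the browser actually connects to.

Added example (not part of the original thread, not a HijackThis feature).
"""
from urllib.parse import unquote, urlsplit

# Sample R0/R1 lines, copied from the HijackThis log in the question.
SAMPLE_LOG_LINES = [
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = "
    "http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)",
    "R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = "
    "http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)",
    "R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://",
]

# The fully percent-encoded value shown in Tools > Internet Options > General.
RAW_HOMEPAGE = ("http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D%00@"
                "%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%68%70/")


def analyse_url(url):
    """Describe where a URL really goes and which obfuscation tricks it uses."""
    decoded = unquote(url)              # %68 -> 'h', %00 -> NUL, and so on
    parts = urlsplit(decoded)           # netloc still contains 'userinfo@host'
    raw_netloc = urlsplit(url).netloc   # undecoded authority, to spot %-encoding
    # Everything before the LAST '@' is userinfo; the real host follows it.
    userinfo, sep, hostport = parts.netloc.rpartition("@")
    return {
        "decoded": decoded,
        "real_host": hostport if sep else parts.netloc,
        # The decoy is what a casual reader sees; drop the NUL that ends it.
        "decoy": userinfo.replace("\x00", "") if sep else "",
        "has_userinfo": bool(sep),
        "has_null_byte": "\x00" in decoded,
        "percent_encoded_host": "%" in raw_netloc,
    }


def url_from_hjt_line(line):
    """Pull the URL out of an R0/R1 line; returns '' when there is none."""
    _, _, value = line.partition(" = ")
    return value.replace("(obfuscated)", "").strip()


def flag_suspicious(lines):
    """Return (line, report) pairs for entries whose URL hides its real host."""
    flagged = []
    for line in lines:
        url = url_from_hjt_line(line)
        if not url or url == "http://":      # empty / reset value, nothing to check
            continue
        report = analyse_url(url)
        if report["has_userinfo"] or report["has_null_byte"]:
            flagged.append((line, report))
    return flagged


if __name__ == "__main__":
    home = analyse_url(RAW_HOMEPAGE)
    print("start page decodes to:", home["decoded"].replace("\x00", "<NUL>"))
    print("visible decoy host    :", home["decoy"])
    print("real host             :", home["real_host"])
    for line, report in flag_suspicious(SAMPLE_LOG_LINES):
        print("FLAG", line.split(" = ")[0], "->", report["real_host"])
```

Run it as a script to see the decoded value; for a real log, replace SAMPLE_LOG_LINES with the R0/R1 lines from the file. The check is deliberately narrow: a userinfo component or a null byte in a start-page or search URL is almost never legitimate, so either one is enough to flag the entry.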
Doh! Doing double-duty again...sorry. :D
=)
hmmmmmmmmmmmmmm,,,,,,, :-?
ASKER
Thank you so much for the help. I accepted the answer from Sirbounty and Rossfingal due to Rossfingals clarification about the F2 entry as well as the additional information about the 016 entries. I am sorry not to give you any points sheharyaarSaahil as your help was very appreciated, but the solution I used was the combination of Sirbounty and Rossfingal. In any event thank you all the dang thing is gone. =)
Cawper
Well Cawper, if you think that I was not so helpful, then accept my apologies for it,,,, I will try to be more clear from next time =\
Hi! Cawper
Now, make sure you keep your computer running clean.
See the following:
What is spyware : http://www.spychecker.com/spyware.html
and:
https://www.experts-exchange.com/questions/20975384/Standard-response-material-re-Spyware-Adware-BHOs-and-other-Malware.html
Thanks and good luck!
>> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
>> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
>> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
>> R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://
>> R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://
>> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
>> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
>> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\dpe.dll
O13 - WWW. Prefix: http://
==========================
Fix these ones !!!
reboot and check !!
!! GOOD LUCK !!