Help me get my browser hijacked!



#1 shawzy

Posted 22 September 2004 - 08:53 AM

I have posted on 2 separate forums on this site about a problem I am having logging into a WLAN cafe to use their free 802.11 service.

I realize that more than likely the HijackThis gurus can help me!

When I connect to the wireless LAN at this cafe, I open my browser and attempt to open google.com (or hotmail, etc.). My browser at that point should be HIJACKED by the operator I am connected to and redirect me to their login page so I can enter my login info and get access to the internet.

My browser doesn't get hijacked!! Not sure why, but my browser (IE6) does not get redirected to their login page.

I know my wireless connection is 100% ok because I can access the host web site without issue.

I have no proxy server setting, I've tried auto detect, my security settings are default medium, and I have no issues connecting to my home wireless router.

HELP ME GET HIJACKED!

Take a look at my log and let me know if you see anything that would prevent my browser from being hijacked. The first thing that jumped out at me is the reference to a proxy server - I do not have proxy server settings visible in my IE options.

[Note I have edited the log slightly and removed any references to protect my identity and the identity of my employer.]


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=47.73.8.150:8080;https=47.73.8.150:8080;ftp=47.73.8.150:8080;gopher=47.73.8.150:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 47.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~2\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\(removed)\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\(removed)\IPMon32.exe"
O4 - HKLM\..\Run: [SMS Win9x Message Agent] C:\WINDOWS\MS\SMS\core\bin\SMSMsg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SMS Client Service] C:\WINDOWS\MS\SMS\core\bin\clisvc95.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Handy Backup 3.9] C:\PROGRAM FILES\NOVOSOFT\HANDY BACKUP\hbagent.exe -logon
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {1AC3B560-19CD-11d3-BC8E-00C04F985C5D} - c:\Program Files\Internet Explorer\Default Browser Chooser.exe (HKCU)
O9 - Extra 'Tools' menuitem: Default Browser Chooser - {1AC3B560-19CD-11d3-BC8E-00C04F985C5D} - c:\Program Files\Internet Explorer\Default Browser Chooser.exe (HKCU)
O9 - Extra button: (no name) - {66CE23E0-C5AF-11d2-BC8E-00C04F985C5D} - c:\Program Files\Internet Explorer\policy.js (HKCU)
O9 - Extra 'Tools' menuitem: (removed) - {66CE23E0-C5AF-11d2-BC8E-00C04F985C5D} - c:\Program Files\Internet Explorer\policy.js (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://47.173.32.36:8080/intranet/access.html
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://(removed)/obra/forms/Codebase/FormCtl.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = (removed for confidential reasons)


Here are the things that strike a chord:
- proxy reference
- IP monitor tasks running (this is for a VPN I can use for work)
- O14 - IE RESET - this is an internal page at work that is dead

Any ideas?

I may try and remove the proxy references and O14, and kill the IP tasks to see if that helps.

thanks

Edited by shawzy, 22 September 2004 - 08:55 AM.
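The behaviour the post is asking for is a captive portal: the hotspot gateway intercepts the first plaintext HTTP request that leaves the laptop and answers it itself, normally with a redirect to its login page. The following is an added example (mine, not code from the thread or from BleepingComputer) of the check a practitioner would run before blaming the OS: send one unproxied GET for a URL whose honest answer is known, refuse to follow redirects, and classify the reply. PROBE_URL and EXPECTED_BODY are hypothetical, and the SAMPLES replies are constructed, not captured traffic.

```python
"""
Captive-portal probe: decide from one plaintext HTTP reply whether the
network is open, intercepted by a login gateway, or unreachable.
Added example for this thread, not the poster's or BleepingComputer's code.
PROBE_URL / EXPECTED_BODY are hypothetical; the SAMPLES replies are constructed.
"""
from dataclasses import dataclass, field
from http.client import HTTPConnection
from urllib.parse import urlsplit

PROBE_URL = "http://probe.example.test/ok.txt"   # hypothetical: always answers "OK"
EXPECTED_BODY = b"OK"
REDIRECTS = (301, 302, 303, 307, 308)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def fetch_once(url, timeout=5):
    """One GET, no redirect following, no proxy. A configured proxy would
    carry the request past the gateway, and the portal could never answer it."""
    parts = urlsplit(url)
    conn = None
    try:
        conn = HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
        conn.request("GET", parts.path or "/", headers={"Host": parts.netloc})
        raw = conn.getresponse()
        return Response(raw.status,
                        {k.title(): v for k, v in raw.getheaders()},
                        raw.read())
    except OSError:
        return None
    finally:
        if conn is not None:
            conn.close()


def classify(resp, expected_body=EXPECTED_BODY):
    """Return (verdict, detail); verdict is 'open', 'captive' or 'unreachable'."""
    if resp is None:
        return "unreachable", "no TCP connection or timeout"
    if resp.status in REDIRECTS:
        # The probe URL never redirects, so any redirect is the gateway's
        # login page (the "hijack" the thread is asking for).
        return "captive", resp.headers.get("Location", "redirect without Location")
    if resp.status == 511:   # RFC 6585 Network Authentication Required
        return "captive", resp.headers.get("Location", "HTTP 511")
    if resp.status == 200 and resp.body.strip() == expected_body:
        return "open", "probe body matched"
    # 200 (or anything else) with a foreign body: login page served in place
    return "captive", "HTTP %d, unexpected body (%d bytes)" % (resp.status, len(resp.body))


def probe(url=PROBE_URL, fetch=fetch_once):
    return classify(fetch(url))


# Constructed replies, not captured traffic.
SAMPLES = {
    "open":   Response(200, {"Content-Type": "text/plain"}, b"OK\n"),
    "portal": Response(302, {"Location": "http://10.0.0.1/login.html"}),
    "inline": Response(200, {"Content-Type": "text/html"}, b"<html>Please log in</html>"),
    "dead":   None,
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print("%-7s -> %s" % (name, probe(fetch=lambda _url, r=reply: r)))
```

Two things follow from the mechanism. The gateway can only answer a request it actually sees, so a browser that is configured to use a proxy connects to the proxy's address instead of to the site and gives the portal nothing to redirect. And the intercepted request has to be plain http://, because a TLS connection cannot be rewritten in transit without a certificate error.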


#2 Grinler (Lawrence Abrams), Admin

Posted 22 September 2004 - 04:23 PM

Can you do me a favor and at least post the top of the log that shows the HijackThis version, the Internet Explorer version, and the Windows version?

If you do not need the following for work I would fix these:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=47.73.8.150:8080;https=47.73.8.150:8080;ftp=47.73.8.150:8080;gopher=47.73.8.150:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 47.*;<local>
O4 - Startup: PowerReg SchedulerV2.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


I would also definitely kill almost everything before attempting to connect and see if that works. If it does, then add each one back one at a time until you find the one that causes the problem.
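As an added example (mine, not from the thread or from BleepingComputer), the following reproduces how Internet Explorer's WinINet stack applies the two R1 values flagged above. With them in place, every http, https, ftp and gopher request for a host outside 47.* is sent to 47.73.8.150:8080 rather than to the site itself, so a hotspot gateway that works by intercepting outbound port-80 connections (the usual design, assumed here) never sees a request it can redirect; the 47.* and <local> override entries are the only hosts that connect direct. The two registry values are copied from the posted log; the wildcard and <local> matching rules are my reading of the ProxyServer/ProxyOverride format, not something the page states.

```python
"""
Which requests go through an IE/WinINet per-user proxy and which go direct.
Added example for this thread, not BleepingComputer's or the poster's code.
The two values below are copied from the R1 lines of the posted log; the
matching rules are my reading of the ProxyServer/ProxyOverride formats:
  ProxyServer   "host:port" for every scheme, or "scheme=host:port;..." per scheme
  ProxyOverride ";"-separated wildcard patterns matched against the host name,
                plus "<local>" for names that contain no dot
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

PROXY_SERVER = ("http=47.73.8.150:8080;https=47.73.8.150:8080;"
                "ftp=47.73.8.150:8080;gopher=47.73.8.150:8080")
PROXY_OVERRIDE = "47.*;<local>"


def parse_proxy_server(value):
    """'p:1' -> {'*': 'p:1'};  'http=a:1;https=b:2' -> {'http': 'a:1', 'https': 'b:2'}"""
    table = {}
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue
        scheme, sep, proxy = entry.partition("=")
        if sep:
            table[scheme.strip().lower()] = proxy.strip()
        else:
            table["*"] = entry          # one proxy for every scheme
    return table


def parse_override(value):
    return [p.strip().lower() for p in value.split(";") if p.strip()]


def bypasses_proxy(host, overrides):
    """True when the host matches an override entry, i.e. it connects direct."""
    host = host.lower()
    for pattern in overrides:
        if pattern == "<local>":
            if "." not in host:
                return True
        elif fnmatchcase(host, pattern):
            return True
    return False


def proxy_for(url, proxy_server=PROXY_SERVER, proxy_override=PROXY_OVERRIDE):
    """Return the 'host:port' the request is sent to, or None for a direct connection."""
    parts = urlsplit(url)
    if bypasses_proxy(parts.hostname or "", parse_override(proxy_override)):
        return None
    table = parse_proxy_server(proxy_server)
    return table.get(parts.scheme.lower(), table.get("*"))


if __name__ == "__main__":
    # The first two never reach the cafe gateway as port-80 connections to the
    # site: they go to 47.73.8.150:8080 instead. The last two connect direct.
    for url in ("http://www.google.com/", "https://www.hotmail.com/",
                "http://47.173.32.36:8080/intranet/access.html", "http://intranet/"):
        print("%-48s -> %s" % (url, proxy_for(url) or "DIRECT"))
```

The 47.173.32.36 URL is the O14 START_PAGE_URL from the same log; it falls inside the 47.* override, which is consistent with the poster's note that it is an internal work page.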

#3 shawzy (Topic Starter)

Posted 27 September 2004 - 09:26 AM

info requested:

Logfile of HijackThis v1.98.2
Scan saved at 1:10:25 PM, on 22/09/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

------------------

- I killed both O1 above successfully - still no luck
- O4 isn't really necessary unless I am on battery power, so I can kill it, but it's handy as it safely puts the laptop on standby when the battery gets too low
- will try to kill O6

#4 Grinler

Posted 27 September 2004 - 10:09 AM

Please post the entire log, including running processes and the header. I will tell you what you can end task on at the cafe and see if it fixes the problem.

#5 shawzy (Topic Starter)

Posted 01 October 2004 - 02:29 AM

As requested, here is the complete log.

If all else fails, I am tempted to download another browser (i.e. Netscape) but would rather not.

Really appreciate your help. There aren't many who can, it seems.



-----------------------------------------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 9:15:13 AM, on 01/10/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\MS\SMS\CORE\BIN\CLISVC95.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\LTCM000C.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\IPCLIENT.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\IPMON32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\NOVOSOFT\HANDY BACKUP\HBAGENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by (removed)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~2\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [SMS Win9x Message Agent] C:\WINDOWS\MS\SMS\core\bin\SMSMsg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SMS Client Service] C:\WINDOWS\MS\SMS\core\bin\clisvc95.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Handy Backup 3.9] C:\PROGRAM FILES\NOVOSOFT\HANDY BACKUP\hbagent.exe -logon
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {1AC3B560-19CD-11d3-BC8E-00C04F985C5D} - c:\Program Files\Internet Explorer\Default Browser Chooser.exe (HKCU)
O9 - Extra 'Tools' menuitem: Default Browser Chooser - {1AC3B560-19CD-11d3-BC8E-00C04F985C5D} - c:\Program Files\Internet Explorer\Default Browser Chooser.exe (HKCU)
O9 - Extra button: (no name) - {66CE23E0-C5AF-11d2-BC8E-00C04F985C5D} - c:\Program Files\Internet Explorer\policy.js (HKCU)
O9 - Extra 'Tools' menuitem: (removed) - {66CE23E0-C5AF-11d2-BC8E-00C04F985C5D} - c:\Program Files\Internet Explorer\policy.js (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://www.cbs.gov.on.ca/obra/forms/Codebase/FormCtl.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = ca.(removed).com,us.(removed).com,europe.(removed).com,asiapc.(removed).com,cala.(removed).com

#6 Grinler

Posted 01 October 2004 - 09:33 AM

If any of these processes are running when you do control-alt-delete at the cafe, end task them. Do it one by one trying each time to get the internet to work. Hopefully one of these is interfering.

scanregw.exe
taskmon.exe
TPWRTRAY.EXE
ltcm000c.exe 9
point32.exe
DEFALERT.EXE
NAVAPW32.EXE
POProxy.exe
IPClient.exe
IPMon32.exe
SMSMsg.exe
QTTASK.EXE
mstask.exe
THotkey.exe
SymTray.exe
clisvc95.exe
MsnMsgr.Exe
ctfmon.exe
hbagent.exe
OSA.EXE
PowerReg SchedulerV2.exe

Don't fix these in HijackThis, just end task them at the cafe.

Also have you spoken to the cafe owners and confirmed this redirection will work with ME?

#7 shawzy (Topic Starter)

Posted 06 October 2004 - 07:30 AM

Funny that you ask if redirection works with ME.

That is what I am trying to find out. The tech support that provides the service basically choked when I told them I am on ME. They claimed that many ME users have difficulty.

My humble question is therefore, if it works with 98, and ME is built on top of 98, why would ME not work?

Is ME so different that I am wasting my time here? I am convinced that ME is fine so long as I have the correct network and browser settings, perhaps someone can prove me wrong.

#8 Grinler

Posted 06 October 2004 - 12:06 PM

ME is a notorious piece of garbage. That is the truth.

I don't know of any technical reasons why it does not work, but I am not going to rule it out.



