Browser Hijacked

Printable View

March 13th, 2007, 10:41 PM
alexh

Browser Hijacked

My browser keeps getting it's home page set to xml-cash.com. Suprisingly, I found almost no info about this particular offender on a web search or here. This one is particularly bad - I have tried everything and can't get rid of it. I also realized that it or something else is blocking or resetting cookies - all of the websites I visit have lost my login info and setting the "remember me" does no good. Here are the details -

Windows 2k SP 4, IE 6.0
Nothing apparant in add/remove programs
Search of disk for xml-cash turns up only browser favorites link
Ran Ad-aware, AVG and Spybot many times- Spybot seems to always find something (tracking cookie) but the problem returns shortly.

Thanks for any help

PS. Please advise how to minimize chance of this happening in the future. I have taken all of the steps recommended at this site but I think my problems are more basic. I need to upgrade to XP pro and IE7. I am running the free version of zone alarm. If there is some software I should buy or upgrade/add a low cost subscription service I would consider that.

How do companies avoid these problems? This never happens at work (or extremely rarely).

Logfile of HijackThis v1.99.1
Scan saved at 7:47:02 PM, on 3/13/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
D:\Apps\CDCreator\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
D:\Apps\QuickTime\iTunesHelper.exe
C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
D:\Apps\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Apps\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
D:\Apps\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\MsiExec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
D:\Downloads\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xml-cash.com/portal.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Apps\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Apps\CDCreator\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Apps\QuickTime\iTunesHelper.exe"
O4 - HKLM\..\Run: [PDUiP6210DMon] C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Apps\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Apps\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Regscan] C:\WINNT\system32\regscan.exe
O4 - HKCU\..\Run: [oiwq] C:\Program Files\InetGet2\stub_109_4_0_4_0.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Apps\MsOffice\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Apps\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {15C3C7A4-9676-11D3-9799-0060087190B9} - http://www.accurate-image.com/mcnear...ear_online.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/...npseatools.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Apps\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
March 13th, 2007, 11:13 PM
lgbpop

Hi alex, run HJT and check the boxes next to the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xml-cash.com/portal.php
O4 - HKCU\..\Run: [Regscan] C:\WINNT\system32\regscan.exe
O16 - DPF: {15C3C7A4-9676-11D3-9799-0060087190B9} - http://www.accurate-image.com/mcnear...ear_online.cab

With your browser window(s) closed, click fix checked.

Go to Control Panel | Add/Remove Programs and uninstall any entries relating to AccurateImage, Interfun or (starting with) McNear. You apparently downloaded and installed something from them that's not playing nice with your system. When done, go to C:\Program Files and D:\Apps and delete the corresponding folder(s) if found. If you don't find them, go to Control Panel | Folder Options (or in any open window, click Tools in the toolbar, then Folder Options) and make sure Show all hidden files and folders is unchecked.

Reboot and post a new HJT log.
March 13th, 2007, 11:43 PM
alexh

Thanks, browser went back to xml-cash on reboot.
McNear is a brick company - it's been on my computer forever but I think I did try to uninstall recently.

Logfile of HijackThis v1.99.1
Scan saved at 8:44:23 PM, on 3/13/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
D:\Apps\CDCreator\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
D:\Apps\QuickTime\iTunesHelper.exe
C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
D:\Apps\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Apps\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
D:\Apps\WinZip\WZQKPICK.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
D:\Downloads\HiJackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xml-cash.com/portal.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Apps\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Apps\CDCreator\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Apps\QuickTime\iTunesHelper.exe"
O4 - HKLM\..\Run: [PDUiP6210DMon] C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Apps\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Apps\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [oiwq] C:\Program Files\InetGet2\stub_109_4_0_4_0.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Apps\MsOffice\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Apps\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173845838393
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/...npseatools.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Apps\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
March 14th, 2007, 08:32 AM
lgbpop

Why didn't you perform the online scans and the AVG download before running HijackThis? They are critical in helping to pinpoint solutions. Please take care of these now. Post the results here when done.
March 14th, 2007, 10:24 PM
alexh

1 Attachment(s)

Ok, I have run the online scans repeatedly in the past and their is one problem that always re-occurs very quickly. Just to be clear I ran all of the online scans, fix all problems via scanners, reset IE home page to default and removed the xml-cash from favorites. I then re-boot. The second launch of IE after reboot went back to xml-cash. I ran spy bot and came up with the following (see attach).

Avenue A info is all over the web and supposedly it is fairly innocuous and I don't know if it's tied to xml-cash??
March 14th, 2007, 10:48 PM
lgbpop

Screenshot doesn't tell me anything. Where are the online scan results?
March 14th, 2007, 11:30 PM
alexh

It looks like my free version of Spybot just has the screen output.

I read some of the tutorials on this site and realized that I'm an idiot. I'm a Win2k holdout and AFAIK microsoft stopped doing service packs a long time ago. Recently I noticed that they added an auto update feature and I downloaded that. Today I ran it manually and it found 60 critical updates! I had assumed the service packs had all updates and thus MS had basically abandoned Win2k. So I have installed those updates, I'll re-clean my system and see what happens. If the problem re-appears I'll repost in this thread.

Thanks for all the help and sorry for being such a numskull!
March 15th, 2007, 08:07 AM
lgbpop

No problem, maybe those will help. I assumed you had the final Service Rollup Pack, maybe that will be all you need. If you do find the problem persists, feel free to post back here.