#1, 03-07-2004, 05:22 PM
renton (Registered User; Join Date: Jun 2003; Posts: 12)
Hijacked browser?

Hiya. Whenever I try to access certain websites I get a light-blue site with an "ENTER" link that goes to http://links.verotel.com/cgi-bin/sho...04000000515758
Other people tried to access the same sites, and they can do it properly. Therefore I reached the conclusion that my browser has been hijacked. However, sometimes, when I check the same sites, they work properly, and then if I check 10 seconds later, I see the fake webpage.

If anyone needs to see the source code of the fake webpage, let me know and I'll paste it.

* OS: WinXP Pro (updated). Browser: Internet Explorer 6.

* Anti spyware software installed:

- Ad-aware 6.0 professional edition. (updated) - It only found a spylog tracking cookie that I get from the fake site.
- Spybot (updated). - Found and fixed a few registry keys. (somaticab.setup was one of them).
- Spywareblaster (updated).

I also scanned my computer with Norton AV 2004 Pro, PC-Cillin's online scanner and The Cleaner and CWShredder. Nothing was detected.

I tried accessing these webpages via HTTP proxy, and the webpage loads properly.

HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 09:19:11 p.m., on 07/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Norton Internet Security\NISUM.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\Wcgopsvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.11.26.142:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SetCacheMode] Rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CTStartup] C:\Archivos de programa\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [WebCam Go Plus Sti Service Application] Wcgopsvc
O4 - HKLM\..\Run: [ccApp] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARCHIV~1\NORTON~2\AdvTools\ADVCHK.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{455509BB-9F7D-4A9F-961E-F46A3CC7B25F}: NameServer = 200.51.254.238 200.51.208.21

------------------------------------------------------------------------------------

I deleted this one before: O17 - HKLM\System\CCS\Services\Tcpip\..\{455509BB-9F7D-4A9F-961E-F46A3CC7B25F}: NameServer = 200.51.254.238 200.51.208.21

and now it's there again.

Btw, if necessary, I can also paste the output of my built-in StartupList app, which lists all autostarting programs.

Thanks.

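Two lines in the log above are the ones that can send a browser somewhere other than the site it asked for: the R1 entry (every Internet Explorer request is routed through the proxy 61.11.26.142:8080) and the O17 entry (name lookups on that interface go to 200.51.254.238 and 200.51.208.21). That the O17 value came back after being deleted suggests something still running on the machine is rewriting it, so the useful check is one that can be re-run after every reboot and compared against what the settings are supposed to be. The script below is an added example, not code from this thread or from HijackThis; it parses HijackThis-format R1/O17 lines and flags any proxy or resolver that is not on an allowlist the caller supplies. The R1 and O17 sample lines are copied from the log above; the benign O17 line, its all-zero interface GUID, and the "expected" resolver 192.0.2.53 are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample input. The R1 and O17 lines are the ones from the
# HijackThis log in the post above; the last O17 line is a made-up benign
# entry pointing at a hypothetical ISP resolver (192.0.2.53, a documentation
# address) so the script has something it should NOT flag.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.11.26.142:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O17 - HKLM\System\CCS\Services\Tcpip\..\{455509BB-9F7D-4A9F-961E-F46A3CC7B25F}: NameServer = 200.51.254.238 200.51.208.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

# Matches the two HijackThis line types that redirect traffic at the network
# layer: R1 (IE proxy settings) and O17 (per-interface DNS servers).
_NET_LINE = re.compile(
    r"^(?P<kind>R1|O17) - (?P<key>.+?)[,:]\s*"
    r"(?P<name>ProxyServer|NameServer)\s*=\s*(?P<value>.+?)\s*$"
)


def parse_network_entries(log_text):
    """Return the R1 ProxyServer and O17 NameServer entries found in a log."""
    entries = []
    for line in log_text.splitlines():
        m = _NET_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def audit_hijackthis(log_text, expected_dns, expected_proxies=frozenset()):
    """Flag proxy and DNS settings that are not on the caller's allowlists.

    expected_dns: the resolver IPs the machine is supposed to use (normally
    the ISP's or the local router's; an assumption the caller supplies).
    expected_proxies: "host:port" values that are legitimate; empty by
    default because a home machine normally has no proxy at all.
    Returns a list of ("proxy" | "dns" | "malformed", value) findings.
    """
    findings = []
    for entry in parse_network_entries(log_text):
        if entry["name"] == "ProxyServer":
            if entry["value"] not in expected_proxies:
                findings.append(("proxy", entry["value"]))
            continue
        # O17 values may list several servers separated by spaces or commas.
        for server in re.split(r"[\s,]+", entry["value"]):
            try:
                ip_address(server)
            except ValueError:
                findings.append(("malformed", server))
                continue
            if server not in expected_dns:
                findings.append(("dns", server))
    return findings


if __name__ == "__main__":
    # Replace 192.0.2.53 with the resolvers your ISP or router actually hands out.
    for kind, value in audit_hijackthis(SAMPLE_LOG, expected_dns={"192.0.2.53"}):
        print(f"{kind:9s} {value}")
```

Run against the sample it reports the proxy and both 200.51.x resolvers and stays silent on the allowlisted one. Saving each run's output and diffing it after a reboot is the cheap way to confirm whether a deleted O17 or R1 entry is being restored, which is the behaviour the post describes; the fact that the pages load correctly through an HTTP proxy fits that reading, because a proxy does its own name resolution and so bypasses whatever resolvers the O17 entry points at.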
#2, 03-07-2004, 10:48 PM
Neř (Banned; Join Date: Dec 2003; Location: SoCal, USA; Posts: 106)
I wonder if a firewall would help...

-Neř
#3, 03-07-2004, 11:19 PM
I2n0ld (Registered User; Join Date: Jan 2003; Posts: 327)
Re: Hijacked browser?

Quote:
Originally posted by renton

I deleted this one before: O17 - HKLM\System\CCS\Services\Tcpip\..\{455509BB-9F7D-4A9F-961E-F46A3CC7B25F}: NameServer = 200.51.254.238 200.51.208.21

and now it's there again.

Thanks.
Just curious, why did you delete that file? Sorry I could not offer you any help. I'll just bump this one for you.
__________________
-I2n0ld
#4, 03-07-2004, 11:40 PM
Chuckiechan (Registered User; Join Date: Oct 2001; Location: Sacto, Colliefornia; Posts: 787)
I assume you are trying to get rid of it?

Run Adaware 6, then run regedit.

If you still have problems, uninstall Internet Explorer, then manually delete the remaining file fragments that are left in the IE folder. Then run regedit again.

A firewall may or may not protect you, but Zone Alarm is a good, free place to start.

Good luck
__________________
"I pledge allegiance to school vouchers and to the values for which they stand"