Author Topic: Hijacked by http://rl.webtracer.cc/-/?bayzm  (Read 1709 times)

Offline Maracucho

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
Hijacked by http://rl.webtracer.cc/-/?bayzm
« on: April 02, 2005, 07:57:41 PM »
Hi, I need help. My browser has been hijacked and my startup page was changed to http://rl.webtracer.cc/-/?bayzm. I downloaded the latest HijackThis; here is the log file. Thanks in advance for the help.
« Last Edit: April 08, 2005, 04:50:15 PM by Maracucho »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hijacked by http://rl.webtracer.cc/-/?bayzm
« Reply #1 on: April 02, 2005, 10:17:35 PM »
Create a new folder on your desktop
Right click an empty spot on the desktop
Select NEW>>FOLDER
Name the new folder Locate
Download and save to desktop Locate.zip

UNZIP the contents to that newly created folder
Open the Locate folder and Double click to run Locate.bat

Could you also
download StartDreck.zip

UNZIP to a folder. DoubleClick: 'StartDreck.exe'
First click on the config button.
Now click the Unmark all button
Under "System/Drivers", put a check by these boxes only:
*Mark NT Services
*List binaries
*NT Kernel- and FS Drivers
Now click the Save button to save that log. Go to the StartDreck folder and find the Startdreck.log file.

Copy and Paste the contents of that log back here

Do you want to post your own logs from FRST?
Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Maracucho

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
Hijacked by http://rl.webtracer.cc/-/?bayzm
« Reply #2 on: April 03, 2005, 05:45:45 PM »
This is the log from StartDreck, hope it helps. Thanks
« Last Edit: April 05, 2005, 08:41:03 PM by Maracucho »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hijacked by http://rl.webtracer.cc/-/?bayzm
« Reply #3 on: April 03, 2005, 05:48:21 PM »
It doesn't look like the full log from Startdreck
You must post it all back

Also I need you to download Locate.zip and post the info I asked from Locate.bat

Go back and read what I asked from you
Thanks

EDIT>>I guess I forgot to ask for the log from Locate.bat>>Sorry

But could you supply it please along with the full log from Startdreck
« Last Edit: April 03, 2005, 05:52:46 PM by guestolo »



Offline Maracucho

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
Hijacked by http://rl.webtracer.cc/-/?bayzm
« Reply #4 on: April 04, 2005, 05:49:05 PM »
Sorry about the mistake. Thanks for the help.

This is the locate report



And this is the full Startdreck log.
« Last Edit: April 08, 2005, 04:55:24 PM by Maracucho »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hijacked by http://rl.webtracer.cc/-/?bayzm
« Reply #5 on: April 04, 2005, 06:57:39 PM »
That's better, let's try some cleaning.
I'll have to do some of it off the HijackThis log you first posted.
Some things may have changed, but try the following.

Download CWShredder.exe from my signature below and save to desktop

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE

Find and delete these files if found
C:\WINDOWS\SYSTEM32\DRIVERS\DCCAMG.SYS <-file
C:\WINDOWS\stsheets.dat <-file
c:\info6_s.cab <-file

Stay in safe mode

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank

R3 - URLSearchHook: (no name) - {510E6A69-F6E3-0E22-E504-88142D649AEC} - C:\WINDOWS\system32\HPRTIcno.exe (file missing)
O1 - Hosts: 1159680172 auto.search.msn.com

O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab

O19 - User stylesheet: C:\WINDOWS\stsheets.dat


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Do a Disk Cleanup
Go to START>>RUN>>type in
cleanmgr
Hit OK
Give it time to compress files
Ensure Temp and Temp internet files are checked

Afterwards
With only CWShredder open click the FIX button
Let it fix whatever it finds

Restart back to Normal mode

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox.
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button.

RESTART your computer to finish the cleaning process

Back in Windows

Post back a fresh Hijackthis log



Offline Maracucho

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
Hijacked by http://rl.webtracer.cc/-/?bayzm
« Reply #6 on: April 05, 2005, 08:39:28 PM »
Everything is working great, thanks for the help.
This is the new HijackThis log.
« Last Edit: April 08, 2005, 05:09:05 PM by Maracucho »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hijacked by http://rl.webtracer.cc/-/?bayzm
« Reply #7 on: April 05, 2005, 08:47:47 PM »
Do you recognize this domain?
It may be part of the network you're on or your ISP's.
I suspect it's bogus, but I want to make sure.

O17 - HKLM\System\CCS\Services\Tcpip\..\{A7C8DF4E-3191-4045-B1D6-B75157E3EEB3}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5340B29-942A-4FB0-AF2B-D1E9563FC45F}: NameServer = 69.50.184.85,195.225.176.37

Here's what I can find about it
Click Here

I suspect that there are nasties
Open Control panel>>Network Connections
Right click your connection and select properties
Double click Internet Protocol(TCPIP)
Take note of the settings

With all other windows closed, have hijackthis fix those entries

Restart your computer

If you have trouble connecting back to the Internet
With all browsers closed
Enter your Control panel>>Network Connections
Double click Internet Protocol(TCPIP)
Set to Automatically obtain IP address

Restart your computer
Post back a fresh Hijackthis log afterwards
« Last Edit: April 05, 2005, 09:01:50 PM by guestolo »



Offline Maracucho

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
Hijacked by http://rl.webtracer.cc/-/?bayzm
« Reply #8 on: April 06, 2005, 06:22:26 PM »
Done, here's the latest log
« Last Edit: April 08, 2005, 05:10:27 PM by Maracucho »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hijacked by http://rl.webtracer.cc/-/?bayzm
« Reply #9 on: April 06, 2005, 06:40:53 PM »
We still have that entry to rid you of
More info from Symantec
http://securityresponse.symantec.com/avcen...an.flush.a.html

Do the following
Disconnect from the Internet
With all other Windows closed, including this one
Go to START>>RUN>>type in
cmd
Hit OK
At the prompt type in
ipconfig /flushdns
Hit Enter on the keyboard

Do another scan with Hijackthis and fix checked this entry
O17 - HKLM\System\CCS\Services\Tcpip\..\{88FE6CC4-5EE1-42D7-B879-8623503EC608}: NameServer = 69.50.184.85 195.225.176.37

Restart your computer and post back a fresh Hijackthis log
« Last Edit: April 08, 2005, 05:19:55 PM by guestolo »

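The hand triage in Reply #5 (start page, search page, hosts, DPF and stylesheet entries) and the DNS-server check in Replies #7 and #9 can be written down as rules. The script below is an added example, not code from this thread or from HijackThis: it parses HijackThis-style log lines and flags the same kinds of entries the helper flagged. The sample log is constructed from the entries quoted in the thread plus a few benign lines; the trusted-host and trusted-resolver lists, the .test hostnames and the 192.168.1.1 resolver are assumptions an operator would fill in for their own machine. Two details worth noticing: the O1 hosts entry's address 1159680172 is a dotless decimal IPv4 address, which decodes to 69.31.80.172, and HijackThis prints the O17 resolvers comma-separated in Reply #7 and space-separated in Reply #9, so the parser accepts both.

```python
"""Triage a HijackThis-style log with the rules the thread above applies by hand.

Added example, not part of the original thread and not HijackThis code.
Sample log, trusted hosts and trusted resolvers are constructed/assumed.
"""
import ipaddress
import re

# Constructed: modelled on the entries quoted in Replies #5, #7 and #9, with
# three benign lines (trusted HKLM start page, web-sourced DPF, LAN resolver).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example-isp.test/portal
R3 - URLSearchHook: (no name) - {510E6A69-F6E3-0E22-E504-88142D649AEC} - C:\WINDOWS\system32\HPRTIcno.exe (file missing)
O1 - Hosts: 1159680172 auto.search.msn.com
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O16 - DPF: {00000000-0000-0000-0000-000000000001} Example Viewer - http://download.example-isp.test/viewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7C8DF4E-3191-4045-B1D6-B75157E3EEB3}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{88FE6CC4-5EE1-42D7-B879-8623503EC608}: NameServer = 69.50.184.85 195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: NameServer = 192.168.1.1
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
""".strip("\n")

# Assumed allowlists: what this particular user expects to see. Everything else
# is reported for a human to decide on, like the "do you recognize this?" step.
TRUSTED_HOSTS = {"www.example-isp.test"}
TRUSTED_RESOLVERS = {"192.168.1.1"}

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")


def decimal_to_dotted(token: str) -> str:
    """Expand a dotless decimal IPv4 address (e.g. 1159680172) to dotted quad.

    Hosts entries and URLs sometimes use this form to dodge a quick glance;
    anything that is not a bare integer is returned unchanged.
    """
    if token.isdigit() and int(token) < 2**32:
        return str(ipaddress.IPv4Address(int(token)))
    return token


def host_of(url: str):
    """Return the lower-cased host of an http(s) URL, or None for anything else."""
    m = re.match(r"https?://([^/?#:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage(log_text: str, trusted_hosts=TRUSTED_HOSTS, trusted_resolvers=TRUSTED_RESOLVERS):
    """Return (code, reason, line) for every log entry that needs attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reason = None
        if code in ("R0", "R1"):
            # IE start/search/default pages: anything not a URL on a trusted host
            value = body.partition(" = ")[2]
            host = host_of(value)
            if host is None:
                reason = f"IE setting is not a normal URL ({value}); a blanked default is a hijack symptom"
            elif host not in trusted_hosts:
                reason = f"IE start/search setting points at untrusted host {host}"
        elif code == "R3":
            if "(file missing)" in body or "(no name)" in body:
                reason = "URLSearchHook with no name or missing binary"
        elif code == "O1":
            # hosts file override "Hosts: <address> <name>"; decode decimal addresses
            addr, _, name = body.partition(":")[2].strip().partition(" ")
            reason = f"hosts file pins {name.strip()} to {decimal_to_dotted(addr)}"
        elif code == "O16":
            # Downloaded Program Files: ActiveX installers should come from the web, not a local cab
            src = body.rsplit(" - ", 1)[-1]
            if not src.lower().startswith(("http://", "https://")):
                reason = f"ActiveX control sourced from non-web location {src}"
        elif code == "O17":
            # per-interface DNS servers; HijackThis separates them with a comma or a space
            servers = re.split(r"[,\s]+", body.partition("NameServer =")[2].strip())
            rogue = [s for s in servers if s and s not in trusted_resolvers]
            if rogue:
                reason = "DNS resolvers not on the expected list: " + ", ".join(rogue)
        elif code == "O19":
            reason = "user stylesheet forced: " + body.partition(":")[2].strip()
        if reason:
            findings.append((code, reason, line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Run against the sample it reports eight entries: the blanked Default_Page_URL, the webtracer start page, the orphaned URLSearchHook, the hosts pin (with the decoded address), the file:// cab, both interfaces pointing at the two public resolvers, and the forced stylesheet; the trusted HKLM page, the web-sourced cab and the LAN resolver pass. The allowlists are the judgement call the thread makes by asking the user what they recognize; the script only makes that question explicit.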


Offline Maracucho

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
Hijacked by http://rl.webtracer.cc/-/?bayzm
« Reply #10 on: April 07, 2005, 08:18:59 PM »
Done, here's the fresh log
« Last Edit: April 08, 2005, 05:11:30 PM by Maracucho »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hijacked by http://rl.webtracer.cc/-/?bayzm
« Reply #11 on: April 08, 2005, 01:13:47 AM »
Your log is looking good

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Stay safe :D
« Last Edit: April 08, 2005, 01:14:30 AM by guestolo »



Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hijacked by http://rl.webtracer.cc/-/?bayzm
« Reply #12 on: April 08, 2005, 04:34:54 PM »
One note: You are running Kodak's software updater.
Many consider BackWeb to be spyware; you can disable the updater if you wish.

Check out this link

http://faqs.kodak.com/EasyShare_Software_E...FAQ_13_841.shtm



Offline Maracucho

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
Hijacked by http://rl.webtracer.cc/-/?bayzm
« Reply #13 on: April 08, 2005, 04:48:21 PM »
Thank you very much, you've been very helpful. I'll probably disable the Kodak updater also. Thanks again for everything.
« Last Edit: April 08, 2005, 05:07:58 PM by Maracucho »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hijacked by http://rl.webtracer.cc/-/?bayzm
« Reply #14 on: April 08, 2005, 05:18:17 PM »
Good job Maracucho, I'll lock this topic as your problems are resolved.
If you need it reopened, please PM a Mod or the site Admin and supply a link to this thread.

Take Care :)
