What is this computer infected with?

I’m usually pretty good at diagnosing and getting rid of these things, but this one is eluding me.

The IE browser homepage was hijacked to www.browser-page.com, and when I visit that page, a clone of msn.com displays with a bunch of popups about spyware from www.adwarehunter.com, and the CD-ROM drive opens.

When I go there from my laptop which is not infected, I get the myway news page, no popups, and no hot drive tray action.

I’ve run updated copies of both adaware and spybot S&D (neither found anything), and there is updated virus protection on the computer as well. Googling browser-page.com and adwarehunter.com is no help.

Any suggestions?

By far I am no computer genius; however, I use “Hijack This” (it’s a program kinda like Spybot) to see if I can find anything fishy. When all else fails, Hijack This can usually help me out.

Thanks, I ran Hijack This, here is the log:

Logfile of HijackThis v1.97.3
Scan saved at 9:05:02 PM, on 3/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\YAC\yac.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38049.6845833333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

It all looks normal as far as I can tell. AVG is the virus scanner. There’s a Lexmark X63 USB printer installed. Lansuits is a mail server. Yac is a Tivo hack that displays caller ID info on my TV screen. Logonui.exe and logon.scr running is normal because I’m using remote desktop to access the machine.

Some other things I’ve tried: I searched the registry for browser-page and adware, as well as the IP addresses I get when I ping browser-page.com and adwarehunter.com; nothing. When I ping browser-page.com it gets the correct IP, not the hijacked one. If I could figure out the IP of the actual hijacked msn.com clone page, I’d try searching for that, too. I’ve checked my hosts file; nothing there.

Well, I’ll be dipped. Your log looks A-OK to me. I can’t think of anything else, but I am sure another much cooler doper will be along shortly to tell you some things to try. Somewhere around “the winter of our lost content” I had a 100-something post thread going about a computer problem I had, so I have full confidence in our fellow dopers :smiley:

Spybot, adaware, etc., only target adware and spyware. They don’t identify viruses, trojans, etc.

What you have is a type of “infection” that is not considered adware, spyware, virus or trojan. Lots of companies won’t target these types of programs, which you download with a variety of freeware, like Kazaa and other peer-to-peer sharing programs, because you supposedly give permission for them to be installed along with the freeware.

Currently, McAfee will find and clean these programs, whereas Norton will not. My son had that CD drive door opening one, along with popups that won’t close and I was forced to buy McAfee in order to get rid of it because Norton doesn’t recognize it as a virus.

If you do a McAfee online scan, it will identify the “virus” but won’t clean it. You need the full program to clean it or attempt to do it yourself which is darned near impossible.

Good luck.

I’d take a look at your hosts file. Normally the only active line is something like — localhost and a number of lines that start with # (comment)
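As an added example (not code from this thread), here is a small Python script that does the hosts-file check described above: it parses the file's format, ignores whole-line and inline comments, and lists every active mapping other than the plain loopback localhost line, which is the only thing a stock hosts file should carry. The sample file and the address 203.0.113.7 are constructed for the demo; msn.com and www.browser-page.com are the names from the thread.

```python
"""Hosts-file audit: list every mapping that could redirect a browser.

Added example, not from the thread. Parses the hosts file format
(IP, one or more hostnames, optional '#' comment) and reports each
mapping that is not the usual loopback 'localhost' line.
"""
import ipaddress
from typing import List, Tuple

# Names a stock hosts file legitimately maps to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: the stock line, a commented-out line, two
# redirections of the kind the thread discusses, and the IPv6 loopback.
# 203.0.113.7 is a documentation address, not a real server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# 127.0.0.1     rhino.acme.com          # source server
203.0.113.7     www.msn.com msn.com   # constructed: msn.com sent elsewhere
203.0.113.7     www.browser-page.com
::1             localhost
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, ip, [hostnames]) for every active mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop inline and whole-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # malformed line; nothing maps here
        ip, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                          # first field is not an address
        entries.append((lineno, ip, names))
    return entries


def suspicious_entries(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, hostname, ip) for every mapping that is not plain loopback.

    A loopback address paired with a name other than localhost is reported
    too: it is harmless when an anti-spyware blocklist put it there, but it
    is still a deliberate change worth knowing about.
    """
    findings = []
    for lineno, ip, names in parse_hosts(text):
        loopback = ipaddress.ip_address(ip).is_loopback
        for name in names:
            if loopback and name in LOOPBACK_NAMES:
                continue
            findings.append((lineno, name, ip))
    return findings


if __name__ == "__main__":
    for lineno, name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

On a real machine, read `C:\WINDOWS\system32\drivers\etc\hosts` into `text` instead of the constructed sample. Any line that sends a well-known site to an address that is not loopback is the redirection the thread is hunting for; loopback lines for ad hosts are the ones blocklist tools add on purpose.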

I advise that you visit this site. It is dedicated to assistance in removing spyware, etc. They have Forums and with a search you might find a good fix. Make sure that you have the latest updates from Spybot. They are sometimes hard to get. I would also try CWShredder and see if that helps. There are links to it in the Spyware Forums. Your HiJack This log looks smaller than some that I have seen. You can post your log at the Forums and they will analyse it and help you out. My guess is that it is in the registry somewhere. There is also a nice program called Spyware Blaster that you install and it prevents identified spyware from installation in the first place. It will not help now but prevents future problems. I have had good success with it on the computers at home. Make sure as always to install the latest updates. Post back if successful as I would be interested in the solution. Good luck.

I had something very similar a couple of months ago. Fellow dopers advised me to switch browsers, since these types of attacks are almost always designed to zero in on Explorer (that is what most people use, so they get more victims). I changed to Firebird and my troubles immediately vanished. :slight_smile:

Some time back, a program called Qhost did exactly that kind of thing. What you got is probably a variant of it.

You left out the most relevant portions of the hijackthis log: the R1 entries. They’ll tell about any browser hijackings. The log is also truncated, so if it is infected, it can’t be determined.

The most common cause for browser hijackings these days is CoolWebSearch. Download and run CWShredder to see if that cleans it.

If CWShredder doesn’t run, you may need to run the CWS Killer removal tool on the page.
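As an added example (not from the thread, and not part of HijackThis), the Python script below does the triage this post asks for: it parses the log's line format (section code, ` - `, category, details) and pulls out the entries a browser hijack shows up in, namely the R0/R1/R3 start and search page values, O1 hosts redirections, O2 browser helper objects with no name, and O16 ActiveX downloads from hosts outside a trusted list. The O2, O3, O4 and O16 lines in the sample are the ones posted above; the R1 and O1 lines, the trusted-host list and the address 203.0.113.7 are constructed for the demo.

```python
"""HijackThis log triage: surface the entries that decide a browser hijack.

Added example, not from the thread and not HijackThis code. The R1 and O1
sample lines and TRUSTED_HOSTS are constructed; the remaining sample lines
are the ones posted in the thread.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed: hosts a default IE install points at. A start page or an
# ActiveX download from anywhere else deserves a second look.
TRUSTED_HOSTS = {"microsoft.com", "msn.com", "macromedia.com"}

ENTRY = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
URL = re.compile(r"https?://\S+")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# First line is blank on purpose (raw string), parse_entry skips it.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.browser-page.com/
O1 - Hosts: 203.0.113.7 www.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38049.6845833333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    """True when host is one of TRUSTED_HOSTS or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into code, body and any URL / CLSID it carries."""
    m = ENTRY.match(line.strip())
    if not m:
        return None                      # process list, header, blank line
    body = m.group("body")
    url = URL.search(body)
    clsid = CLSID.search(body)
    return {
        "code": m.group("code"),
        "body": body,
        "url": url.group(0) if url else "",
        "clsid": clsid.group(0) if clsid else "",
    }


def triage(log: str) -> List[Dict[str, str]]:
    """Return the entries that need a human look, each with a reason."""
    findings = []
    for line in log.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        code, url = e["code"], e["url"]
        reason = ""
        if code in ("R0", "R1", "R3") and url and not is_trusted(host_of(url)):
            reason = "IE start/search page points at an untrusted host"
        elif code == "O1":
            reason = "hosts file redirection"
        elif code == "O2" and "(no name)" in e["body"]:
            reason = "BHO with no name; confirm the backing DLL is expected"
        elif code == "O16" and url and not is_trusted(host_of(url)):
            reason = "ActiveX control downloaded from an untrusted host"
        if reason:
            findings.append({**e, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']}: {f['reason']}\n    {f['body']}")
```

Run against the sample, the constructed R1 and O1 lines are reported, and so is the unnamed Adobe BHO, which is the expected Acrobat Reader helper and can be cleared once its DLL path is confirmed; the two O16 downloads resolve to Microsoft and Macromedia hosts and pass. Feed the full log (including the R entries this post says were left out) to `triage` to get the same short list for a real machine.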

I would have to agree; I use Mozilla. For all I know it’s a glorified IE; however, I don’t have the problems I had using IE. My niece always uses IE when she uses my computer and it drives me insane because I usually end up having to get rid of something.