I was in the school's computer lab doing some research for English I. (The PC is the exact one in GX1_Man's avatar.) I had to use IE 6 SP1 and of course it was going slowly. I wanted to get email, so I could get a link I emailed myself. I try to go to hotmail.com. That's exactly what I type. However, it takes me to http://hotmail.com.org, which is NOT what I wanted. I think to myself, "browser hijacker". So, I pull out my binder and extract my HJT diskette* (yeah, floppies have a use), pop it in, and scan. I don't see anything out of the ordinary. In fact, I've never seen a cleaner log:
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
A:\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126832105875
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amity.k12.or.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amity.k12.or.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = amity.k12.or.us
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: IM Detector (imdetector) - Unknown owner - C:\Program Files\IMLogic\IM Detector\detector.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
I Googled a few of the .exe files (difficult) but found nothing. It appears clean; even the last one appeared to be OK. Typing in the http and all the rest returns a 404 error (as it turns out, email is blocked in the lab...). But at this point, my concern is ridding the PCs of the hijacker, because if that can get through, what else can? We only have Norton for protection there, and if a virus gets on there... well, we use floppies a lot in that lab... Other PCs nearby were slow as well, but I didn't check for the hijacker there. So what's up?
*I don't know if there is a rule about floppy programs or not, but I haven't heard of one...
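An added example, not part of the original post and not HijackThis's own code: a small Python triage script for the HJT log format that picks out the entry types worth checking when a browser is being redirected (O1 hosts-file overrides, O17 DNS domain/search-list settings, O23 services with no known publisher or a missing binary), plus a helper that classifies how the typed hostname relates to the one the browser landed on. The sample log is constructed for the example (a few lines in the shape of the log above, plus an invented O1 hosts entry pointing hotmail.com at the documentation address 203.0.113.10, which does not appear in the real log); the function names and the finding labels are mine.

```python
"""Triage a HijackThis (HJT) log for browser-redirect causes (added example)."""
import re

# Constructed sample in the shape of a HijackThis log. The O1 line is invented
# for this example; the others mirror entries like those in the post.
SAMPLE_LOG = r"""
C:\WINNT\Explorer.EXE
A:\HijackThis.exe
O1 - Hosts: 203.0.113.10 hotmail.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amity.k12.or.us
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IM Detector (imdetector) - Unknown owner - C:\Program Files\IMLogic\IM Detector\detector.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Every HJT finding starts with a section code such as "O4 - "; the running
# process list at the top of the log has no such prefix and is skipped.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
HOSTS_RE = re.compile(r"Hosts: (\S+)\s+(\S+)")
DNS_RE = re.compile(r"(Domain|SearchList|NameServer) = (.*)$")
LOOPBACK = ("127.0.0.1", "::1")


def parse_hjt(text):
    """Return a list of (section, body) tuples for each HJT entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return (finding_kind, detail) pairs for entries that can cause redirects
    or that hide something worth verifying by hand."""
    findings = []
    for section, body in entries:
        if section == "O1":
            # A hosts-file mapping of a public site to anything but loopback
            # silently sends that name elsewhere without changing the URL.
            m = HOSTS_RE.match(body)
            if m and m.group(1) not in LOOPBACK:
                findings.append(("hosts-redirect", f"{m.group(2)} -> {m.group(1)}"))
        elif section == "O17":
            # Domain / search list / name server: an unexpected value makes
            # bare names resolve somewhere the user did not intend.
            m = DNS_RE.search(body)
            if m:
                findings.append(("dns-setting", f"{m.group(1)}={m.group(2)}"))
        elif section == "O23":
            name = body.split(" - ")[0]
            if "Unknown owner" in body:
                findings.append(("service-unknown-owner", name))
            if "(file missing)" in body:
                findings.append(("service-file-missing", name))
    return findings


def redirect_shape(typed, landed, dns_domains=()):
    """Classify how the hostname the browser landed on relates to the typed one."""
    typed = typed.lower().rstrip(".")
    landed = landed.lower().rstrip(".")
    if typed == landed:
        return "same-name"
    for domain in dns_domains:
        if landed == f"{typed}.{domain.lower().rstrip('.')}":
            return "dns-suffix-appended"   # the O17 domain was tacked on
    if landed.startswith(typed + "."):
        return "label-appended"            # e.g. hotmail.com -> hotmail.com.org
    if landed.endswith("." + typed):
        return "label-prepended"           # e.g. hotmail.com -> www.hotmail.com
    return "different-name"


if __name__ == "__main__":
    for kind, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:24} {detail}")
    print(redirect_shape("hotmail.com", "hotmail.com.org", ["amity.k12.or.us"]))
```

The `redirect_shape` check is the first thing to settle with a symptom like the one in the post: a hosts-file or DNS override changes which address a name resolves to but leaves the typed name in the address bar, so when the bar itself shows a different hostname, the request was rewritten before or after it left the browser (a BHO or toolbar, a proxy, or the browser's own name-completion behaviour), and the hosts and DNS entries alone will not explain it. The O23 flags are not verdicts: "Unknown owner" only means the binary carries no publisher string HJT could read, so each one needs checking against the path and the installed software, as the poster did by hand.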