Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

e-catalog.org

Status
Not open for further replies.
slicardie

slicardie

IS-IT--Management
Apr 16, 2002
136
0
0
LU
Hi guys,

My boss called me to fix a very strange thing. His start page was set to e-catalog.org so I tried the basic things first: Putting a blank page as start page, checking out the settings, uninstalling some suspicious programs, etc. It didn't work. So I tried removing it with Spybot 1.3 and other 3 spyware/adware removers (all up-to-date). Nothing worked. I even tried scanning for viruses but the computer is clean (I used the latest DAT and engine from McAfee). -I set system restore to off-.

I don't know what else to do. I even tried fixing the registry, but the registry entries renegerate themselves and the start page is set to e-catalog.org every time I changed it. Do you know anything about this and a way to fix it? Thanks in advance!!!
 
Sort by date Sort by votes
You are probably going to need to use hijackthis to fix the issue.

The difficulty for you will be that there may be things other than just the r0 and r1 ecatalog lines that need to be fixed. The second link below is a particularly good example of that.

here are three links, give you an idea of what you're looking at.




Post back if you need more help.

Regards.



-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Upvote 0 Downvote
Yesterday I was surfing the net in search of a solution and I found the links you sent to me... but believe me, I do not know what to do in order to fix the issue, as I am not a registry expert and I don't want to screw up the pc. I told my boss how to scan the computer and create the log (it's his home pc, not the one at work). I will send you the log when he brings it to me, ok? Thanks for your help diogenes10.
 
Upvote 0 Downvote
Diogenes10,

Here you have the log:

Logfile of HijackThis v1.98.0
Scan saved at 14:50:01, on 15/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE
C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\hrtcm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\InterVideo\Common\Bin\WinCinemaMgr.exe
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = guate.proxy.net:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: MraSearch Class - {30DA811B-BCBF-4aa7-B5E3-CEE0E03EF2B2} - C:\WINDOWS\SYSTEM32\MraSearch.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - C:\WINDOWS\system32\FWNToolbar.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Archivos de programa\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) -

Thanks in advance.
 
Upvote 0 Downvote
Ok, this is interesting.
First, I want you to know that I'm still very much a novice at this. When I cant find references where someone else has worked with this stuff before, I'm just guessing, and I'm doing some of that here.

This I'm not getting any hits on.
R3 - URLSearchHook: MraSearch Class - {30DA811B-BCBF-4aa7-B5E3-CEE0E03EF2B2} -
C:\WINDOWS\SYSTEM32\MraSearch.dll [ no hits ]


This shows in the three threads I linked earlier. It may be the loading process.
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe


These two clsids come up in a pestpatrol thread on rapid blaster.
O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} -
C:\WINDOWS\system32\FWNToolbar.dll

O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) -
In assorted places I've seen toolbarcop and bhodemon recommended.

This is what I think I'd try:
Run bhodemon and see if I could get rid of
O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} -
C:\WINDOWS\system32\FWNToolbar.dll

Look in running processes for hrtcm.exe and stop it if it's there.

Run Hijackthis and tick to fix any of these remaining:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: MraSearch Class - {30DA811B-BCBF-4aa7-B5E3-CEE0E03EF2B2} -
C:\WINDOWS\SYSTEM32\MraSearch.dll
O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} -
C:\WINDOWS\system32\FWNToolbar.dll
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) -

Reboot in safe mode and delete (or rename):
C:\WINDOWS\hrtcm.exe

(I think these should be deleted too but am not sure, on the spyware sites I would check with someone else before posting that.)
C:\WINDOWS\SYSTEM32\MraSearch.dll
C:\WINDOWS\system32\FWNToolbar.dll


And if anybody looking on feels like I've given bad advice here, feel free to chime in.

Hope this helps.

Regards.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Upvote 0 Downvote
Thank you, I'll try what you said. I can only say that I am highly suspecting about hrtcm.exe and the FWNToolbar. In fact I recall I saw it installed in his PC. First thing I'll try is to uninstall it and then see what happens... if not, I'll rename hrtcm.exe. I'm not sure about letting hijackthis! fix the registry entries... I think a better approach would be to take the steps before and then see if I can change the homepage. Do you agree? Your help is most appreciated.
 
Upvote 0 Downvote
I guess my thought would be you should start with the approach you are most comfortable with.

Before you attack though, back up one more time and consider the problems again. My opinion is that you are dealing with at least 2 and maybe 3 separate issues.

1) e-catalog.
If the first link is a complete log (and I'm not sure it is), it would imply e-catalog is r lines and the 1 exec file. The third link supports this because the other 2 exec files suggested for removal are related to wireless activity.

2)Rapid blaster
O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} -
C:\WINDOWS\system32\FWNToolbar.dll
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - Google on each of those clsids gives this as the first hit:

Which makes me think there is at least a potential they are connected, but a different issue than the ecatalog. (and you can also see pestpatrol suggestions for manual removal.)


3) And that leaves this one:
R3 - URLSearchHook: MraSearch Class - {30DA811B-BCBF-4aa7-B5E3-CEE0E03EF2B2} -
C:\WINDOWS\SYSTEM32\MraSearch.dll
Which I'm choosing to consider as a separate threat - but it may not be. (The fact it gets no hits does not absolutely mean it's a problem, but it makes it very suspicious. (Again - something I dont know for a fact, but I've read that processview from sysinternals will show file relationships and that might be a helpful tool to run here.)

So then the "attack" needs to stop each threat, remove it, and destroy its restarting mechanism. The reason I said all that is that my concern is that just doing something with the toolbar and the 1 exe file may not be enough to completely deal with any of the individual threats that comprise the total problem.

(I've never run hjt from a floppy-It does make backups and I assume that if the floppy is not write protected, it will backup to the floppy if run from it.)

Hope this helps.

Regards.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Upvote 0 Downvote
Thanks Diogenes10. I haven't been able to try the solutions, as I am at work and have little time to visit my boss' house to check his computer. Besides I think he's busy too and haven't told me anything yet... I appreciate all the solutions you have given me so far. I promise I'll try to visit my boss' house asap and let you know whenever I get rid of his troubles... if I can :) If not, I'll ask you again :)
 
Upvote 0 Downvote
My $.02

I am also relatively new to this, but found a handy little HJT tutorial that is a great reference ( Using this and keeping a link to sysinfo.org open in Firefox will help you with most of what you will run across in HJT. According to the tutorial,"For the R3 items, always fix them unless it mentions a program you recognize, like Copernic."
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DrB0b
  • Locked
  • Question
DKIM for Exchange 2019
Replies
1
Views
86
DrB0b
DrB0b
SaltyTheFrog
  • Locked
  • Question
Nearby Share security exposure
Replies
3
Views
149
goombawaho
goombawaho
johncp
  • Locked
  • Question
A Warning: DON'T LET EMOTION SUSPEND CREDIBILITY.
Replies
1
Views
62
goombawaho
goombawaho
riobogmedacaliaires
  • Locked
  • Question
how to exclude folders in trend officescan 11 client side
Replies
0
Views
39
riobogmedacaliaires
riobogmedacaliaires
goombawaho
  • Locked
  • Helpful tip
Evil: Poweliks Malware 1
Replies
1
Views
40
kjv1611
kjv1611

Part and Inventory Search

Sponsor

Back
Top