CoolWWW hijack

Discussion in 'adware, spyware & hijack cleaning' started by piersw, May 4, 2004.

Thread Status:
Not open for further replies.
  1. piersw

    piersw Registered Member

    Joined:
    May 4, 2004
    Posts:
    2
    Hi,

    I ran Ad-aware and SpySweeper and still I cannot get rid of the browser hijacking. Here is the HijackThis log. Any help will be great as I am about to format the drive!

    Logfile of HijackThis v1.97.7
    Scan saved at 17:35:06, on 04/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
    C:\Windows\Cpqdiag\Cpqdfwag.exe
    C:\Windows\SYSTEM32\DWRCS.EXE
    C:\Windows\System32\NMSSvc.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Windows\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\wuauclt.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Windows\System32\PROMon.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\EGM\Application Data\cacp.exe
    C:\Program Files\a2\a2guard.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    \trin-svr1\Utilities\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F1 - win.ini: run=C:\Windows\System32\services\wmplayer.exe
    O2 - BHO: (no name) - {B3393151-2332-4D58-A84E-93C2E191E719} - C:\Windows\System32\ekh.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [win32.exe] C:\Windows\win32.exe
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [window.exe] C:\Windows\System32\window.exe
    O4 - HKCU\..\Run: [Lerm] C:\Documents and Settings\EGM\Application Data\cacp.exe
    O4 - HKCU\..\Run: [WNST] C:\Windows\System32\wnsapisv.exe
    O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16c72bf6e1ddb279dc17/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.co.uk/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37727.1255787037
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = trinitydom.local
    O17 - HKLM\Software\..\Telephony: DomainName = trinitydom.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = trinitydom.local
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi piersw,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F1 - win.ini: run=C:\Windows\System32\services\wmplayer.exe
    O2 - BHO: (no name) - {B3393151-2332-4D58-A84E-93C2E191E719} - C:\Windows\System32\ekh.dll

    O4 - HKLM\..\Run: [win32.exe] C:\Windows\win32.exe

    O4 - HKCU\..\Run: [window.exe] C:\Windows\System32\window.exe
    O4 - HKCU\..\Run: [Lerm] C:\Documents and Settings\EGM\Application Data\cacp.exe
    O4 - HKCU\..\Run: [WNST] C:\Windows\System32\wnsapisv.exe

    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16c72bf6e1ddb279dc17/netzip/RdxIE601.cab

    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

    Then reboot into safe mode and delete:
    C:\Windows\win32.exe
    C:\Windows\System32\window.exe
    C:\Documents and Settings\EGM\Application Data\cacp.exe
    C:\Windows\System32\wnsapisv.exe
    C:\Program Files\Q330994.exe

    Then follow intructions here:
    https://www.wilderssecurity.com/showpost.php?p=162440&postcount=4

    Regards,

    PZieter
     
  3. piersw

    piersw Registered Member

    Joined:
    May 4, 2004
    Posts:
    2
    Sorry for the delay in the reply. It worked after a fashion and I went hacking after to finish it up. Thanks for your help Pieter... much appreciated.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
Thread Status:
Not open for further replies.