CoolWWW hijack

Discussion in 'adware, spyware & hijack cleaning' started by piersw, May 4, 2004.

Thread Status:
Not open for further replies.
  1. piersw

    piersw Registered Member

    Joined:
    May 4, 2004
    Posts:
    2
    Hi,

    I ran Ad-aware and SpySweeper and still I cannot get rid of the browser hijacking. Here is the HijackThis log. Any help will be great as I am about to format the drive!

    Logfile of HijackThis v1.97.7
    Scan saved at 17:35:06, on 04/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
    C:\Windows\Cpqdiag\Cpqdfwag.exe
    C:\Windows\SYSTEM32\DWRCS.EXE
    C:\Windows\System32\NMSSvc.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Windows\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\wuauclt.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Windows\System32\PROMon.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\EGM\Application Data\cacp.exe
    C:\Program Files\a2\a2guard.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    \trin-svr1\Utilities\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F1 - win.ini: run=C:\Windows\System32\services\wmplayer.exe
    O2 - BHO: (no name) - {B3393151-2332-4D58-A84E-93C2E191E719} - C:\Windows\System32\ekh.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [win32.exe] C:\Windows\win32.exe
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [window.exe] C:\Windows\System32\window.exe
    O4 - HKCU\..\Run: [Lerm] C:\Documents and Settings\EGM\Application Data\cacp.exe
    O4 - HKCU\..\Run: [WNST] C:\Windows\System32\wnsapisv.exe
    O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16c72bf6e1ddb279dc17/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.co.uk/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37727.1255787037
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = trinitydom.local
    O17 - HKLM\Software\..\Telephony: DomainName = trinitydom.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = trinitydom.local
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi piersw,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\Windows\System32\ekh.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F1 - win.ini: run=C:\Windows\System32\services\wmplayer.exe
    O2 - BHO: (no name) - {B3393151-2332-4D58-A84E-93C2E191E719} - C:\Windows\System32\ekh.dll

    O4 - HKLM\..\Run: [win32.exe] C:\Windows\win32.exe

    O4 - HKCU\..\Run: [window.exe] C:\Windows\System32\window.exe
    O4 - HKCU\..\Run: [Lerm] C:\Documents and Settings\EGM\Application Data\cacp.exe
    O4 - HKCU\..\Run: [WNST] C:\Windows\System32\wnsapisv.exe

    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16c72bf6e1ddb279dc17/netzip/RdxIE601.cab

    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

    Then reboot into safe mode and delete:
    C:\Windows\win32.exe
    C:\Windows\System32\window.exe
    C:\Documents and Settings\EGM\Application Data\cacp.exe
    C:\Windows\System32\wnsapisv.exe
    C:\Program Files\Q330994.exe

    Then follow intructions here:
    https://www.wilderssecurity.com/showpost.php?p=162440&postcount=4

    Regards,

    PZieter
     
  3. piersw

    piersw Registered Member

    Joined:
    May 4, 2004
    Posts:
    2
    Sorry for the delay in the reply. It worked after a fashion and I went hacking after to finish it up. Thanks for your help Pieter... much appreciated.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.