Hijack This Log

I work for a small ISP, and I have a customer who has a browser hijack problem. I've had him run ad aware, then run housecall, reboot, and then get this log from hijack this. The problem he's having is with cool web search. The housecall scan fixed like 5 trojans, but it's still happening. Here is his log...

Logfile of HijackThis v1.97.7
Scan saved at 4:42:45 PM, on 3/19/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Saf-T-Net\AgentSrv.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\dla\tfswctrl.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\reg32.exe
C:\PROGRA~1\StupidTitle\01dogbleh.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\Program Files\Symantec\ACT\SideACT.exe
C:\Program Files\Symantec\ACT\ACTLDR.EXE
C:\lotus\organize\easyclip.exe
C:\lotus\smartctr\SUITEST.EXE
C:\lotus\smartctr\SMARTCTR.EXE
C:\Program Files\Saf-T-Net\CBSysTray.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\reg32.exe
C:\WINNT\System32\appsys.exe
C:\Documents and Settings\Administrator\Desktop\HIJACKTH.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.inf/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://lxzpnc.t.muxa.cc/h.php?aid=227 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [bodydead] C:\PROGRA~1\StupidTitle\01dogbleh.exe
O4 - HKCU\..\Run: [BMUpdate] C:\WINNT\System32\BMUpdate.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Saf-T-Net TaskBar Icon.LNK = C:\Program Files\Saf-T-Net\CBSysTray.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\Symantec\ACT\SideACT.exe
O4 - Global Startup: ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE
O4 - Global Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\SUITEST.EXE
O4 - Global Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\SMARTCTR.EXE
O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .2: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npvmidi.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} (SupportSoft Password Reset Class) - http://help.bellsouth.net/sdccommon/download/tgctlpw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/22508dca5b7f4e2cfe06/netzip/RdxIE6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/aslibmain/aslib/content/IbmEgath.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37679.3486921296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.com/pc/support/access/aslibmain/aslib/content/AcpControl.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.co.gaston.nc.us/GWM4/Fire_16/ACGM/Acgm.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vnet.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = vnet.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vnet.net

 

Hi Taren,

Before you start please unzip hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. On the desktop will get very messy.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.inf/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://lxzpnc.t.muxa.cc/h.php?aid=227 (obfuscated)

O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg

O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [bodydead] C:\PROGRA~1\StupidTitle\01dogbleh.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/22508dca5b7f4e2cfe06/netzip/RdxIE6.cab

Then please download and run CWShredder
Use the Fix button and follow the instructions provided by the program.

Then reboot and delete:
c:\winnt\tour.reg
C:\WINNT\reg32.exe
sys.reg

Then I would be very curious to find out what this is:
C:\PROGRAM FILES\StupidTitle\01dogbleh.exe
Not something I would install at first sight, but who knows?

Regards,

Pieter

 

Hi, just got back in touch with this customer, and he said that he has no idea what that file is. Should he remove it or just ignore it? Also, I wanted to say thank you for the help. It got rid of the hijacker that he had been trying to get rid of for like two weeks.

 

Hi Taren,

Could you have him send that mystery file to the address in my profile? I am kind of curious to find out what that is.

Regards,

Pieter

 

Hi dvk01,

That was my first instinct as well, but leaving the startup usually produces a "passthrough" hjiack for the startpage, and I didn't see that. (Could have been overwritten by CWS) and as you know, the more variants they have, the better their detection and removal gets.

Regards,

Pieter