Hijack This Log

Discussion in 'adware, spyware & hijack cleaning' started by Taren, Mar 19, 2004.

Thread Status:
Not open for further replies.
  1. Taren

    Taren Guest

    I work for a small ISP, and I have a customer who has a browser hijack problem. I've had him run ad aware, then run housecall, reboot, and then get this log from hijack this. The problem he's having is with cool web search. The housecall scan fixed like 5 trojans, but it's still happening. Here is his log...

    Logfile of HijackThis v1.97.7
    Scan saved at 4:42:45 PM, on 3/19/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Saf-T-Net\AgentSrv.EXE
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\QCONSVC.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\tp4serv.exe
    C:\WINNT\System32\atiptaxx.exe
    C:\WINNT\System32\PRPCUI.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\WINNT\AGRSMMSG.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\WINNT\reg32.exe
    C:\PROGRA~1\StupidTitle\01dogbleh.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
    C:\Program Files\Symantec\ACT\SideACT.exe
    C:\Program Files\Symantec\ACT\ACTLDR.EXE
    C:\lotus\organize\easyclip.exe
    C:\lotus\smartctr\SUITEST.EXE
    C:\lotus\smartctr\SMARTCTR.EXE
    C:\Program Files\Saf-T-Net\CBSysTray.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\reg32.exe
    C:\WINNT\System32\appsys.exe
    C:\Documents and Settings\Administrator\Desktop\HIJACKTH.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.inf/?id=54
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://lxzpnc.t.muxa.cc/h.php?aid=227 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
    O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [bodydead] C:\PROGRA~1\StupidTitle\01dogbleh.exe
    O4 - HKCU\..\Run: [BMUpdate] C:\WINNT\System32\BMUpdate.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Startup: Saf-T-Net TaskBar Icon.LNK = C:\Program Files\Saf-T-Net\CBSysTray.exe
    O4 - Global Startup: SideACT!.lnk = C:\Program Files\Symantec\ACT\SideACT.exe
    O4 - Global Startup: ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE
    O4 - Global Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
    O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\SUITEST.EXE
    O4 - Global Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\SMARTCTR.EXE
    O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O12 - Plugin for .2: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npvmidi.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} (SupportSoft Password Reset Class) - http://help.bellsouth.net/sdccommon/download/tgctlpw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/22508dca5b7f4e2cfe06/netzip/RdxIE6.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/aslibmain/aslib/content/IbmEgath.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37679.3486921296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.com/pc/support/access/aslibmain/aslib/content/AcpControl.cab
    O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.co.gaston.nc.us/GWM4/Fire_16/ACGM/Acgm.cab
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vnet.net
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = vnet.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vnet.net
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Taren,

    Before you start please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. On the desktop it will get very messy.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.inf/?id=54
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://lxzpnc.t.muxa.cc/h.php?aid=227 (obfuscated)

    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg

    O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [bodydead] C:\PROGRA~1\StupidTitle\01dogbleh.exe

    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/22508dca5b7f4e2cfe06/netzip/RdxIE6.cab

    Then please download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then reboot and delete:
    c:\winnt\tour.reg
    C:\WINNT\reg32.exe
    sys.reg

    Then I would be very curious to find out what this is:
    C:\PROGRAM FILES\StupidTitle\01dogbleh.exe
    Not something I would install at first sight, but who knows?

    Regards,

    Pieter
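The entries Pieter singles out above follow a few recognisable patterns: IE start/search values stored obfuscated, a start page pointed at a local HTML file, and O4 autostart entries that silently re-import a .reg file at every logon (which is how a hijack re-asserts itself after a "fix"). The following script is an added example, not code from the thread or from HijackThis, that encodes those triage rules and runs them over a handful of lines copied from the log posted above. The severity labels, regexes and the "review" bucket for any other third-party URL in an R0/R1 line are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Sample entries copied from the HijackThis log posted in this thread, plus two
# benign lines from the same log so the filter has something to ignore.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.inf/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lxzpnc.t.muxa.cc/s.php?aid=227 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "R1" or "O4"
    severity: str  # "high" = matches a hijack pattern; "review" = non-default, look at it
    reason: str
    line: str


# Assumed patterns for this example: "R1 - ..." / "O4 - ..." entry shape,
# a drive-letter path ending in .htm/.html, and regedit run with /s or -s.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
LOCAL_HTML_RE = re.compile(r"^[A-Za-z]:\\.*\.html?$", re.IGNORECASE)
SILENT_REGEDIT_RE = re.compile(r"\bregedit(?:\.exe)?\s+[/-]s\b", re.IGNORECASE)


def _check_r_entry(sec, body):
    """R0/R1 lines: IE start/search values that differ from the defaults."""
    if " = " not in body:
        return None
    _key, value = body.split(" = ", 1)
    if value.endswith("(obfuscated)"):
        return (sec, "high", "search/start URL stored obfuscated (a CoolWebSearch trait)")
    if LOCAL_HTML_RE.match(value):
        return (sec, "high", "start/search page redirected to a local HTML file")
    if value.lower().startswith(("http://", "https://")):
        return (sec, "review", "IE search/start setting points at a third-party URL")
    return None  # e.g. ProxyOverride = localhost is not a URL and is left alone


def _check_o4_entry(sec, body):
    """O4 lines: autostart entries. Flag silent registry imports at logon."""
    command = body.split(": ", 1)[1] if ": " in body else body
    if SILENT_REGEDIT_RE.search(command):
        return (sec, "high", "autostart re-imports a .reg file silently at every logon")
    return None


def triage(log_text):
    """Return the R0/R1/O4 entries worth fixing or reviewing, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers and blank lines carry no entry code
        sec, body = m.group("sec"), m.group("body")
        hit = None
        if sec in ("R0", "R1"):
            hit = _check_r_entry(sec, body)
        elif sec == "O4":
            hit = _check_o4_entry(sec, body)
        if hit:
            findings.append(Finding(hit[0], hit[1], hit[2], line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run it against a full log and the "high" rows line up with the R0/R1 and regedit O4 entries Pieter lists, while the "review" rows (third-party search URLs, unknown O4 executables like the 01dogbleh.exe entry this script does not flag) still need a human to decide, as the rest of the thread shows.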
     
  3. Taren

    Taren Guest

    Hi, just got back in touch with this customer, and he said that he has no idea what that file is. Should he remove it or just ignore it? Also, I wanted to say thank you for the help. It got rid of the hijacker that he had been trying to get rid of for like two weeks.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Taren,

    Could you have him send that mystery file to the address in my profile? I am kind of curious to find out what that is.

    Regards,

    Pieter
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    that is 99% sure to be lop
    O4 - HKLM\..\Run: [bodydead] C:\PROGRA~1\StupidTitle\01dogbleh.exe


    adaware takes out the BHO entries but is leaving the O4 startup

    it's the 3rd new variety of it I've seen this week and I have sent several different copies of similar files to adaware & spybot, but as they are random it's getting difficult to pin the blighters down again
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi dvk01,

    That was my first instinct as well, but leaving the startup usually produces a "passthrough" hijack for the startpage, and I didn't see that (it could have been overwritten by CWS). And as you know, the more variants they have, the better their detection and removal gets.

    Regards,

    Pieter
     