Ridiculous Browser Hijack

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by nicetime, Feb 7, 2004.

  1. nicetime

    nicetime Private E-2

Sorry for starting a new thread with a HijackThis log, but I need someone to take a look and I couldn't really find much info. If you look there is the obvious Freshvideogals, which is a bitch, and that IP above it. You delete them and they come back. There is a file that is running that reproduces after shutdown and it just comes back. I know with another browser hijack you have to go into safe mode and delete winlogon.exe. I think this is the same thing but I don't know which file. It's technically a Trojan and I probably could delete it through Norton but I would rather do it through HijackThis. HijackThis has the best shot because CWShredder and all the Ad-Aware in the world won't get rid of this. Here it is. Thanks.

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\system32\CTSVCCDA.EXE
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\system32\CTHELPER.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\WINNT\svchost.exe
    C:\Program Files\ATI Multimedia\main\launchpd.exe
    C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
    C:\WINNT\System32\rundll32.exe
    C:\Program Files\Creative\SBAudigy\SurMix2\SurMix2.exe
    C:\Documents and Settings\Administrator\My Documents\docs\Programs and Drivers\Program Setups\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.103.153.158
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://66.103.153.158
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freshvideogals.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://freshvideogals.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://freshvideogals.com/search/small.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://freshvideogals.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://freshvideogals.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://freshvideogals.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://freshvideogals.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://freshvideogals.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://freshvideogals.com/search/small.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@www.efinder.cc/search/ (obfuscated)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [MsiMyDesktop] C:\Program Files\Mountain Systems, Inc\MyDesktop\MyDesktop.exe WindowsStartupCheck
    O4 - HKLM\..\Run: [AdobeFonts] C:\WINNT\Fonts\fonts.hta
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [Online Service] C:\WINNT\svchost.exe
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
    O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
    O4 - HKCU\..\Run: [AddClass] C:\WINNT\AddClass.exe
    O9 - Extra button: ATI TV (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - WWW. Prefix: http://ehttp.cc/?
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37981.6787962963
    O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Aurelius

    Aurelius Private First Class

    On your running processes list I found a suspicious item and after some research got the following info:

isass.exe (or Isass.exe with a capital i) is a virus added to the system as a result of a variant of the OPTIX PRO TROJAN that opens TCP port 3410 and allows a hacker to control an infected PC.
(found it on this site http://www.liutilities.com/products/wintaskspro/processlibrary/isass/ )

Do not mix it up with Lsass.exe (or lsass.exe), since it is a Windows file!
If you can't find any further information, delete this file along with those Registry entries and see what happens.
     
  3. Greyhound

    Greyhound Sergeant

    Take a look at this site for more information on how to read these. :) :) :rolleyes: http://www.spywareinfo.com/~merijn/htlogtutorial.html
     
  4. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

Hi nicetime, close all browser windows, then check and fix these:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.103.153.158
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://66.103.153.158
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freshvideogals.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://freshvideogals.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://freshvideogals.com/search/small.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://freshvideogals.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://freshvideogals.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://freshvideogals.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://freshvideogals.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://freshvideogals.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://freshvideogals.com/search/small.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@www.efinder.cc/search/ (obfuscated)

And you've definitely used Ad-Aware, Spybot and CWShredder, all updated to the latest releases, yes?

@aurelius that looks clean to me, just the normal process
http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

But just to be on the safe side, go here and run a full scan
http://www.trojanscan.com/
or here
http://housecall.trendmicro.com/

Post back with your results.
     
  5. alanc

    alanc MajorGeek

  6. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

Thanks for coming in, alanc. Can't believe I bypassed those :(

Seen so many log files lately, guess I'm getting lazy ;)

@nicetime I would definitely recommend that online scan now, seems you're crawling with nasty stuff.

Thought I'd better take another look. You also want to dump this:
O13 - WWW. Prefix: http://ehttp.cc/?

Just to add, check the svchost files alanc spotted.
Reboot, then find and delete these:
C:\WINNT\svchost.exe
C:\WINNT\System32\svchosts.exe
C:\WINNT\System32\svchost c.exe
     
    Last edited: Feb 7, 2004
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

I'm confused here! :confused: I thought svchost.exe is a required Windows OS file for NT-based systems. I believe, however, it is normally in system32\svchost.exe. So doesn't one have to be careful about deleting this file? Granted, in the list above you do not exactly match having svchost.exe in system32, but shouldn't we be careful what is being deleted?
     
  8. alanc

    alanc MajorGeek

    It is ALWAYS in system32 unless it is a virus.
    Check the info at the 2nd link in my post above.

    BTW, Windows svchost.exe is not an "Online Service" ;)
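The checks the replies above make by hand can be scripted. The Python below is an added example, not code from this thread or from HijackThis: it walks a HijackThis-style log and flags a Windows system binary name running from somewhere other than its normal directory (alanc's point about C:\WINNT\svchost.exe), a near-miss spelling of a system binary such as svchosts.exe, "svchost c.exe" or isass.exe (the lsass/isass confusion Aurelius raises), a start or search page set to a bare IP or to a user@host URL whose real destination is the part after the "@" (the "obfuscated" R1 line), a script file launched from a Run key, and any O13 default-prefix entry. The embedded sample log is a subset of the lines nicetime posted, plus the two extra svchost paths General_Lee_Stoned names in post 6 added as constructed process lines so the lookalike check has something to catch. The expected-directory table, the character folding in canonical() and the edit-distance threshold of 1 are heuristics I chose for this example, not HijackThis behaviour.

```python
"""Triage a HijackThis-style log for the hijack patterns discussed in this thread.
Added example, not HijackThis code. Heuristics and thresholds are assumptions."""
import re

# Where these Windows 2000/XP binaries live, relative to %SystemRoot% (C:\WINNT or
# C:\WINDOWS). A copy anywhere else, or a near-miss spelling, is worth a look.
EXPECTED_DIR = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "",
}
SCRIPT_EXT = (".hta", ".vbs", ".js", ".bat", ".cmd", ".scr", ".pif")

# Constructed sample: lines from the posted log plus the two paths named in post 6.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\svchost.exe
C:\WINNT\System32\svchosts.exe
C:\WINNT\System32\svchost c.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://66.103.153.158
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@www.efinder.cc/search/ (obfuscated)
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [AdobeFonts] C:\WINNT\Fonts\fonts.hta
O4 - HKLM\..\Run: [Online Service] C:\WINNT\svchost.exe
O13 - WWW. Prefix: http://ehttp.cc/?
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
"""

# First drive-letter path in a Run command, with or without surrounding quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|hta|vbs|js|bat|cmd|scr|pif))(?=["\s]|$)', re.I)

def split_path(path):
    parts = path.replace("/", "\\").lower().split("\\")
    return parts[:-1], parts[-1]

def canonical(name):
    # Fold the substitutions lookalike names rely on: 'i' or '1' for 'l', '0' for 'o',
    # and inserted spaces ("svchost c.exe"). Assumed folding set, not exhaustive.
    return name.lower().replace(" ", "").translate(str.maketrans("i10", "llo"))

def edit_distance(a, b):
    """Levenshtein distance; one insert/delete/substitute counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_binary(path):
    """Finding text for one executable path, or None if nothing stands out."""
    dirs, name = split_path(path)
    if name in EXPECTED_DIR:
        under_root = len(dirs) >= 2 and dirs[1] in ("winnt", "windows")
        if not (under_root and "\\".join(dirs[2:]) == EXPECTED_DIR[name]):
            return f"{name} outside its normal directory: {path}"
        return None
    for real in EXPECTED_DIR:
        if edit_distance(canonical(name), canonical(real)) <= 1:
            return f"lookalike of {real}: {path}"
    if name.endswith(SCRIPT_EXT):
        return f"script launched at startup: {path}"
    return None

def check_url(url):
    """Finding text for a start/search URL that hides where it really goes, or None."""
    m = re.match(r"https?://([^/?#]*)", url)
    netloc = m.group(1) if m else ""
    host = netloc.rsplit("@", 1)[-1].split(":")[0]
    if "@" in netloc:  # http://trusted.com@evil.cc/ connects to evil.cc, not trusted.com
        return f"userinfo trick, real host is {host}: {url}"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return f"bare IP address: {url}"
    return None

def triage(log):
    """Return (line, finding) pairs for every suspicious line in the log text."""
    findings, in_processes = [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False
            continue
        hit = None
        if in_processes:
            hit = check_binary(line)
        elif line.startswith("O4 - "):
            m = PATH_RE.search(line.split("] ", 1)[-1])
            hit = check_binary(m.group(1)) if m else None
        elif line.startswith("O13 - "):
            hit = "URL prefix hijack, typed www. addresses are routed via: " + line.split("Prefix: ", 1)[-1]
        elif line.startswith(("R0 - ", "R1 - ")):
            hit = check_url(line.split(" = ", 1)[-1].split()[0])
        if hit:
            findings.append((line, hit))
    return findings

if __name__ == "__main__":
    for line, finding in triage(SAMPLE_LOG):
        print(f"{finding}\n    <- {line}")
```

Against the sample log this reports eight lines: the three rogue svchost process entries, the IP and user@host start/search pages, the .hta Run entry, the "Online Service" Run entry pointing at C:\WINNT\svchost.exe, and the O13 prefix. The legitimate lsass.exe, system32\svchost.exe, Explorer.EXE, WinVNC and the O14 comcast line are left alone. A real-world run would of course go through the full log rather than this excerpt.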
     
