browser hijacker

Theresa

I have Microsoft AntiSpyware Beta 1 installed in my
machine. I have to date run 18 scans on this machine and
have been able to clear it of all known spyware. The
problem is with the spyware listed below. The Anti-
Spyware software detects it, confirms that it has been
deleted but it is always there when I run the next scan.
How this hijacker works is exactly like the description.
I cannot log onto msn.com, yahoo.com etc, nor maneuver
about in many other web pages. In order to get to this
page I had to use google, and not click on the main page,
but on a cached copy. As soon as I try to log on, this
hijacker redirects me to its own start page. Resetting
the IE start page is of no use, it redirects. And, the
AntiSpyware software sends me messages that a start page
change was attempted and blocked, but it truly wasn't.
I've searched as many folders as I can think of (IE
explorer, download folders etc etc...as well as a general
search on executable files, but cannot find the source of
the problem. HELP!

Spyware Scan Details
Start Date: 2/17/2005 2:00:31 AM
End Date: 2/17/2005 2:09:03 AM
Total Time: 8 mins 32 secs

Detected Threats

Possible Browser Hijack (Browser Hijacker)
Details: Possible Browser Hijack redirects Internet
Explorer.
Status: Removed
High threat - High risk threats typically are remotely
exploitable vulnerabilities, which can lead to system
compromise. Successful exploitation does not normally
require any interaction. May open up communication ports,
use polymorphic tactics, stealth installations, and/or
anti-spy countermeasures. May use a security flaw in the
operating system to gain access to your computer.


Detected Spyware Cookies
No spyware cookies were found during this scan.
 
Ron Kinner [MVP]

Not enough information to tell you what it is. If you
want to send me a HijackThis log I can probably tell you
what is going on and how to fix it for good.

Get HijackThis.exe from
http://tomcoyote.org/hjt/hjt199//HijackThis.exe Select
Scan and Save Log and note where it saves the log so you
can find it and send it to me as an attachment.

Ron Kinner

 
cach01

Log in as another user with administrative rights.
Open Documents and Settings.
Delete all 'temp' directories you can find, recursively
and showing all system files.
Restart.
Log in as yourself.
 
Guest

I have a high threat that came up in my last scan. I
just changed my home page to use msn.com. It has
detected that this is a browser hijacker (Browser
Modifier) and the scan said that the threat is high and
it has suggested removal. Maybe this is what happened to
you? I am not going to remove it or quarantine it
because I feel it might be a glitch in the software.
Also I had your same problem up until last week, when my
computer just would not re-boot. I had to send for disks
from microsoft in order to re-boot my computer. Even
though Earthlink says it could not happen, I still feel
that the last time I downloaded their update from the
internet I somehow received a browser hijacker, which I
could not remove or get rid of. I could not get to
numerous web pages; I was constantly redirected from my
homepage, which was Earthlink. Ads then started popping
up everywhere even though I had a pop-up blocker and had
it on the highest protection. I even turned on Content
Advisor and blocked numerous sites and they still popped
up.
 
Bill Sanderson

Microsoft Antispyware will reset your home page to the default for the
system, which is often MSN, under some circumstances. You can reset it to
your choice of home page, but it helps to go to Tools, Advanced Tools,
Browser Hijack Restore Settings and put your choice of home page into the
URLs displayed there.
 
Ron Kinner

Teresa wrote me and sent me a HijackThis log. I asked her
to download a few programs she would need, mainly
lspfix.exe and AboutBuster 4.0, and to create a reference
list of files in critical folders and to get back to me
when she was ready but she never did.

Anyway, here are the malware entries in her HijackThis log
with comments after each entry or group of entries.



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\tbadih\LOCALS~1\Temp\se.dll/sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\tbadih\LOCALS~1\Temp\se.dll/sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

The first 9 entries are about:blank, specifically the one
called HomeOldSP. This one is a perfect match for the
removal procedure at:

http://www.pchell.com/support/aboutblank.shtml

Though it might go away easier than most since it seems to
live in a Temp file.


R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)

A washed out TV Media. Something deleted the file
C:\Program Files\TV Media\TvmBho.dll
but didn't clean the registry.

O2 - BHO: (no name) - {BCD234D0-6D4F-4BE3-800D-ADAA57FDB34A} - C:\WINNT\System32\daam.dll

This one is probably one of those polymorphic ones with a
new name every time. Not a single hit in Google.

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

This is a washed out infotempo toolbar. Here is a write
up on it:

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453078631

O4 - HKLM\..\Run: [Iylzs] C:\Program Files\Kboh\Uccpgz.exe

Another polymorph unless Teresa downloaded this from the
KBOH website in the Netherlands.

O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe

Nasty. Kodorjan Trojan Component

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\tbadih\LOCALS~1\Temp\se.dll,DllInstall

A little more of the about:blank

O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\mscif.exe

PestPatrol calls this one: Trojan.Win32.Small.i

O4 - HKCU\..\Run: [hticons] C:\WINNT\System32\hticons.exe

Supposed to be Hyperterm but why is it running at startup?

O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install

Might be CoolWebSearch or a lot of different malware. In
any event does not belong.

O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll


The above 4 entries are CouponAge. O10 entries are dangerous
to remove since their improper removal may leave you
without Internet access. lspfix.exe is the safest way to
remove these. Run it, then check "I know what I am doing"
and move the calsp.dll from the left pane to the right
(and only the calsp.dlls!), then press Finish.


O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

This is a compressed download file containing what Norton
calls a Download.Trojan. The exe is also called counter
but is not running so AntiSpy probably got it or perhaps
it has never been opened.

O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} - http://installs.hotbar.com/installs/hotbar/programs/hotbar.cab

Hotbar download.

O17 - HKLM\System\CCS\Services\Tcpip\..\{C5498EFB-8B72-49CE-9357-D294E89559F7}: NameServer = 200.0.0.7,207.164.55.13,198.235.216.137


If you are wondering why I flagged the NameServer entry,
the first IP address is in Latin America and the others
are in Canada. Other entries in her log indicated that
she was in Canada so I believe she has a DNS hijacker to
go along with the rest of the malware. I use ARIN to find
out where they are:

http://www.arin.net/index.html

O18 - Filter: text/html - {0AFD0422-4D9B-44C3-ABD6-ECB151B1B912} - C:\WINNT\System32\daam.dll

O18 - Filter: text/plain - {0AFD0422-4D9B-44C3-ABD6-ECB151B1B912} - C:\WINNT\System32\daam.dll

More of the daam.dll polymorph. This is the one that
causes your webmail to turn into a series of links to
strange websites.

My advice is to boot into Safe Mode (F8, Safe Mode without
Networking), run HijackThis and check all of the above
except the O10s. Then use lspfix to clean the calsp.dll,
and then try to unregister (regsvr32 /u) and delete the
DLLs listed above if HijackThis didn't get them (that's why
I like a reference file: you can find the date and time of
the malware even if it managed to get itself erased, and
then search your system for other files installed at the
same time), and any exe file mentioned too. Clean the Temp
folder. Then reboot and run a new HijackThis scan and see
if we need to do the AboutBuster routine and if anything
else survived the Fix Checked. I notice from her
HijackThis log that she has Win2K SP2, so she is in bad
need of a visit to windowsupdate.microsoft.com.

Quickest way to create a reference file is just to open a
cmd window and type:

dir /s C:\ > C:\Junk.txt

It makes a large file but you can open it with Wordpad and
search for your malware and then for other files with its
date very quickly.

Sometimes I just do a series of dir commands for key files:

dir /ogd \windows\system32 > junk2.txt
dir /ogd \windows >>junk2.txt
dir /ogd \ >>junk2.txt
dir /ogd \"program files" >>junk2.txt

Much smaller file and can be sent by email. The files are
sorted by date which makes it easier to find files done at
the same time.

Ron
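Added example, not code from Ron's post, from HijackThis or from Microsoft AntiSpyware: a small Python triage pass over the entry shapes Ron walks through above (search pages served out of a DLL via res://, the HomeOldSP=about:blank marker, orphaned "(no file)" hooks, autoruns living in Temp, unknown Winsock LSPs, a local .cab behind an O16 download object, O17 NameServer addresses the analyst does not recognise, and a DLL that is registered both as a BHO and as a text/html filter). The rule set, the function names and the `expected_dns` allowlist are this example's own assumptions; the sample lines are copied from the log quoted above, with one benign msn.com Start Page line added as a control.

```python
"""Triage HijackThis-style log lines for the indicators discussed in the thread.

Added example for this page; not part of HijackThis or Microsoft AntiSpyware.
The rule set, the function names and the expected-DNS allowlist are this
example's own assumptions.
"""
import ipaddress
import re

# Sample entries copied from the log quoted above (constructed test input;
# the msn.com Start Page line is added as a benign control).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\tbadih\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - {BCD234D0-6D4F-4BE3-800D-ADAA57FDB34A} - C:\WINNT\System32\daam.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\tbadih\LOCALS~1\Temp\se.dll,DllInstall
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5498EFB-8B72-49CE-9357-D294E89559F7}: NameServer = 200.0.0.7,207.164.55.13,198.235.216.137
O18 - Filter: text/html - {0AFD0422-4D9B-44C3-ABD6-ECB151B1B912} - C:\WINNT\System32\daam.dll
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
KV_RE = re.compile(r"^(.*?) = (.*)$")
RES_DLL_RE = re.compile(r"^res://.*\.dll/", re.IGNORECASE)      # page served from a DLL resource
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)            # anything launched out of a Temp dir
DLL_PATH_RE = re.compile(r"[a-z]:\\[^\s,]+\.dll", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer = (.+)$", re.IGNORECASE)


def _expected_resolver(addr, expected_dns):
    """Private/loopback addresses or analyst-supplied ISP resolvers are fine."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or addr in expected_dns


def triage(log_text, expected_dns=()):
    """Return a list of (section, finding, line) for entries worth a second look.

    expected_dns: resolver addresses the analyst knows belong to the user's ISP
    (an assumption of this example; HijackThis itself has no such notion).
    """
    findings = []
    dll_loaders = {}  # lowercased DLL path -> set of sections that register it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        lower = body.lower()

        if section in ("R0", "R1"):
            kv = KV_RE.match(body)
            if kv and RES_DLL_RE.match(kv.group(2)):
                findings.append((section, "search/start page served from a DLL resource", line))
            elif kv and kv.group(1).endswith("HomeOldSP") and kv.group(2) == "about:blank":
                findings.append((section, "HomeOldSP=about:blank, the about:blank hijacker's marker", line))
        elif section in ("R3", "O2", "O3") and "(no file)" in lower:
            findings.append((section, "orphaned registry entry, file already removed", line))
        elif section == "O4" and TEMP_DIR_RE.search(body):
            findings.append((section, "autorun launched from a Temp directory", line))
        elif section == "O10" and lower.startswith("unknown file in winsock lsp"):
            findings.append((section, "unknown Winsock LSP; remove only with an LSP-aware tool", line))
        elif section == "O16" and "file://" in lower:
            findings.append((section, "ActiveX download object pointing at a local .cab", line))
        elif section == "O17":
            ns = NAMESERVER_RE.search(body)
            if ns:
                bad = [a.strip() for a in ns.group(1).split(",")
                       if not _expected_resolver(a.strip(), expected_dns)]
                if bad:
                    findings.append((section, "DNS servers not in expected set: " + ",".join(bad), line))
        elif section == "O18" and lower.startswith("filter: text/"):
            findings.append((section, "MIME filter rewrites every HTML/text response", line))

        if section in ("O2", "O18"):
            for dll in DLL_PATH_RE.findall(body):
                dll_loaders.setdefault(dll.lower(), set()).add(section)

    # A DLL that is both a BHO and a MIME filter is one component, not two.
    for dll, sections in sorted(dll_loaders.items()):
        if {"O2", "O18"} <= sections:
            findings.append(("O2+O18", "same DLL is both a BHO and a MIME filter: " + dll, dll))
    return findings


if __name__ == "__main__":
    for section, finding, line in triage(SAMPLE_LOG):
        print(f"[{section}] {finding}\n    {line}")
```

Pass the ISP's real resolvers in `expected_dns` and the O17 finding shrinks to just the address that does not belong; without that list every public resolver is reported, which is the right default when the analyst does not yet know where the user is. The script only flags, it never fixes: O10 entries in particular still go through an LSP-aware tool, as Ron says.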
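The reference-file idea in the post above (record what is on disk, then look for files written at the same time as a known-bad one, or that were not there before) carried out as an added Python example rather than with `dir /s`. This is not a tool from the thread; the demo tree, the file names planted in it and the 120-second window are this example's assumptions, and the scenario is built in a throwaway temp directory so it runs anywhere.

```python
"""Reference listing and same-timestamp pivot, a stand-in for the `dir /s`
reference file described above.

Added example for this page, not a tool from the thread. The demo tree,
its file names and the 120-second window are this example's assumptions.
"""
import os
import shutil
import tempfile
import time
from datetime import datetime


def reference_listing(root):
    """Map every file under root to its modification time (the reference file)."""
    listing = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                listing[path] = os.stat(path).st_mtime
            except OSError:  # file vanished or unreadable; skip it, don't abort
                continue
    return listing


def write_reference(listing, out_path):
    """Save the listing sorted by date, like `dir /ogd`, for later diffing."""
    with open(out_path, "w", encoding="utf-8") as fh:
        for path, mtime in sorted(listing.items(), key=lambda kv: kv[1]):
            stamp = datetime.fromtimestamp(mtime).strftime("%Y-%m-%d %H:%M:%S")
            fh.write(f"{stamp}  {path}\n")


def same_time_pivot(listing, known_bad, window_seconds=120):
    """Other files written within window_seconds of the known-bad file's mtime."""
    pivot = listing[known_bad]
    return sorted(p for p, m in listing.items()
                  if p != known_bad and abs(m - pivot) <= window_seconds)


def new_since(baseline, current):
    """Files present now that the earlier reference listing did not have."""
    return sorted(set(current) - set(baseline))


def run_demo():
    """Constructed scenario: plant a dropper and two companion files within two
    minutes of each other, one old system file and one unrelated later file,
    then pivot on the dropper and diff against a one-file baseline."""
    root = tempfile.mkdtemp(prefix="refdemo_")
    try:
        base = time.time() - 3600
        planted = {  # relative path -> mtime to stamp on it (constructed)
            "WINNT/System32/kernel32.dll": base - 300 * 86400,  # old, legitimate
            "WINNT/System32/daam.dll": base,                     # the known-bad pivot
            "Temp/se.dll": base + 30,                            # dropped 30 s later
            "WINNT/System32/calsp.dll": base + 95,               # dropped 95 s later
            "Documents/notes.txt": base + 3 * 86400,             # unrelated, days later
        }
        baseline = {}
        for rel, mtime in planted.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"x")
            os.utime(path, (mtime, mtime))
            if rel.endswith("kernel32.dll"):
                baseline[path] = mtime  # the only file in the "before" reference
        current = reference_listing(root)
        write_reference(current, os.path.join(root, "junk2.txt"))
        known_bad = os.path.join(root, "WINNT", "System32", "daam.dll")
        return {
            "pivot": sorted(os.path.basename(p) for p in same_time_pivot(current, known_bad)),
            "new": sorted(os.path.basename(p) for p in new_since(baseline, current)),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

On a real machine you would run `reference_listing` on the system root once while the box is clean, save it with `write_reference`, and after an infection pivot on whichever file HijackThis named; the window is a judgement call, and malware that touches its own timestamps will not show up this way, which is why Ron also wants the entries themselves.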
 
Bill Sanderson

Thanks Ron--don't know whether the OP will see this or not, but it's a good
read for others as well.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 
