moliolioi
Dear IE6 group,

My colleague has been away in Malaysia and his browser has been
hijacked somehow while on a hotel's broadband network connection. The
symptoms are as follows:

A desktop icon called "click me" which re-appears after a re-boot if
you delete it from your recycle bin. This replaces the IE icon and the
home page is greyed out at: http://66.98.199.15/cikis.aspx?did=11148.

A dial-up networking connection called happy is present which also
re-appears on re-boot. I have run Ad-Aware with the latest update from
the 17th July (19th today) and it did find other spyware on the PC but
didn't completely clear it.

I ran HijackThis and kept the report, which I have included here in
this post.

If someone could find the time to have a quick look at the report log
I would be very grateful to you. I can't seem to find anything here;
perhaps one of you can.

I found this thread which mentions it but there is no conclusion that
I can find there: http://www.webuser.co.uk/cgi-bin/forums/printthread.pl?Cat=&Board=security&main=77237&type=post

Logfile of HijackThis v1.97.7
Scan saved at 09:47:01, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINXP\System32\nvsvc32.exe
C:\WINXP\system32\slserv.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINXP\System32\wfxsnt40.exe
C:\WINXP\System32\wuamgrd.exe
C:\WINXP\system32\ntvdm.exe
C:\WINXP\System32\rmctrl.exe
C:\system.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\AlchemyUser\Phone Status\userapp.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SERVER01:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ICQ Net] C:\WINXP\winlogon.exe -stealth
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINXP\System32\jddsu.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] wuamgrd.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINXP\System32\rmctrl.exe
O4 - HKLM\..\Run: [winupgrade] c:\system.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] wuamgrd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgrd.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000 Pro\Office\OSA9.EXE
O4 - Global Startup: Phone Status.lnk = C:\Program Files\AlchemyUser\Phone Status\userapp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06338cf6d0a12e7b2906/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37963.1568981481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hitech.local
O17 - HKLM\Software\..\Telephony: DomainName = hitech.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hitech.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hitech.local