I have a user outside of my firewall that has been hijacked by aaawebsearch. IE is redirected, and she gets pop-ups for 69sexsearch in rapid succession until the IE page cannot be displayed.
After running Ad-Aware and Spybot in normal as well as safe mode, I had her run Hijack This and send me the log. I attempted to fix the problem but must have missed the root because it returned after a reboot.
Would anyone be able to point out my mistake?
Thanks.
Logfile of HijackThis v1.98.2
Scan saved at 12:14:20 PM, on 12/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\system32\ctrdmldpc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Documents and Settings\Sherrie Ricks\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {D086F1E4-67C4-75B9-5C34-C4CEF873EBBE} - C:\WINDOWS\system32\ctrdmldpc.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [836C7DDE] C:\WINDOWS\system32\ctrdmldpc.exe
O4 - HKLM\..\Run: [CB5BB6E6] C:\WINDOWS\system32\puixatco.exe
O4 - HKLM\..\Run: [C3ED52FE] C:\WINDOWS\system32\dspuivtap.exe
O4 - HKLM\..\Run: [D83CDC43] C:\WINDOWS\system32\dmplxx.exe
O4 - HKLM\..\Run: [B87352C6] C:\WINDOWS\system32\vpatvi.exe
O4 - HKLM\..\Run: [95A0975B] C:\WINDOWS\system32\am1agti3d.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [836C7DDE] C:\WINDOWS\system32\ctrdmldpc.exe
O4 - HKCU\..\Run: [CB5BB6E6] C:\WINDOWS\system32\puixatco.exe
O4 - HKCU\..\Run: [C3ED52FE] C:\WINDOWS\system32\dspuivtap.exe
O4 - HKCU\..\Run: [D83CDC43] C:\WINDOWS\system32\dmplxx.exe
O4 - HKCU\..\Run: [B87352C6] C:\WINDOWS\system32\vpatvi.exe
O4 - HKCU\..\Run: [95A0975B] C:\WINDOWS\system32\am1agti3d.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/game.../y/mjst3_x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/bltd/422.chm::/file.exe
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {7426EE0D-9ACF-405D-8F28-93DD881B55BC} (APCClient10.System) - http://209.225.52.105/epowercenter/DLL/APCClient10.CAB
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/oeconfig/MailCfg.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/nets...l/gtdownls.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {BCD5A227-8720-497B-AF5F-4403E94342E3} (CDDM Object) - https://netservices.verizon.net/port...ex/DSLControl.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://astutesolutions.webex.com/cl...ex/ieatgpc.cab
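As an added example (not part of the original post and not a HijackThis feature), the following Python script parses HijackThis-style R/O entries and flags the patterns that are visible in the log above: R0/R1 start and search keys pointing at a host outside an assumed allowlist, O4 Run values named with eight random hex digits and present under both HKLM and HKCU, a Run value that launches the same binary registered as the R3 URLSearchHook, a Run name padded with trailing whitespace to look like a Windows component, and O16 DPF objects that carry no URL, are fetched from a bare IP address, or are loaded through a scheme other than HTTP(S). The sample entries are copied from the log; the allowlist and the rule names are my own assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed allowlist for R0/R1 start/search values (OEM default and IE/MSN defaults).
# It is a placeholder for this example; extend it for the image being examined.
KNOWN_GOOD_HOSTS = {"www.toshiba.com", "www.microsoft.com", "www.msn.com", "localhost"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx)", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample: entries copied from the log in the post, plus benign ones for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {D086F1E4-67C4-75B9-5C34-C4CEF873EBBE} - C:\WINDOWS\system32\ctrdmldpc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [836C7DDE] C:\WINDOWS\system32\ctrdmldpc.exe
O4 - HKCU\..\Run: [836C7DDE] C:\WINDOWS\system32\ctrdmldpc.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/bltd/422.chm::/file.exe
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {7426EE0D-9ACF-405D-8F28-93DD881B55BC} (APCClient10.System) - http://209.225.52.105/epowercenter/DLL/APCClient10.CAB
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/oeconfig/MailCfg.cab
"""


def parse_entries(text):
    """Return (section, body, line) for every R*/O* entry; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def triage(text):
    """Return (rule, evidence) findings for the hijack patterns seen in this log."""
    entries = parse_entries(text)
    findings = []

    # Pass 1: binaries registered as R3 URLSearchHooks, for cross-referencing O4 Run entries.
    hook_bins = {p.lower() for sec, body, _ in entries if sec == "R3" for p in PATH_RE.findall(body)}

    run_hives = defaultdict(set)  # (run name, command) -> hives it is registered under
    for section, body, line in entries:
        if section in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1].strip()
            host = urlsplit(value).hostname if "://" in value else value
            if host and host.lower() not in KNOWN_GOOD_HOSTS:
                findings.append(("unknown-search-host", line))
        elif section == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue  # Global Startup .lnk entries are not examined here
            hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
            run_hives[(name.strip().lower(), cmd.lower())].add(hive)
            if HEX8_RE.match(name.strip()):
                findings.append(("hex-run-name", line))
            if name != name.strip():
                findings.append(("padded-run-name", line))
            if any(p.lower() in hook_bins for p in PATH_RE.findall(cmd)):
                findings.append(("shares-binary-with-urlsearchhook", line))
        elif section == "O16":
            m = re.search(r" -\s*(\S*)$", body)  # text after the last " - " is the download source
            target = m.group(1) if m else ""
            if not target:
                findings.append(("dpf-no-url", line))
                continue
            parts = urlsplit(target)
            if parts.scheme.lower() not in ("http", "https"):
                findings.append(("non-http-dpf", line))
            elif IPV4_RE.fullmatch(parts.hostname or ""):
                findings.append(("dpf-bare-ip", line))

    # Pass 2: the same value registered in both hives is a persistence pattern worth reporting once.
    for (name, cmd), hives in run_hives.items():
        if hives >= {"HKLM", "HKCU"}:
            findings.append(("run-in-both-hives", "[%s] %s" % (name, cmd)))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print("%-34s %s" % (rule, evidence))
```

The cross-reference rule is the one to act on before fixing anything in HijackThis: in this log the R3 hook, the paired HKLM/HKCU Run values and a process in the running-process list all refer to the same file under system32, so deleting the registry entries while that process is still running leaves it in place to recreate them at the next logon. The file itself, every entry that names it, and the six hex-named Run values need to go in one pass with the process stopped.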