Re: HijackThisLog Analysis - Lin
I need some help. When my computer first starts up it has a form 1 text box pop up. The process behind it is oppos. When I stop the process the form goes away but I can't find where the form is coming from. I am also getting all kinds of spyware. I have cleaned up most but they seem to come back. I have the log from hijackthis below. Hope you can help!
Date: 10/5/2004 6:37:46 AM
Here is what you should do.
End the suspicious processes below:
C:\WINDOWS\ERAAAZ.EXE
C:\WINDOWS\SALM.EXE
C:\WINDOWS\SYSTEM\BJAKMIXV.EXE
C:\WINDOWS\SYSTEM\PXCK.EXE
Remove these search keys:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = website: websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = website: websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = website: comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = website: comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = website: websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = website: websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = website: websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = website: websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
Remove these additional browser plug-in keys (O2...O4):
O2 - BHO: (no name) - {1FAE440B-B748-7FC1-8753-60550DA77B1D} - C:\WINDOWS\SYSTEM\FSAGD.DLL
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O4 - HKLM\..\Run: [oxibias] C:\WINDOWS\eraaaz.exe
O4 - HKLM\..\Run: [Yahoo!] "C:\WINDOWS\Temporary Internet Files\Content.IE5\W567WDMZ\friends[1].scr" /S
O4 - HKLM\..\Run: [Sys Ren] C:\WINDOWS\SysRen.exe /S
O4 - HKLM\..\Run: [jptdgjtw] C:\WINDOWS\JPTDGJTW.exe
O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
O4 - HKLM\..\Run: [WhenUSearchWHSE] C:\PROGRA~1\WHENUS~1\whse.exe
O4 - HKLM\..\Run: [salm] c:\windows\salm.exe
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [wgmazqza] C:\WINDOWS\SYSTEM\bjakmixv.exe
O4 - HKLM\..\Run: [CONSCORR] C:\WINDOWS\CONSCORR.exe
O4 - HKCU\..\Run: [Qolfput] C:\WINDOWS\SYSTEM\pxck.exe
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - website: photoparade.com/autoinstall/phpsetup.cab
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - website: cartoonorbit.cartoonnetwork.com/orbiter11020/winorbiter.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - website: wildtangent.com/install/wdriver/generic/wtwdinstFull.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - website: public.windupdates.com/get_file.php?bt=ie&p=e85d ... cd9
Reboot the computer and put it in safe mode. Then delete these files from your C: drive.
C:\WINDOWS\ERAAAZ.EXE
C:\WINDOWS\SALM.EXE
C:\WINDOWS\SYSTEM\BJAKMIXV.EXE
C:\WINDOWS\SYSTEM\PXCK.EXE
Original log but with private information removed.
Logfile of HijackThis v1.97.7
Scan saved at 6:28:58 PM, on 10/04/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\ERAAAZ.EXE
C:\WINDOWS\SALM.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\BJAKMIXV.EXE
C:\PROGRAM FILES\B'S CLIP\BSCLIP.EXE
C:\WINDOWS\SYSTEM\PXCK.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = website: websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = website: websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = website: comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = website: comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = website: websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = website: websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = website: websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = website: websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: (no name) - {1FAE440B-B748-7FC1-8753-60550DA77B1D} - C:\WINDOWS\SYSTEM\FSAGD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Yahoo Messenger] YAHOOMSG.EXE
O4 - HKLM\..\Run: [oxibias] C:\WINDOWS\eraaaz.exe
O4 - HKLM\..\Run: [Yahoo!] "C:\WINDOWS\Temporary Internet Files\Content.IE5\W567WDMZ\friends[1].scr" /S
O4 - HKLM\..\Run: [Yahoo Messengar] YAHOOMSNGR.EXE
O4 - HKLM\..\Run: [Sys Ren] C:\WINDOWS\SysRen.exe /S
O4 - HKLM\..\Run: [jptdgjtw] C:\WINDOWS\JPTDGJTW.exe
O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
O4 - HKLM\..\Run: [WhenUSearchWHSE] C:\PROGRA~1\WHENUS~1\whse.exe
O4 - HKLM\..\Run: [salm] c:\windows\salm.exe
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [wgmazqza] C:\WINDOWS\SYSTEM\bjakmixv.exe
O4 - HKLM\..\Run: [CONSCORR] C:\WINDOWS\CONSCORR.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\BSCLIP.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Qolfput] C:\WINDOWS\SYSTEM\pxck.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - website: download.macromedia.com/pub/shockwave/cabs/director/swdir8d196.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - website: download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - website: photoparade.com/autoinstall/phpsetup.cab
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - website: cartoonorbit.cartoonnetwork.com/orbiter11020/winorbiter.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - website: wildtangent.com/install/wdriver/generic/wtwdinstFull.cab
O16 - DPF: {1FA643B0-F90E-11D3-BA0B-00C04F384A92} (HomeTsrCtrl Class) - website: image.excite.com/sputnik/dynacat_upload/HOME/ATHMWWW/locationchange.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - website: download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - website: apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - website: download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - website: secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - website: public.windupdates.com/get_file.php?bt=ie&p=e85d ... cd9
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - website: v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38253.7703125
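The reply's triage, as an added example that is not part of the thread: a Python script that parses the HijackThis entry format (process list, R0/R1, O2, O4) and cross-references it the way the reply does, so each suspect file is tied to the process to end and the Run key that reloads it. The log excerpt is constructed from the thread's own entries, the hijacker host and suspect files are the ones the reply names, and the rule for nameless BHOs outside Program Files is an assumed heuristic, not a verdict.

```python
import re
# Constructed excerpt of the thread's log (extraction spacing removed, "website:" kept as posted).
LOG = r"""
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\ERAAAZ.EXE
C:\WINDOWS\SYSTEM\PXCK.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = website: websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = website: comcast.net
O2 - BHO: (no name) - {1FAE440B-B748-7FC1-8753-60550DA77B1D} - C:\WINDOWS\SYSTEM\FSAGD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [oxibias] C:\WINDOWS\eraaaz.exe
O4 - HKLM\..\Run: [Yahoo!] "C:\WINDOWS\Temporary Internet Files\Content.IE5\W567WDMZ\friends[1].scr" /S
O4 - HKCU\..\Run: [Qolfput] C:\WINDOWS\SYSTEM\pxck.exe
"""
# O4: hive, Run key, value name, and the program itself (quotes and switches such as /S dropped).
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] "?(.*?\.(?:exe|scr|dll|com|pif))"?(?:\s|$)', re.I)
R_RE = re.compile(r'^R[01] - (HK\w+)\\(.*?),(.*?) = (.*)$')          # hive, key, value, data
O2_RE = re.compile(r'^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$')  # name, DLL path

def parse(log):
    """Split a HijackThis log into its process list and its R/O2/O4 entries."""
    entries = {'processes': [], 'R': [], 'O2': [], 'O4': []}
    for line in (ln.strip() for ln in log.splitlines()):
        if re.match(r'^[A-Za-z]:\\', line):          # process list: one full path per line
            entries['processes'].append(line)
        elif (m := O4_RE.match(line)):
            entries['O4'].append({'hive': m[1], 'key': m[2], 'name': m[3], 'exe': m[4]})
        elif (m := R_RE.match(line)):
            entries['R'].append({'hive': m[1], 'key': m[2], 'value': m[3], 'data': m[4]})
        elif (m := O2_RE.match(line)):
            entries['O2'].append({'name': m[1], 'path': m[2]})
    return entries

def triage(entries, hijack_hosts, suspect_files):
    """Cross-reference the log as the reply does: suspect files running now, Run keys that reload them
    (or anything from the IE cache), IE settings pointing at the hijacker, nameless BHOs outside Program Files."""
    suspects = {s.lower() for s in suspect_files}
    return {
        'end_processes': [p for p in entries['processes'] if p.lower() in suspects],
        'run_keys': [f"{e['hive']}\\..\\{e['key']}: [{e['name']}] {e['exe']}" for e in entries['O4']
                     if e['exe'].lower() in suspects or 'temporary internet files' in e['exe'].lower()],
        'ie_settings': [f"{r['hive']}\\{r['key']},{r['value']}" for r in entries['R']
                        if any(h in r['data'].lower() for h in hijack_hosts)],
        'unnamed_bhos': [b['path'] for b in entries['O2']          # heuristic only, not proof of malice
                         if b['name'] == '(no name)' and '\\program files\\' not in b['path'].lower()],
    }

def triage_sample():
    return triage(parse(LOG), ['websearch.drsnsrch.com'], [r'C:\WINDOWS\ERAAAZ.EXE', r'C:\WINDOWS\SYSTEM\PXCK.EXE'])
```

Benign entries in the excerpt (taskmon.exe, the comcast.net start page, Spybot's SDHelper.dll) are left alone, which is the check that matters before anything is deleted.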