
Re: HijackThisLog Analysis - Chuck

Date: Friday, 15 October, 2004 2:06 AM

Remember: DO NOT run hijackthis.exe inside the zip file. Unzip (extract) it to your desktop, then double click on the "HijackThis.exe" icon. In this way a backup of the removed keys will be created on your desktop (useful if you remove them wrongly).

Here is what you should do.

End the suspicious processes below:

C:\Documents and Settings\Charles Brehmer\Local Settings\Temp\Hji.exe
C:\WINDOWS\system32\cmcfg324.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\WINDOWS\system32\catsrv72.exe
C:\WINDOWS\system32\thedsk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\system32\tsssw.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Documents and Settings\Charles Brehmer\Application Data\rncr.exe
C:\WINDOWS\system32\Qbh53q.exe
C:\WINDOWS\system32\Ebkfu.exe

Remove these search keys:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = website: qnclwboiowyl.net/ju..L29.htm
O2 - BHO: (no name) - {49AF175E-B163-76E4-8A23-16550C83784E} - C:\WINDOWS\system32\wsxf.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: AdwarePopupStopper.Class1 - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - c:\windows\system32\adwarepopupstopper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)

Remove these additional browser plug-in keys (O2...O4):

O4 - HKLM\..\Run: [tickonce] C:\PROGRA~1\HTMBOL~1\32popokay.exe
O4 - HKLM\..\Run: [Hji] C:\Documents and Settings\Charles Brehmer\Local Settings\Temp\Hji.exe
O4 - HKLM\..\Run: [58782d7affad] C:\WINDOWS\system32\cmcfg324.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\system32\KdrQ.exe
O4 - HKLM\..\Run: [709c908590f9] C:\WINDOWS\system32\catsrv72.exe
O4 - HKLM\..\Run: [2s4i33U] thedsk.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [JBvsRTY2T] tsssw.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Charles Brehmer\Application Data\rncr.exe

Original log but with private information removed.


Logfile of HijackThis v1.98.0
Scan saved at 12:49:02 PM, on 10/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Documents and Settings\Charles Brehmer\Local Settings\Temp\Hji.exe
C:\WINDOWS\system32\cmcfg324.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\WINDOWS\system32\catsrv72.exe
C:\WINDOWS\system32\thedsk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\system32\tsssw.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Documents and Settings\Charles Brehmer\Application Data\rncr.exe
C:\WINDOWS\system32\Qbh53q.exe
C:\WINDOWS\system32\Ebkfu.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\INCRED~2\bin\IMApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\WINDOWS\system32\??plorer.exe
C:\My Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = website: emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = website: qnclwboiowyl.net/ju..L29.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = website: comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49AF175E-B163-76E4-8A23-16550C83784E} - C:\WINDOWS\system32\wsxf.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: AdwarePopupStopper.Class1 - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - c:\windows\system32\adwarepopupstopper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [tickonce] C:\PROGRA~1\HTMBOL~1\32popokay.exe
O4 - HKLM\..\Run: [Hji] C:\Documents and Settings\Charles Brehmer\Local Settings\Temp\Hji.exe
O4 - HKLM\..\Run: [58782d7affad] C:\WINDOWS\system32\cmcfg324.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\system32\KdrQ.exe
O4 - HKLM\..\Run: [709c908590f9] C:\WINDOWS\system32\catsrv72.exe
O4 - HKLM\..\Run: [2s4i33U] thedsk.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~2\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Privacy Guardian] C:\Program Files\Privacy Guardian\pg.exe /clean
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [JBvsRTY2T] tsssw.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Charles Brehmer\Application Data\rncr.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Day-to-Day Screen Calendar.lnk = C:\WINDOWS\system32\Day-to-Day Screen Calendar.scr
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~2\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=website: emachines.com
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - website: activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - website: www2.incredimail.com/contents/setup/downloader/imloader.cab
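As an added example, not part of Chuck's reply or of HijackThis itself: a small Python triage pass over HijackThis-style R0/R1, O2 and O4 lines that flags the cues separating the entries marked for removal above from the legitimate ones (an autostart running from Temp or Application Data, a Run value name that is a hex string or random-looking, a BHO with no name or no file, an unqualified filename in a Run entry). The sample lines are constructed to mirror the posted log, with USER as a placeholder profile name.

```python
# Added example, not the original post's or HijackThis's own code. Sample lines are
# constructed to mirror the posted log; USER stands in for the real profile name.
import re
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = website: qnclwboiowyl.net/ju..L29.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {49AF175E-B163-76E4-8A23-16550C83784E} - C:\\WINDOWS\\system32\\wsxf.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [Hji] C:\\Documents and Settings\\USER\\Local Settings\\Temp\\Hji.exe
O4 - HKLM\\..\\Run: [58782d7affad] C:\\WINDOWS\\system32\\cmcfg324.exe
O4 - HKLM\\..\\Run: [2s4i33U] thedsk.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
R_RE = re.compile(r"^R[01] - HK\w+\\.*?,([\w ]+) = (.+)$")
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.I)
RANDOM_NAME = re.compile(r"^(?=.*\d.*\d)(?=.*[A-Za-z])\S{4,16}$")  # short token, digits mixed in
USER_WRITABLE = re.compile(r"\\(Local Settings\\Temp|Application Data)\\", re.I)

def triage(log_text):
    """Return (section, name, target, reasons) for every line that trips a cue."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        if m := O4_RE.match(line):
            hive, name, cmd = m.groups()
            if USER_WRITABLE.search(cmd):
                reasons.append("autostart from Temp/Application Data")
            if HEX_NAME.match(name):
                reasons.append("hex-string value name")
            elif RANDOM_NAME.match(name):
                reasons.append("random-looking value name")
            if "\\" not in cmd:
                reasons.append("unqualified filename; check which file it resolves to")
            entry = ("O4 " + hive, name, cmd)
        elif m := O2_RE.match(line):
            name, clsid, path = m.groups()
            if path == "(no file)":
                reasons.append("orphaned BHO registration")
            elif name == "(no name)":
                reasons.append("unnamed BHO with a DLL on disk")
            entry = ("O2", clsid, path)
        elif m := R_RE.match(line):
            value, data = m.groups()
            reasons.append("search/start page override; verify the domain")
            entry = ("R0/R1", value, data)
        if reasons:
            findings.append(entry + (reasons,))
    return findings
```

The output is a review list, not a verdict: a legitimate entry such as `[CHotkey] mHotkey.exe` in the posted log also trips the unqualified-filename cue and has to be resolved by hand.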

