Re: HijackThisLog Analysis - ycspring
Date: Wed 2004-10-20 8:18 PM
Remember: DO NOT run hijackthis.exe from inside the zip file. Unzip (extract) it to your desktop, then double click on the "HijackThis.exe" icon. This way a backup of the removed keys will be created on your desktop (useful if you remove them wrongly).
Here is what you should do.
I recommend that you uninstall all software that you currently do not use frequently. For example:
- The Cleaner
- SECRETMAKER (smiehlp.dll)
- SafeListBoys
- Systweak Wallpaper Changer
- PC Doctor Online
Note: You can reinstall them after you clean up the system.
Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):
O16 - DPF: {00000000-0000-0000-0000-000020000000} - website: 68737075.com/connect/wla/x/ukgolwla1x.exe
O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} - website: plug-in.reallusion.com/CrazyTalk.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} - website: rovion.com/Controls/Rovion.cab?affiliate=WFMS
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - website: akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - website: akamai.downloadv3.com/binaries/LiveService/LiveService_5_EN_XPcab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - website: a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - website: ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - website: deposito.hostance.net/dialer/1018835.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - website: direct.data-line.us/gbn283.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - website: direct.data-line.us/gbn283.exe
Original log but with private information removed.
Logfile of HijackThis v1.98.2
Scan saved at 13:17:57, on 20/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Platinum Internet Security\apvxdwin.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\realtime.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\SRVLOAD.EXE
C:\Program Files\Panda Software\Panda Platinum Internet Security\WebProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SafeListBoys\UNWISE.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for 1188084.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = website: zwallet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Systweak Wallpaper Changer] wallpaper.exe -minimize
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: ebay.co.uk
O15 - Trusted Zone: website: freewebs.com
O16 - DPF: Yahoo! Chess - website: download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {00000000-0000-0000-0000-000020000000} - website: 68737075.com/connect/wla/x/ukgolwla1x.exe
O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} - website: plug-in.reallusion.com/CrazyTalk.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} - website: rovion.com/Controls/Rovion.cab?affiliate=WFMS
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - website: akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - website: akamai.downloadv3.com/binaries/LiveService/LiveService_5_EN_XPcab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - website: a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - website: ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - website: deposito.hostance.net/dialer/1018835.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - website: direct.data-line.us/gbn283.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - website: direct.data-line.us/gbn283.exe
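The reply above works through the log by hand, section by section, and singles out the O16 (Downloaded Program Files / ActiveX) entries for review. As an added example, not part of ycspring's post or of HijackThis itself, the script below parses the same log layout (the "<section> - <body>" lines that HijackThis v1.98 writes) and pulls the O16 entries out into CLSID, friendly name and source host, so a reviewer can see at a glance where each control was downloaded from. The sample log is constructed for this example; its hosts and most of its CLSIDs are placeholders, and the "flag a DPF whose source is a bare .exe" rule is my own review heuristic, not a HijackThis rule.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.98 log layout. Hosts and most CLSIDs
# are placeholders for illustration; this is not the log from the thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.98.2
Scan saved at 13:17:57, on 20/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\Explorer.EXE

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://start.example.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O15 - Trusted Zone: shop.example.org
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://scanner.example.com/housecall/xscan53.cab
O16 - DPF: {00000000-0000-0000-0000-000020000000} - http://dl.example.net/connect/loader.exe
O16 - DPF: Yahoo! Chess - http://games.example.com/clients/ct2_x.cab?affiliate=TEST
"""

# Every HijackThis finding is "<section> - <body>", e.g. "O16 - DPF: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# "{CLSID}" optionally followed by "(friendly name)".
CLSID_RE = re.compile(r"^\{([0-9A-Fa-f-]{36})\}\s*(?:\((.*)\))?$")


@dataclass
class Entry:
    section: str
    body: str


@dataclass
class DpfEntry:
    """One O16 Downloaded Program Files (ActiveX) entry."""
    clsid: Optional[str]
    name: Optional[str]
    url: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""

    @property
    def is_direct_executable(self) -> bool:
        # Review heuristic (my own, not a HijackThis rule): a DPF whose source
        # is a bare .exe rather than a packaged .cab deserves a closer look.
        return urlparse(self.url).path.lower().endswith(".exe")


def parse_entries(text: str) -> list:
    """Return the section/body pairs; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def parse_dpf(body: str) -> Optional[DpfEntry]:
    """Parse 'DPF: {CLSID} (Name) - URL' or 'DPF: Label - URL'."""
    if not body.startswith("DPF:"):
        return None
    rest = body[len("DPF:"):].strip()
    # The URL never contains " - ", so split on the last occurrence.
    left, sep, url = rest.rpartition(" - ")
    if not sep:
        return None
    m = CLSID_RE.match(left)
    if m:
        return DpfEntry(clsid=m.group(1).upper(), name=m.group(2), url=url)
    return DpfEntry(clsid=None, name=left, url=url)


def section_counts(text: str) -> dict:
    """How many findings each section (R0, O2, O16, ...) contributed."""
    counts: dict = {}
    for e in parse_entries(text):
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def review_dpf(text: str):
    """Return (all O16 entries, the subset sourced from a bare executable)."""
    dpfs = []
    for e in parse_entries(text):
        if e.section == "O16":
            d = parse_dpf(e.body)
            if d is not None:
                dpfs.append(d)
    flagged = [d for d in dpfs if d.is_direct_executable]
    return dpfs, flagged


if __name__ == "__main__":
    print("sections:", section_counts(SAMPLE_LOG))
    all_dpf, suspicious = review_dpf(SAMPLE_LOG)
    for d in all_dpf:
        mark = "REVIEW" if d in suspicious else "ok    "
        print(f"{mark} O16 {d.clsid or '-':38} {d.name or '-':20} {d.host}")
```

Run it on a saved log (replace SAMPLE_LOG with the file's contents) to get a per-section tally and a table of the O16 controls; the REVIEW mark only narrows the list, and the decision to remove an entry still follows the reply's rule: keep the controls you actually use, drop the rest.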