
Re: HijackThisLog Analysis - Japlok

Date: Tue 2004-11-02 10:21 AM

Remember: DO NOT run hijackthis.exe from inside the zip file. Unzip (extract) it to your desktop, then double-click the "HijackThis.exe" icon; this way a backup of the removed keys will be created on your desktop (useful if you remove them wrongly).

Major problem is this entry
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe
This is a variant of the BlazeFind spyware. According to the blazefind.com website: first close all browser windows. Now go to your Windows Control Panel, open Add/Remove Programs, close the Control Panel window if you can, and remove 'IE SearchBar' from the Add/Remove Programs window, as well as 'Windows SA' if it's present.

Run the scan again and review the log to confirm that C:\Windows\System32\wsaupdater.exe has been removed before proceeding. If you are unable to uninstall it, you may need to remove it manually using the procedure on this link, but be very careful.

Here is what you should do.

End the suspicious processes below:

C:\WINDOWS\System32\femjye.exe
C:\Program Files\Web_Rebates\WebRebates1.exe

Remove these search keys:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Remove these Hosts file redirections (O1):

O1 - Hosts: indows.
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com

Remove these additional browser plug-in keys (O2...O4):

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [chbzumbiqd] C:\WINDOWS\System32\femjye.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe


Remove these extra items in IE menu (O8...O9):

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab

Reboot the computer into safe mode. Then delete these files from your C: drive.

C:\WINDOWS\System32\femjye.exe
C:\Program Files\Web_Rebates\WebRebates1.exe

Original log but with private information removed.


Logfile of HijackThis v1.98.2
Scan saved at 8:14:56 PM, on 11/1/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\System32\femjye.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\RUNDLL32.EXE C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O1 - Hosts: indows.
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [chbzumbiqd] C:\WINDOWS\System32\femjye.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Configuration Wizard.lnk = C:\Program Files\WinFax\WTNSETUP.EXE
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewerdll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094183063984
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

Reference: bridge.dll
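An added example, not part of the original post: a small Python checker that reads HijackThis-style F2, O1 and R lines, flags anything chained onto the UserInit value besides userinit.exe (the wsaupdater.exe problem above), and lists hosts-file redirections and the host each start/search setting points to. The sample lines are constructed from the log above; the function names are this example's own.

```python
import re

# Constructed sample, modelled on the F2, O1, R1 and O4 lines in the log above.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\Windows\\System32\\wsaupdater.exe,
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O4 - HKLM\\..\\Run: [chbzumbiqd] C:\\WINDOWS\\System32\\femjye.exe
"""

# The only program the UserInit value should name on a clean machine.
LEGIT_USERINIT = "userinit.exe"


def parse_userinit(value):
    """Split a UserInit value (comma-separated, trailing comma allowed) into paths."""
    return [p.strip() for p in value.split(",") if p.strip()]


def check_userinit(value):
    """Return every UserInit entry whose file name is not userinit.exe."""
    return [p for p in parse_userinit(value)
            if p.lower().rsplit("\\", 1)[-1] != LEGIT_USERINIT]


def analyse(log_text):
    """Walk a HijackThis log and return (section, finding, detail) tuples."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # Anything chained after userinit.exe is started at every logon.
            for path in check_userinit(line.split("UserInit=", 1)[1]):
                findings.append(("F2", "UserInit launches extra program", path))
        elif line.startswith("O1 - Hosts:"):
            # A hosts entry pins a name to an address, bypassing DNS.
            m = re.match(r"O1 - Hosts: (\S+) (\S+)$", line)
            if m:
                findings.append(("O1", "hosts redirection", f"{m.group(2)} -> {m.group(1)}"))
        elif line.startswith(("R0 - ", "R1 - ")):
            # Report the host each start/search setting points to.
            m = re.search(r"=\s*(?:https?://)?([^/\s]+)", line)
            if m:
                findings.append(("R", "start/search setting points to", m.group(1)))
    return findings


if __name__ == "__main__":
    for section, what, detail in analyse(SAMPLE_LOG):
        print(f"{section}: {what}: {detail}")
```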

