
Logfile of HijackThis v1.99.0 - alan

Here is what you should do.

Remove these search keys:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = website: targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {0EE9D804-69BC-DB55-9D95-A3B776C19682} - atl_helper.dll (file missing)

Remove these additional browser plug-in keys (O2...O4):

O2 - BHO: (no name) - {A93ED26B-E1C3-4A17-9CDD-5930C062CB44} - C:\WINDOWS\System32\dskrfuoui.dll
O2 - BHO: Name - {F0229CED-6DE0-4A89-952E-5857545C5B4C} - C:\WINDOWS\System32\msetc.dll (file missing)
O2 - BHO: Name - {F0ABCEB2-EE64-4280-AC4A-517B4370D4B2} - C:\WINDOWS\System32\msetc.dll (file missing)

Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\rurjuptf.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!website: 69.50.166.213/users/tuma/web/axe/x.chm::/update.exe

Remove these MIME filter entries (O18 - extra protocols and protocol hijackers):

O18 - Filter: text/html - {71BA71E3-C89D-4EED-AB09-AA9AB54940BF} - C:\WINDOWS\System32\dskrfuoui.dll
O18 - Filter: text/plain - {71BA71E3-C89D-4EED-AB09-AA9AB54940BF} - C:\WINDOWS\System32\dskrfuoui.dll

Reboot the computer into Safe Mode. Then delete this file from your C: drive:

C:\WINDOWS\System32\dskrfuoui.dll

You may need to run command prompt and de-register dskrfuoui.dll before you can delete it.

Click Start -> Run and at the prompt type the following:
regsvr32 /u dskrfuoui.dll
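As an added check that is not part of the original analysis, this script parses lines in the HijackThis log format, flags the entries HijackThis itself annotates as "(obfuscated)" or "(file missing)", and cross-references which sections load the same module, so that every hook on dskrfuoui.dll (R1, O2 and O18 in the log above) is removed before the file is deleted. The sample log is constructed from the entries on this page.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99 log format, built from the entries this page discusses.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\ctfmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R3 - URLSearchHook: (no name) - {0EE9D804-69BC-DB55-9D95-A3B776C19682} - atl_helper.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A93ED26B-E1C3-4A17-9CDD-5930C062CB44} - C:\WINDOWS\System32\dskrfuoui.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O18 - Filter: text/html - {71BA71E3-C89D-4EED-AB09-AA9AB54940BF} - C:\WINDOWS\System32\dskrfuoui.dll
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")        # "R1 - ...", "O18 - ..."
MODULE_RE = re.compile(r"[A-Za-z]:\\[^/\n]*?\.(?:dll|ocx|exe)", re.IGNORECASE)
MARKERS = ("(obfuscated)", "(file missing)")         # annotations HijackThis adds itself

def parse_entries(text):
    """Return (section, body) pairs; header lines and the process list carry no 'Rn -'/'On -' prefix."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def triage(text):
    """Flag annotated entries and list modules hooked from more than one section type."""
    entries = parse_entries(text)
    marked = [(sec, body) for sec, body in entries if any(k in body for k in MARKERS)]
    refs = defaultdict(set)
    for sec, body in entries:
        for mod in MODULE_RE.findall(body):
            refs[mod.lower()].add(sec)
    multi = {mod: sorted(secs) for mod, secs in refs.items() if len(secs) > 1}
    return {"marked": marked, "multi_hooked": multi}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for sec, body in report["marked"]:
        print(f"[{sec}] {body}")
    for mod, secs in report["multi_hooked"].items():
        print(f"{mod} is loaded by sections {', '.join(secs)}: remove all of them, then the file")
```

This cross-check says nothing about the O17 NameServer entries in the log below (69.50.176.197 and 195.225.176.31); whether those resolvers are legitimate has to be confirmed with the ISP.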

Original log.


Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\PROGRA~1\COMMON~1\AOL\110757~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110757~1\EE\AOLServiceHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\deskbar-0.5.95.0\ggviewer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = website: targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {0EE9D804-69BC-DB55-9D95-A3B776C19682} - atl_helper.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A93ED26B-E1C3-4A17-9CDD-5930C062CB44} - C:\WINDOWS\System32\dskrfuoui.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Name - {F0229CED-6DE0-4A89-952E-5857545C5B4C} - C:\WINDOWS\System32\msetc.dll (file missing)
O2 - BHO: Name - {F0ABCEB2-EE64-4280-AC4A-517B4370D4B2} - C:\WINDOWS\System32\msetc.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - website: housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\rurjuptf.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!website: 69.50.166.213/users/tuma/web/axe/x.chm::/update.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - website: a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{437BCF27-4313-4C54-9B53-4DF507090A63}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E0D9B69-7613-4045-B273-73B5D0B11703}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7C774B9-CAC4-4539-8D2B-3F054877F29C}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{437BCF27-4313-4C54-9B53-4DF507090A63}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{437BCF27-4313-4C54-9B53-4DF507090A63}: NameServer = 69.50.176.197,195.225.176.31
O18 - Filter: text/html - {71BA71E3-C89D-4EED-AB09-AA9AB54940BF} - C:\WINDOWS\System32\dskrfuoui.dll
O18 - Filter: text/plain - {71BA71E3-C89D-4EED-AB09-AA9AB54940BF} - C:\WINDOWS\System32\dskrfuoui.dll
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVSync Manager - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Firewall - Networks Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
