
Logfile of HijackThis v1.99.0 - tiago

Please remember NOT to run hijackthis.exe from inside the zip file. Unzip (extract) it to your desktop, then double-click the "HijackThis.exe" icon; that way HijackThis can write a backup of every key it removes into its own folder on your desktop (useful if you remove something by mistake).

Here is what you should do. Close every browser window first (including Avant Browser, which wraps the Internet Explorer engine), then tick the entries below in HijackThis and click "Fix checked".

Remove these search keys; they point Internet Explorer's search functions at searchmiracle.com and mysearchnow.com:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = website: searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = website: searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = website: searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = website: mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = website: searchmiracle.com/sp.php

The other R0/R1 lines in the log are not hijacks and can stay: Start Page and Start Page_bak point at google.pt, LinksFolderName = Hiperligações is simply the Portuguese name of the Links folder, and Window Title = ..::DaRox::.. only adds text to the IE title bar (fix it too if you did not set it yourself).

Remove these browser plug-in and autostart entries (O2, O4):

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\ELITET~1.DLL
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system32\svmhost.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecwk32.exe
O4 - HKLM\..\Run: [windll] C:\WINDOWS\system32\win82.exe
O4 - HKLM\..\RunServices: [windll] C:\WINDOWS\system32\win82.exe
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3

The [svchost] entry is not the Windows service host: genuine svchost.exe instances are started by services.exe, never from a Run key, and this one launches svmhost.exe, a lookalike name. None of the four executables (farmmext.exe, elitecwk32.exe, win82.exe, svmhost.exe) appears in the running-process list at the top of the log, so after the HijackThis fix reboot into Safe Mode and delete the files themselves, together with C:\ELITET~1.DLL and the C:\WINDOWS\EliteSideBar folder; a Run entry that is only removed from the registry is usually recreated if its program is still on disk and gets started again.

Also fix these two entries, which the list above leaves out:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O18 - Filter: text/html - {13EACE96-8778-41DF-81CB-260BD87E7AB2} - C:\Documents and Settings\Tiago\Definições locais\Application Data\microsoft\internet explorer\V0.26.dat

The O6 line means a policy restriction on Internet Explorer's options has been set for this user; unless you or an administrator set it deliberately, let HijackThis remove it. The O18 line registers a MIME filter for text/html, which hands every HTML page to the named file before IE renders it. Microsoft does not ship a text/html filter implemented by a .dat file in the user's profile; this is a hijacker component, so fix the entry and delete V0.26.dat afterwards.

Remove these extra IE toolbar button and Tools-menu entries (O9):

O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - website: messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - website: messenger.ipfox.com (file missing)

The O8 context-menu items in the log belong to Avant Browser and Microsoft Office and are fine.

Remove these ActiveX objects (aka Downloaded Program Files) if you are not using them (O16):

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - website: public.windupdates.com/get_file.php?bt=ie&p=c695addc126925fea4417da94491be1358d22cd05c4cc745395a86b3c678a9882f0d979c46d71b06b9c2991aeeb9cbb0c21bd1927eb34e862c26b9b49d65dd615c:90c9c6e760fb23a76bdb35b5342e9fc3
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - website: ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - website: xxxtoolbar.com/ist/softwares/v4.0/0006_cracks.cab
O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - website: xxxtoolbar.com/ist/softwares/v3.0/protect_regular.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - website: ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - website: xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} - website: cdn.climaxbucks.com/internet-optimizer/080703/UniDistIOcrack.CAB
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - website: sponsoradulto.com/cab/14/en/SysWebTelecomInt.cab

The ysbweb.com entry and the second xxxtoolbar.com entry come from the same ist/softwares download path as the other xxxtoolbar.com controls, so they belong to the same toolbar installer. The O16 lines from Microsoft, EA and Yahoo are legitimate; the ones from 007guard.com and netvenda.com can also go if you do not recognise them, since IE simply offers to download a control again when a site needs it.
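The judgement calls above (hijacker hosts in the R0/R1 keys, a Run entry that borrows a system binary's name, a rundll32 target outside system32, a text/html MIME filter, O16 controls from untrusted hosts) can be turned into a small triage script. The following is an added example, not HijackThis code and not part of the original analysis; the host and file lists are taken from the log on this page and are assumptions for any other log, and the sample lines embedded at the bottom are copied from that log with the extraction spacing in the paths removed.

```python
"""Rule-based triage of HijackThis log lines (added example, not HijackThis
code). The rules encode the reasoning applied above: hijacker hosts, Run
entries that borrow a system binary's name, a text/html MIME filter, and O16
downloads from untrusted hosts. The host and file lists come from the log on
this page and are assumptions for any other log."""
import re

BAD_HOSTS = {"searchmiracle.com", "mysearchnow.com", "xxxtoolbar.com", "ysbweb.com",
             "public.windupdates.com", "ak.imgfarm.com", "cdn.climaxbucks.com",
             "sponsoradulto.com", "messenger.ipfox.com"}
TRUSTED_DPF_SUFFIXES = (".microsoft.com", ".msn.com", ".ea.com", ".yimg.com")
BAD_EXES = {"farmmext.exe", "elitecwk32.exe", "win82.exe", "svmhost.exe"}
# Names malware borrows, with the only path a genuine copy runs from on XP (assumed default %SystemRoot%).
SYSTEM_BINARIES = {"svchost.exe": r"c:\windows\system32\svchost.exe"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
HOST_RE = re.compile(r"(?:https?://|website:\s*)(?P<host>[\w.-]+)", re.I)  # page defangs http:// as "website:"
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

def host_of(body):
    m = HOST_RE.search(body)
    return m.group("host").lower() if m else None

def first_exe(cmd):
    """The program part of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()

def triage(line):
    """(verdict, reason) for one entry line, verdict in remove/review/keep; None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body, host = m.group("kind"), m.group("body"), host_of(m.group("body"))
    if kind in ("R0", "R1"):
        if host in BAD_HOSTS:
            return ("remove", f"IE search/start setting points at {host}")
        return ("keep", "IE setting with no hijacker host")
    if kind == "O2":
        dll = body.split(" - ")[-1].strip().lower()
        if dll.startswith("c:\\program") or "\\system32\\" in dll:
            return ("keep", "BHO in an application or system directory")
        return ("review", f"BHO loaded from an unusual location: {dll}")
    if kind == "O4":
        m4 = O4_RE.search(body)
        if not m4:
            return ("keep", "startup-folder shortcut")
        name, cmd = m4.group("name"), m4.group("cmd")
        program = first_exe(cmd)
        exe = basename(program)
        # A value named after a system binary must run that binary from its real path.
        expected = SYSTEM_BINARIES.get(name.lower() + ".exe") or SYSTEM_BINARIES.get(exe)
        if expected and program.lower() != expected:
            return ("remove", f"[{name}] borrows the name {basename(expected)} but runs {program}")
        if exe in BAD_EXES:
            return ("remove", f"{exe} is on the removal list")
        if exe.startswith("rundll32"):
            target = cmd.split(None, 1)[1:]  # the DLL,entrypoint part, if any
            if target and "\\" in target[0] and "\\system32\\" not in target[0].lower():
                return ("review", f"rundll32 loads {target[0].split(',')[0]} from outside system32")
        return ("keep", "recognised autostart entry")
    if kind == "O6":
        return ("review", "IE restriction policy present; remove unless set deliberately")
    if kind == "O9":
        if "(file missing)" in body:
            return ("remove", "toolbar button whose target file is gone")
        return ("keep", "toolbar button backed by an existing file")
    if kind == "O16":
        if host is None:
            return ("review", "ActiveX control with a non-HTTP source")
        if host.endswith(TRUSTED_DPF_SUFFIXES):
            return ("keep", f"ActiveX control from trusted host {host}")
        return ("remove", f"ActiveX control downloaded from {host}; drop unless you rely on it")
    if kind == "O18" and body.lower().startswith("filter: text/html"):
        return ("remove", "text/html MIME filter; it sees every page IE renders")
    return ("keep", "no rule fired")

def triage_log(text):
    """[(line, verdict, reason)] for every entry that is not a plain keep."""
    flagged = []
    for line in text.splitlines():
        result = triage(line)
        if result and result[0] != "keep":
            flagged.append((line.strip(), result[0], result[1]))
    return flagged

# Sample entries copied from the log on this page (path spacing removed).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = website: searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = website: google.pt/
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\ELITET~1.DLL
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system32\svmhost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - website: messenger.ipfox.com (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - website: go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - website: xxxtoolbar.com/ist/softwares/v4.0/0006_cracks.cab
O18 - Filter: text/html - {13EACE96-8778-41DF-81CB-260BD87E7AB2} - C:\Documents and Settings\Tiago\Definições locais\Application Data\microsoft\internet explorer\V0.26.dat
"""
```

Running `triage_log(SAMPLE_LOG)` flags eight of the eleven sample entries: five as remove (the searchmiracle search key, the fake svchost Run entry, the orphaned Messenger Addon button, the xxxtoolbar control and the text/html filter) and three as review (the EliteBar BHO in the drive root, the MyWebSearch rundll32 uninstaller and the O6 policy), while the google.pt start page, the NVIDIA rundll32 entry and the Windows Genuine Advantage control pass as keep. The rule table is deliberately small; the point is that each verdict carries the reason, so a reader can check the script's logic against the list above rather than trust a verdict blindly.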

Original log.


Scan saved at 11:37:19, on 25-03-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ahead\InCD\InCDsrv.exe
C:\Programas\TGTSoft\StyleXP\StyleXPService.exe
C:\Programas\Sygate\SPF\smc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programas\Messenger Plus! 3\MsgPlus.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Netcount\Netcount.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Ahead\Nero StartSmart\NeroStartSmart.exe
C:\WINDOWS\System32\imapi.exe
C:\Programas\Avant Browser\avant.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\Messenger\msmsgs.exe
C:\Documents and Settings\Tiago\Ambiente de trabalho\1217480\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = website: searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = website: searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = website: searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = website: google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = website: mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = website: searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = website: google.pt/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ..::DaRox::..
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\ELITET~1.DLL
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system32\svmhost.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecwk32.exe
O4 - HKLM\..\Run: [windll] C:\WINDOWS\system32\win82.exe
O4 - HKLM\..\RunServices: [windll] C:\WINDOWS\system32\win82.exe
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
O4 - HKCU\..\Run: [Netcount] C:\Programas\Netcount\Netcount.exe 0
O4 - HKCU\..\Run: [STYLEXP] C:\Programas\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Programas\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programas\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Abrir todos os links nesta página... - C:\Programas\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Adicionar à lista negra - C:\Programas\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Bloquear todas as imagens do mesmo servidor - C:\Programas\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Destacar - C:\Programas\Avant Browser\Highlight.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Procurar - C:\Programas\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Programas\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Programas\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - website: messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - website: messenger.ipfox.com (file missing)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - website: messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - website: public.windupdates.com/get_file.php?bt=ie&p=c695addc126925fea4417da94491be1358d22cd05c4cc745395a86b3c678a9882f0d979c46d71b06b9c2991aeeb9cbb0c21bd1927eb34e862c26b9b49d65dd615c:90c9c6e760fb23a76bdb35b5342e9fc3
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - website: go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - website: ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - website: download.007guard.com/msnnames/msnnamescab
O16 - DPF: {2A0DED63-24F3-4FD6-BEC4-58F8E1F0C205} (FileSharingCtrl Class) - website: appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/pt-PT/filesharingctrl.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - website: xxxtoolbar.com/ist/softwares/v4.0/0006_cracks.cab
O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - website: xxxtoolbar.com/ist/softwares/v3.0/protect_regular.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - website: files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - website: appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - website: ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - website: xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - website: messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - website: netvenda.com/sites/games-ww/ptw/games3.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\html\IntraLaunch.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - website: messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - website: us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - website: messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} - website: cdn.climaxbucks.com/internet-optimizer/080703/UniDistIOcrack.CAB
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - website: sponsoradulto.com/cab/14/en/SysWebTelecomInt.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Programas\HP\hpcoretech\comp\hpuiprot.dll
O18 - Filter: text/html - {13EACE96-8778-41DF-81CB-260BD87E7AB2} - C:\Documents and Settings\Tiago\Definições locais\Application Data\microsoft\internet explorer\V0.26.dat
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
O23 - Service: InCD Helper - Ahead Software AG - C:\Programas\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programas\Ficheiros comuns\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Programas\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\FICHEI~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall Pro - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Programas\Ficheiros comuns\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: StyleXPService - Unknown - C:\Programas\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
