
Logfile of HijackThis v1.97.7 - cjoseph

Here is what you should do.

End the suspicious processes below:

C:\PROGRA~1\COMMON~1\moku\mokum.exe
C:\WINDOWS\system32\dmafg.exe
C:\PROGRA~1\COMMON~1\moku\mokua.exe

Remove these search keys:

R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Remove these additional browser plug-in keys (O2...O4):

O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {31F9E8B7-4F90-4C3D-B806-35FA909EA9C5} - C:\WINDOWS\System32\fad.dll (file missing)
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll

O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Uqlrrs.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Qsixbn.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [B8XEHr4Dd] C:\WINDOWS\hnutpd.exe
O4 - HKLM\..\Run: [ba6o3kph] C:\WINDOWS\system32\ba6o3kph.exe
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [p36f36T] dnsuth.exe

Remove these ActiveX objects (aka Downloaded Program Files) if you are not using them (O16):

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - website: static.windupdates.com/cab/ClickYesToContinue/ie/Bridge-c139.cab

Reboot the computer and put it into Safe Mode. Then delete these files from your C: drive.

C:\WINDOWS\Nail.exe
C:\WINDOWS\farmmext.exe
c:\windows\saap.exe
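The steps above amount to reading each log section, spotting the entries that do not belong, and mapping them back to the lines the user must tick in HijackThis. The script below is an added example (not part of this page or of the HijackThis tool) that does that mechanically: it parses the F0/F2, O2, O4 and O16 line formats shown in the log and attaches the review heuristics a helper applies first (a Shell= value that loads more than Explorer.exe, an unnamed or orphaned BHO, a Run value that is a bare filename or an executable dropped straight into the Windows folder, an ActiveX control registered without a class name). The sample log lines are constructed from entries in the posted log; the http:// prefixes are an assumption, since the page's extraction shows them only as "website:".

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis log format, built from the entry types the
# analysis above walks through (paths are those in the posted log). The http://
# prefixes are an assumption; the page's extraction shows them as "website:".
SAMPLE_LOG = r"""
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {31F9E8B7-4F90-4C3D-B806-35FA909EA9C5} - C:\WINDOWS\System32\fad.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [p36f36T] dnsuth.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/Bridge-c139.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
SHELL_RE = re.compile(r"Shell=(?P<value>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|scr))"?', re.IGNORECASE)
# An executable directly under the Windows folder (not in a subfolder).
WINDIR_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.IGNORECASE)
MISSING = " (file missing)"


@dataclass
class Entry:
    code: str
    raw: str
    fields: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


def parse_line(line):
    """Turn one log line into an Entry; returns None for non-entry lines."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    e = Entry(code=code, raw=line)
    if code in ("F0", "F2"):
        s = SHELL_RE.search(body)
        if s:  # tokens after Shell=; a clean system has only Explorer.exe here
            e.fields["shell"] = s.group("value").split()
    elif code == "O2":
        m2 = O2_RE.match(body)
        if m2:
            path = m2.group("path")
            missing = path.endswith(MISSING)
            e.fields.update(name=m2.group("name"), clsid=m2.group("clsid"),
                            path=path[:-len(MISSING)] if missing else path,
                            missing=missing)
    elif code == "O4":
        m4 = O4_RE.match(body)
        if m4:
            cmd = m4.group("cmd")
            ex = EXE_RE.match(cmd)  # first executable/DLL in the command line
            e.fields.update(hive=m4.group("hive"), key=m4.group("key"),
                            entry=m4.group("entry"), cmd=cmd,
                            exe=ex.group("exe") if ex else cmd)
    elif code == "O16":
        m16 = O16_RE.match(body)
        if m16:
            e.fields.update(clsid=m16.group("clsid"),
                            name=m16.group("name") or "", url=m16.group("url"))
    return e


def triage(e):
    """Attach review flags. A 'review' flag means look closer, not 'malicious':
    legitimate software also registers unnamed BHOs and bare-filename Run values."""
    f = e.fields
    if e.code in ("F0", "F2"):
        shell = f.get("shell", [])
        if shell and (len(shell) > 1 or shell[0].lower() != "explorer.exe"):
            e.flags.append("shell hijack: Shell= loads more than Explorer.exe")
    elif e.code == "O2" and f:
        if f["name"] == "(no name)" and f["missing"]:
            e.flags.append("orphaned BHO: registered but DLL is missing")
        elif f["name"] == "(no name)":
            e.flags.append("review: unnamed BHO")
    elif e.code == "O4" and f:
        if "\\" not in f["exe"]:
            e.flags.append("review: Run value is a bare filename with no path")
        elif WINDIR_RE.match(f["exe"]):
            e.flags.append("review: executable sits directly in the Windows folder")
    elif e.code == "O16" and f and not f["name"]:
        e.flags.append("review: ActiveX control registered without a class name")
    return e


def analyze(log_text):
    """Parse every entry line in a log and return only the flagged entries."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and triage(e).flags:
            out.append(e)
    return out


def find_by_path(log_text, paths):
    """Map a helper's list of files back to the log lines that reference them,
    so the user can tick exactly those entries in HijackThis."""
    wanted = [p.lower() for p in paths]
    return [e.raw for e in map(parse_line, log_text.splitlines())
            if e is not None and any(p in e.raw.lower() for p in wanted)]


if __name__ == "__main__":
    for e in analyze(SAMPLE_LOG):
        print(e.code, "|", "; ".join(e.flags), "|", e.raw)
    print(find_by_path(SAMPLE_LOG, [r"C:\WINDOWS\Nail.exe", "dnsuth.exe"]))
```

Run against the sample, the Adobe Acrobat BHO is flagged "review: unnamed BHO" alongside Bolger.dll, which is the point of separating review flags from verdicts: the heuristics narrow the list, and the helper still decides per entry, as the reply above does by keeping the Acrobat, Spybot and McAfee items out of the removal list.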

Original log.

Scan saved at 9:43:20 PM, on 15/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\PROGRA~1\3WEBAC~1\ACCESS~1\app\pppoeservice.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ba6o3kph.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\windows\saap.exe
C:\WINDOWS\system32\dnsuth.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\moku\mokum.exe
C:\WINDOWS\system32\dmafg.exe
C:\PROGRA~1\COMMON~1\moku\mokua.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Colin\My Documents\scanning\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = website: hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = website: dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = website: hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = website: hotmail.com/
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {31F9E8B7-4F90-4C3D-B806-35FA909EA9C5} - C:\WINDOWS\System32\fad.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-usen-ca\msntb.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Uqlrrs.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Qsixbn.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [B8XEHr4Dd] C:\WINDOWS\hnutpd.exe
O4 - HKLM\..\Run: [ba6o3kph] C:\WINDOWS\system32\ba6o3kph.exe
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [p36f36T] dnsuth.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [moku] C:\PROGRA~1\COMMON~1\moku\mokum.exe
O4 - HKCU\..\Run: [Y0ppRWf3j] dmafg.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - website: down.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - website: musicnotes.com/download/mnviewer.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - website: static.windupdates.com/cab/ClickYesToContinue/ie/Bridge-c139.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - website: go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - website: streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - website: download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - website: ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - website: bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - website: by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - website: a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - website: ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - website: static.topconverting.com/activex/mp3.ocx
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - website: sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - website: messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - website: bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - website: nullsoft.com/nsv/embed/nsvplayx_vp6_mp3cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - website: download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://appliedbiosystems.webex.com/client/latest/event/ieatgpc.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - website: by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx