
NDrv.exe

NDrv.exe and NDrv.dll appear to be an adware program. It is found in c:\windows\system32. On running, it searches for valuead.com. This is the web site that this program contacts to pull down stuff. An IP address in the .exe file is 66.150.193.11. That address inside the file is actually 66.150.193.111 and it traces to the Internap.com domain.

Could also be linked to:

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\[username]\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Ohub] C:\Documents and Settings\[username]\Application Data\itro.exe

Removal:

End the suspicious process below:

C:\WINNT\System32\NDrv.exe

Remove these additional browser plug-in keys (fdjfocv.exe looks suspicious):

O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINNT\System32\NDrv.dll
O4 - HKCU\..\Run: [????] C:\Documents and Settings\[username]\Application Data\????.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ljgcrqfdg] C:\WINNT\System32\fdjfocv.exe
O4 - HKCU\..\Run: [NDrv] C:\WINNT\System32\NDrv.exe

Reboot the computer into safe mode. Then delete these files from your C: drive.

C:\WINNT\System32\NDrv.exe
C:\WINNT\System32\NDrv.dll
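
The O2/O3/O4 entries listed above can be triaged programmatically. The following Python is an added example, not part of the original post: it parses HijackThis lines and flags the file names the post calls out, `(no file)` registrations, and autoruns that launch from Application Data. The function names, the three heuristics and the `Updater` sample line are assumptions of this example.

```python
import re

# Constructed sample: entries quoted in the post above plus one benign line.
SAMPLE_LOG = r"""
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINNT\System32\NDrv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ljgcrqfdg] C:\WINNT\System32\fdjfocv.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\[username]\Application Data\ttuh.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKLM\..\Run: [Updater] C:\Program Files\Example\updater.exe
"""

# File names the post names as part of this infection.
KNOWN_FILES = {"ndrv.exe", "ndrv.dll", "fdjfocv.exe"}
# O2/O3: "<name> - {CLSID} - <file>"; O4: "<hive>\..\Run: [<value name>] <command>"
COM_RE = re.compile(r"^(O2|O3) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN_RE = re.compile(r"^(O4) - (HK(?:LM|CU))\\\.\.\\Run: \[(.*?)\] (.+)$")

def parse_line(line):
    """Return a dict for an O2/O3/O4 entry, or None for anything else."""
    m = COM_RE.match(line.strip())
    if m:
        return {"section": m[1], "name": m[2], "clsid": m[3].upper(), "target": m[4]}
    m = RUN_RE.match(line.strip())
    if m:
        return {"section": m[1], "hive": m[2], "name": m[3], "target": m[4]}
    return None

def reasons(entry):
    """Heuristics (assumptions of this example) for why an entry needs review."""
    target = entry["target"]
    found = []
    if target == "(no file)":
        found.append("orphaned registration: file missing")
    if target.rsplit("\\", 1)[-1].lower() in KNOWN_FILES:
        found.append("file named in the post")
    if entry["section"] == "O4" and re.search(r"\\Application Data\\[^\\]+\.exe$", target, re.I):
        found.append("autorun executable directly under Application Data")
    return found

def triage(log_text):
    """Return (entry, reasons) pairs for every flagged line in a log."""
    parsed = filter(None, map(parse_line, log_text.splitlines()))
    return [(e, r) for e in parsed if (r := reasons(e))]

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f'{entry["section"]} {entry["name"]!r} -> {entry["target"]}: {"; ".join(why)}')
```
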

 

