Re: HijackThisLog Analysis - Toncake
Date: Monday, 13 September, 2004 12:49 AM
Seriously appreciate help of any kind, thanks
Reply:
Remember: DO NOT run hijackthis.exe from inside the zip file. Unzip (extract) it to your desktop, then double-click the "HijackThis.exe" icon; this way a backup of each removed key will be created on your desktop (useful if you remove something wrongly).
Here is what you should do.
Remove these search keys:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = website: try-this-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = website: try-this-search.biz/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = website: try-this-search.biz/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = website: try-this-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = website: try-this-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = website: try-this-search.biz
Remove these extra items in IE menu (O8...O9):
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - website: drivershq.com/DD_v4.CAB
O21 - SSODL: eplrr9 - {FA1E2F6E-78E9-4AC4-896C-E7C2899C64C5} - C:\WINDOWS\System32\eplrr9.dll
Original log but with private information removed.
Logfile of HijackThis v1.98.2
Scan saved at 12:08:16 AM, on 9/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Cake\Local Settings\Temp\Temporary Directory 2 for 1188084.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = website: try-this-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = website: try-this-search.biz/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = website: try-this-search.biz/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = website: try-this-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = website: try-this-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = website: try-this-search.biz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - website: drivershq.com/DD_v4.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - website: us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - website: chat.yahoo.com/cab/yacsui.cab
O21 - SSODL: eplrr9 - {FA1E2F6E-78E9-4AC4-896C-E7C2899C64C5} - C:\WINDOWS\System32\eplrr9.dll
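The reply above triages the log by hand: R0/R1 entries whose home or search page points at a domain the user never chose, O9 buttons whose target file is gone, O16 downloaded controls the user may not need, and an O21 ShellServiceObjectDelayLoad DLL with a random-looking name. The following Python script is an added example, not part of the thread and not HijackThis code; it applies those same checks to a constructed sample modelled on the log lines in this thread (the sample keeps the thread's "website:" stand-in where a URL scheme would appear and accepts real schemes too). The trusted home-page hosts and the SSODL baseline are assumed values you would replace with your own known-good list.

```python
"""Triage HijackThis-style log lines the way a forum helper does by hand."""
import re
from typing import List, Tuple

# Constructed sample modelled on the log in the thread. "website:" stands in
# for the URL scheme, as in the thread; the HKCU line and the WebCheck line
# are constructed benign entries so the allow-lists are exercised.
SAMPLE_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = website: try-this-search.biz
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = website: try-this-search.biz/ie.html
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = website: try-this-search.biz
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.org/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton SystemWorks\\Norton Antivirus\\NavShExt.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\MSMSGS.EXE
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - website: drivershq.com/DD_v4.CAB
O21 - SSODL: eplrr9 - {FA1E2F6E-78E9-4AC4-896C-E7C2899C64C5} - C:\\WINDOWS\\System32\\eplrr9.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\\WINDOWS\\System32\\webcheck.dll
"""

# Assumed allow-lists: the hosts this user actually chose for IE's start and
# search pages, and the SSODL DLLs present on a clean baseline of the same OS.
HOME_PAGE_ALLOWLIST = {"example.org", "www.example.org"}
SSODL_BASELINE = {"webcheck.dll", "stobject.dll"}

# "R1 - <body>" / "O21 - <body>": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# First dotted host in a value, with an optional scheme or "website:" prefix.
HOST_RE = re.compile(
    r"(?:website:\s*|https?://)?(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I
)

Finding = Tuple[str, str, str]  # (section, reason, original line)


def host_of(value: str) -> str:
    """Return the lower-cased host named in a registry value, or '' if none."""
    m = HOST_RE.search(value)
    return m.group("host").lower() if m else ""


def triage(log_text: str,
           home_allowlist=HOME_PAGE_ALLOWLIST,
           ssodl_baseline=SSODL_BASELINE) -> List[Finding]:
    """Flag the entry types the reply singles out; everything else is left alone."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            # Body is "<hive>\...\Main,<value name> = <url>".
            key, _, value = body.partition(" = ")
            host = host_of(value)
            if host and host not in home_allowlist:
                name = key.rsplit(",", 1)[-1]
                findings.append((section, f"IE '{name}' points at untrusted host {host}", line))
        elif section == "O9" and body.endswith("(no file)"):
            findings.append((section, "orphaned IE button/menu item: target file missing", line))
        elif section == "O16":
            findings.append((section, "downloaded ActiveX control: remove unless in use", line))
        elif section == "O21":
            # Body ends with the DLL path; compare its base name with the baseline.
            dll = body.rsplit("\\", 1)[-1].lower()
            if dll not in ssodl_baseline:
                findings.append((section, f"ShellServiceObjectDelayLoad DLL {dll} not in baseline", line))
    return findings


def untrusted_hosts(findings: List[Finding]) -> set:
    """Collect the hosts the R0/R1 hijack entries point at, for blocklisting."""
    return {host_of(f[2].partition(" = ")[2]) for f in findings if f[0] in ("R0", "R1")}


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
    print("hijack hosts:", ", ".join(sorted(untrusted_hosts(triage(SAMPLE_LOG)))))
```

Known-good entries (the Norton BHO, the Messenger button, the baseline SSODL DLL, the home page on the allow-list) produce no finding, so the output is exactly the removal list the reply gives, plus the O16 controls for the user to decide on.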