
Re: HijackThisLog Analysis - Scott

Date: Sunday, 19 September, 2004 12:47 PM

Remember: DO NOT run hijackthis.exe from inside the zip file. Unzip (extract) it to your desktop, then double-click the "HijackThis.exe" icon; this way a backup of each removed key will be created on your desktop (useful if you remove one wrongly).

Here is what you should do.

Remove these search keys:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)

Remove these additional browser plug-in keys (O2...O4):

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1

Remove these extra IE plugin items (O12):

O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll

Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - website: by13fd.bay13.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - website: aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - website: public.windupdates.com/get_file.php?bt=ie&p=... a4dbbb

Reboot the computer into Safe Mode. Then delete this file from your C: drive:

C:\WINDOWS\RunDLL.exe

Original log, with private information removed.


Logfile of HijackThis v1.98.2
Scan saved at 9:44:52 PM, on 9/18/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\E_S4I2L1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\ZONELABS\ISAFE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\1188084\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = website: red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*website: yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = website: hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = website: rd.yahoo.com/customize/ymsgr/defaults/sb/*website: yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = website: red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*website: yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", ""); (C:\Program Files\Netscape\Users\shanman\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_19_0.DLL
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBARBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\SYSTEM\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O7 "EPUSB1:" /M "Stylus CX6400"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O8 - Extra context menu item: &Viewpoint Search - res://C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL/CXTSEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\INSTANT MESSENGER\AIM.EXE
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O12 - Plugin for .asx: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=website: hp.my.yahoo.com
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - website: by13fd.bay13.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - website: aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - website: public.windupdates.com/get_file.php?bt=ie&p=... a4dbbb
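As an added triage example (not part of the reply above and not HijackThis code), the following Python parses HijackThis-style log entries and applies the checks the reply relies on: "(no file)" references that point at nothing, a malformed underscore-prefixed CLSID like the first R3 URLSearchHook, and an O16 ActiveX download that carries no friendly name. The sample lines are copied from the log above.

```python
import re

# Added example, not HijackThis code: parse "Rn/On - ..." log entries and
# apply the checks used in the reply above.
ENTRY_RE = re.compile(r"^(?P<sec>[RNO]\d+) - (?P<body>.+)$")
GUID_RE = re.compile(r"(_?)\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(text):
    """Return (section, body) tuples; process lines and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text):
    """Return (section, reason, body) findings that deserve a closer look."""
    findings = []
    for sec, body in parse_entries(text):
        if "(no file)" in body:
            findings.append((sec, "orphaned: referenced file is missing", body))
        # A CLSID key is "{...}"; a leading underscore (as in the first R3 hook
        # above) is not a valid GUID and points at a renamed or planted key.
        if any(prefix == "_" for prefix in GUID_RE.findall(body)):
            findings.append((sec, "malformed CLSID with underscore prefix", body))
        # O16 entries normally carry "(Friendly Name)" right after the CLSID.
        if sec == "O16" and not re.search(r"\}\s+\(", body):
            findings.append((sec, "ActiveX download with no friendly name", body))
    return findings


# Sample input: lines copied from the log in the reply above.
SAMPLE = """\
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar1.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - website: aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - website: public.windupdates.com/get_file.php
"""

if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE):
        print(f"{sec}: {reason}\n    {body}")
```

Entries it flags are candidates for review, not an automatic removal list; the legitimate Google BHO and the named AOL download pass through untouched.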

