Re: HijackThisLog Analysis - Luxin
Date: 9 Nov 2004
References: WINSHOST.EXE; WINGO.EXE;
Here is what you should do.
End the suspicious process below:
C:\WINDOWS\SYSTEM\WINGO.EXE
Remove these additional browser plug-in keys (O2...O4):
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\SYSTEM\winshost.exe
O4 - HKCU\..\Run: [wingo] C:\WINDOWS\SYSTEM\wingo.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\SYSTEM\winshost.exe
Reboot the computer and put it into safe mode. Then delete these files from your C: drive.
C:\WINDOWS\SYSTEM\WINGO.EXE
Original log but with private information removed.
Logfile of HijackThis v1.98.2
Scan saved at 4:52:53 PM, on 11/9/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WINGO.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\SYSTEM\winshost.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [wingo] C:\WINDOWS\SYSTEM\wingo.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\SYSTEM\winshost.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
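
The O4 autorun lines of a log like the one above can be parsed and matched against the file names the reply flags. The Python below is an added example, not part of the original post or of HijackThis; the function names and SAMPLE_LOG are constructed here, and the whitespace repair assumes spaced-out backslashes are scraping damage.

```python
import re
from ntpath import basename  # Windows path rules on any platform

# File names the reply above flags for removal (taken from the post).
FLAGGED = {"winshost.exe", "wingo.exe"}

# Constructed sample: O4 lines from the log above; two of them keep the
# spaced-out backslashes that appear when such a page is scraped.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM \ .. \ Run: [winshost.exe] C: \ WINDOWS \ SYSTEM \ winshost.exe
O4 - HKCU \ .. \ Run: [wingo] C: \ WINDOWS \ SYSTEM \ wingo.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\SYSTEM\winshost.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
"""

REG_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
LNK_RE = re.compile(r"^O4 - (?:Global )?Startup: (.+?) = (.+)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|scr|pif))(?:\s|$)", re.I)

def parse_o4(log):
    """Return (location, entry name, lower-case executable name) per O4 line."""
    entries = []
    for raw in log.splitlines():
        # Assumption: whitespace around a backslash is extraction damage.
        line = re.sub(r"\s*\\\s*", lambda m: "\\", raw.strip())
        m = REG_RE.match(line)
        if m:
            location, name, command = f"{m[1]}\\{m[2]}", m[3], m[4]
        else:
            m = LNK_RE.match(line)
            if not m:
                continue  # not an O4 line this example understands
            location, name, command = "Startup", m[1], m[2]
        exe = EXE_RE.match(command)  # keeps paths with spaces, drops arguments
        target = exe[1] if exe else command.split()[0]
        entries.append((location, name, basename(target.strip('"')).lower()))
    return entries

def flagged_entries(log, flagged=FLAGGED):
    """Autorun entries whose executable name is on the flagged list."""
    return [e for e in parse_o4(log) if e[2] in flagged]

if __name__ == "__main__":
    for location, name, exe in flagged_entries(SAMPLE_LOG):
        print(f"{location}: [{name}] -> {exe}")
```

Matching is on the executable's file name only, so it reports every autorun location that launches a flagged file regardless of the entry's display name.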