
Logfile of HijackThis v1.99.0 - mirahmadi

Virus (winxp.exe) activity found on your computer. Update your anti-virus data file and scan the entire disk again, or download and run Stinger to detect it.

Here is what you should do.

End the following suspicious processes:

C:\WINDOWS\system32\winxp.exe
C:\PROGRA~1\Save\Save.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WhenUSearch\Search.exe
C:\Program Files\WeatherCast\Weather.exe

Remove these browser plug-in (O2) and startup (O4) entries:

O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\WINDOWS\system32\winxpwb.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll

O4 - HKLM\..\Run: [winxp] C:\WINDOWS\system32\winxp.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKCU\..\Run: [WeatherCast] "C:\Program Files\WeatherCast\Weather.exe" /q

Remove this Winsock hijacker (O10):

O10 - Hijacked Internet access by New.Net

Reboot the computer into Safe Mode, then delete these files from the C: drive.

C:\PROGRA~1\Save\Save.exe
C:\Program Files\WhenUSearch\Search.exe
C:\Program Files\WeatherCast\Weather.exe
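The four steps above (end processes, remove the O2/O4 entries, repair the O10 Winsock hijack, delete files) can be derived mechanically from the log's own line shapes. What follows is an added example, not code from this page or from the HijackThis project: a small Python parser for the R1, O2, O3, O4, O10 and O17 lines as they appear on this page, with a list of the indicators this analysis flags, that groups matches into the same cleanup steps. It generalises slightly: every flagged executable or DLL is listed for deletion (the page's own delete list is shorter), and the proxy (R1) and name-server (O17) lines are surfaced for manual review rather than judged. The embedded log excerpt is a subset of the log shown further down; the names FLAGGED, split_command, parse_line and cleanup_plan are this example's own.

```python
"""Derive a HijackThis cleanup plan from log lines (added example; not
from this page or the HijackThis project). Assumes the R1/O2/O3/O4/O10/O17
line shapes shown on this page; FLAGGED and the function names are ours."""
import re

# Indicators the analysis above tells the reader to remove: file names and
# vendor strings taken from the page, matched as case-insensitive substrings.
FLAGGED = ("winxp.exe", "winxpwb.dll", "save.exe", "search.exe",
           "weather.exe", "newdotnet", "newdot~", "new.net")

O2_O3 = re.compile(r"^(?P<type>O[23]) - (?:BHO|Toolbar): (?P<name>.+?) - "
                   r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O10 = re.compile(r"^O10 - (?P<text>.+)$")
O17 = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
R1 = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.+)$")

# Subset of the log shown further down on this page (same line shapes).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.148.246.69:8000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\WINDOWS\system32\winxpwb.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [winxp] C:\WINDOWS\system32\winxp.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherCast] "C:\Program Files\WeatherCast\Weather.exe" /q
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B29F64C-508B-4FA4-8F0C-A6C8CBC67601}: NameServer = 213.217.40.186 80.191.28.6
"""


def split_command(cmd):
    """Return (host executable, payload) for an O4 command. For
    'rundll32 X.DLL,Entry args' the payload is the DLL; otherwise both are the exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
        return exe, exe
    first, _, rest = cmd.partition(" ")
    if first.lower() in ("rundll32", "rundll32.exe"):
        return first, rest.split(",", 1)[0].strip()
    return first, first


def parse_line(line):
    """Turn one log line into a dict, or None for lines this parser ignores."""
    line = line.strip()
    m = O2_O3.match(line)
    if m:
        return {"type": m["type"], "name": m["name"], "clsid": m["clsid"], "path": m["path"]}
    m = O4.match(line)
    if m:
        exe, payload = split_command(m["cmd"])
        return {"type": "O4", "hive": m["hive"], "key": m["key"],
                "cmd": m["cmd"], "exe": exe, "payload": payload}
    m = O10.match(line)
    if m:
        return {"type": "O10", "text": m["text"]}
    m = O17.match(line)
    if m:
        return {"type": "O17", "servers": m["servers"].split()}
    m = R1.match(line)
    if m:
        return {"type": "R1", "proxy": m["proxy"].strip()}
    return None


def is_flagged(text):
    low = text.lower()
    return any(ind in low for ind in FLAGGED)


def cleanup_plan(log_text):
    """Group flagged records into the steps the analysis above lists."""
    plan = {"end_processes": [], "remove_run_keys": [], "remove_bho": [],
            "repair_winsock": [], "delete_files": [], "review_network": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["type"] in ("O2", "O3") and is_flagged(rec["path"]):
            plan["remove_bho"].append(rec["clsid"])
            plan["delete_files"].append(rec["path"])
        elif rec["type"] == "O4" and is_flagged(rec["cmd"]):
            plan["remove_run_keys"].append(rec["hive"] + r"\..\Run: [" + rec["key"] + "]")
            plan["end_processes"].append(rec["exe"])
            plan["delete_files"].append(rec["payload"])
        elif rec["type"] == "O10" and is_flagged(rec["text"]):
            plan["repair_winsock"].append(rec["text"])
        elif rec["type"] in ("O17", "R1"):
            # Proxy and DNS settings are not judged here: list them for a human.
            plan["review_network"].append(raw.strip())
    # Drop duplicates (an exe seen under several keys) but keep order.
    return {k: list(dict.fromkeys(v)) for k, v in plan.items()}


if __name__ == "__main__":
    for step, items in cleanup_plan(SAMPLE_LOG).items():
        print(step)
        for item in items:
            print("   ", item)
```

Running the script prints the plan for the embedded excerpt; the `rundll32` entry shows why the host executable and the payload are kept apart: the process to end is rundll32, but the file to delete is the New.net DLL it loads. Matching is deliberately a substring test on the whole command line so that short (8.3) paths such as `PROGRA~1\Save\Save.exe` are caught as well as the long form.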

Original log, with private information removed.


Scan saved at 12:00:38 PM, on 1/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\WINDOWS\system32\winxp.exe
C:\PROGRA~1\Save\Save.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WhenUSearch\Search.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\WeatherCast\Weather.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera7\opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\VisualRoute\VisualRoute.exe
C:\WINDOWS\system32\wjview.exe
C:\Program Files\VisualRoute\exe\vrdns2.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Maysam\LOCALS~1\Temp\Rar$EX09.743\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.148.246.69:8000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\WINDOWS\system32\winxpwb.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [winxp] C:\WINDOWS\system32\winxp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [Babylon Translator] C:\Program Files\Babylon\Babylon.exe
O4 - HKCU\..\Run: [WeatherCast] "C:\Program Files\WeatherCast\Weather.exe" /q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - website: us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B29F64C-508B-4FA4-8F0C-A6C8CBC67601}: NameServer = 213.217.40.186 80.191.28.6
O23 - Service: AVSync Manager - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

winxp.exe 12-Jan-2005

