Logfile of HijackThis v1.99.0 - sphinx_76
Remember: DO NOT run HijackThis.exe from inside the zip file. Unzip (extract) it to your desktop, then double-click the "HijackThis.exe" icon. This way a backup of every removed key is created on your desktop (useful if you remove something wrongly).
Time to update to Windows XP Service Pack 2. It fixes most of Windows XP security bugs.
You may want to review the following software on your PC:
- CrypKey NT Service
Process name: CrypKey NT Service
Product: CrypKey Software Licensing System
Company: Kenonic Controls Ltd.
File: crypserv.exe
Website: crypkey.com
- FedSpell
FedSpell lets you spell check using Internet Explorer while working with web-based applications. It also has Snip-N-Save which prevents data loss due to network and server errors. Free for personal use, all other use requires licensing. Website: drivestopper.com
- CAL80 TRAY.EXE ?
F3 - REG:win.ini: run=C:\CAL80\TRAY.EXE
Here is what you should do.
End the following suspicious process:
C:\CAL80\TRAY.EXE
Remove these extra items in IE menu (O8...O9):
O9 - Extra button: FedSpell (F7) - {D0B49704-5C63-4d0b-8348-692ED95DFF87} - res://C:\Program Files\FedSpell\FedSpell.dll/CHECK (file missing)
O9 - Extra 'Tools' menuitem: Spelling check with FedSpell - {D0B49704-5C63-4d0b-8348-692ED95DFF87} - res://C:\Program Files\FedSpell\FedSpell.dll/CHECK (file missing)
O9 - Extra button: FedSpell Dangerous Word - {D0B49705-5C63-4d0b-8348-692ED95DFF87} - res://C:\Program Files\FedSpell\FedSpell.dll/TARGETWORD (file missing)
O9 - Extra 'Tools' menuitem: Dangerous Word check with FedSpell - {D0B49705-5C63-4d0b-8348-692ED95DFF87} - res://C:\Program Files\FedSpell\FedSpell.dll/TARGETWORD (file missing)
O9 - Extra button: FedSpell Save My Types - {D0B49706-5C63-4d0b-8348-692ED95DFF87} - res://C:\Program Files\FedSpell\FedSpell.dll/SAVEMYTYPES (file missing)
O9 - Extra 'Tools' menuitem: FedSpell Save My Types - {D0B49706-5C63-4d0b-8348-692ED95DFF87} - res://C:\Program Files\FedSpell\FedSpell.dll/SAVEMYTYPES (file missing)
Remove the following entries:
O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
Original log, with private information removed.
Scan saved at 1:34:26 PM, on 11/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\crypserv.exe
e:\PROGRA~1\Navnt\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
e:\PROGRA~1\Navnt\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\CAL80\TRAY.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
E:\PROGRA~1\Navnt\vptray.exe
C:\WINDOWS\System32\TBLMOUSE.EXE
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
E:\AnalogX\Proxy\proxy.exe
C:\WINDOWS\System32\CMMON32.EXE
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
e:\PROGRA~1\Navnt\vpexrt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Eitan\Local Settings\Temp\HijackThis.exe

F3 - REG:win.ini: run=C:\CAL80\TRAY.EXE
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: FedSpell_BHO Class - {AEF513C4-D541-4D52-83E1-B14C17F76BC8} - C:\Program Files\FedSpell\FedSpell.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [vptray] e:\PROGRA~1\Navnt\vptray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Check Spelling with FedSpell (F7) - res://C:\Program Files\FedSpell\FedSpell.dll/CHECK
O8 - Extra context menu item: &Dangerous Words check with FedSpell - res://C:\Program Files\FedSpell\FedSpell.dll/TARGETWORD
O8 - Extra context menu item: &Save My Types with FedSpell - res://C:\Program Files\FedSpell\FedSpell.dll/SAVEMYTYPES
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll
O9 - Extra button: (no name) - {D0B49703-5C63-4d0b-8348-692ED95DFF87} - C:\Program Files\FedSpell\FedSpell.dll
O9 - Extra 'Tools' menuitem: FedSpell Options - {D0B49703-5C63-4d0b-8348-692ED95DFF87} - C:\Program Files\FedSpell\FedSpell.dll
O9 - Extra button: FedSpell (F7) - {D0B49704-5C63-4d0b-8348-692ED95DFF87} - res://C:\Program Files\FedSpell\FedSpell.dll/CHECK (file missing)
O9 - Extra 'Tools' menuitem: Spelling check with FedSpell - {D0B49704-5C63-4d0b-8348-692ED95DFF87} - res://C:\Program Files\FedSpell\FedSpell.dll/CHECK (file missing)
O9 - Extra button: FedSpell Dangerous Word - {D0B49705-5C63-4d0b-8348-692ED95DFF87} - res://C:\Program Files\FedSpell\FedSpell.dll/TARGETWORD (file missing)
O9 - Extra 'Tools' menuitem: Dangerous Word check with FedSpell - {D0B49705-5C63-4d0b-8348-692ED95DFF87} - res://C:\Program Files\FedSpell\FedSpell.dll/TARGETWORD (file missing)
O9 - Extra button: FedSpell Save My Types - {D0B49706-5C63-4d0b-8348-692ED95DFF87} - res://C:\Program Files\FedSpell\FedSpell.dll/SAVEMYTYPES (file missing)
O9 - Extra 'Tools' menuitem: FedSpell Save My Types - {D0B49706-5C63-4d0b-8348-692ED95DFF87} - res://C:\Program Files\FedSpell\FedSpell.dll/SAVEMYTYPES (file missing)
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - website: us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - website: v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106972338598
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT Profile Manager Class) - https://online.westpac.comau/wtpbs/wtBalanceSheet/portfoliomanagerwt.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02E51630-A0D6-45EC-A339-D470E2AC08DB}: NameServer = 203.88.255.99 203.88.240.88
O17 - HKLM\System\CS1\Services\Tcpip\..\{02E51630-A0D6-45EC-A339-D470E2AC08DB}: NameServer = 203.88.255.99 203.88.240.88
O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - e:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client - Symantec Corporation - e:\PROGRA~1\Navnt\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe