Thread 48731: Hijack This Help Please
Forum: Press F1 | Started by skinner (464) | 2004-08-31 01:17:00
Post 267236 | 2004-08-31 01:17:00 | skinner (464)

Hi Folks, running XP Home and have a hijacker: http://portal.soul-gate.net CWShredder finds nothing. I have downloaded and run HJT. Can some kind person have a look at the log file and point me in the right direction please.

Cheers,
Skinner

```text
Logfile of HijackThis v1.98.2
Scan saved at 11:11:38 AM, on 8/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\sysentry.exe
C:\WINDOWS\System32\msxml32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [System Uptime Server] sysentry.exe
O4 - HKLM\..\Run: [XML Service] msxml32.exe
O4 - HKLM\..\RunServices: [System Uptime Server] sysentry.exe
O4 - HKLM\..\RunServices: [XML Service] msxml32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] servicz.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - public.windupdates.com 17eab49e5b901a47dda91eed23d14571b1dcbb50c53ec324fb 6bbe9df2df75f77a9f377f138a6ac5:1b00391fd504d07ee71 93cbee4e4fb28
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - messenger.msn.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB18AD57-6DC7-4703-9762-D31E97017835}: NameServer = 202.27.158.40 202.27.184.3
```
Post 267237 | 2004-08-31 01:34:00 | Spacemannz (808)

Did you pick up that pic.zip that's on that site?? When you visited it. (Did you actually go to that site)?? XP SP2 blocked it and gave me the option, which I ignored.

That sysentry.exe and msxml32.exe look suss. They're not part of XP. BUT maybe part of something else. BUT a search in Google and Yahoo says they're either a virus and/or trojan (in another language). BUT I understood virus and trojan!

If you go to Task Manager/Processes, are these 2 files in it??
Post 267238 | 2004-08-31 01:38:00 | skinner (464)

Cheers for that... no, I didn't actually look at the site. I'll check the odd looking entries.

Skinner
Post 267239 | 2004-08-31 02:04:00 | Spacemannz (808)

No prob, and that win32x.exe file that appears under Run looks nasty and also isn't part of XP. According to Google that's Troj/StartPa-DF. This is some info about it:

Troj/StartPa-DF aka Downloader-KH is a Trojan downloader which changes Internet Explorer settings. The Trojan downloads various files from http://bpdn.ath.cx/

In order to run automatically when Windows starts up Troj/StartPa-DF creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winlogin = win32x.exe

One of the downloaded files contains a URL to which the Trojan creates shortcuts in both the user's Favorites folder and the following registry entries:
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page

(The Search Page and Start Page under the above entry don't exist in XP.) Well, they're not on mine. Delete them in your registry, if they're there. ONLY the Search Page and Start Page entries.

Troj/StartPa-DF may send information about the infected computer to the author via an HTTP POST submission.

I suggest you go to Run in the registry and remove the win32x.exe entry ASAP, and reboot.
Post 267240 | 2004-08-31 02:59:00 | Pheonix (280)

Remove bad boys:

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] servicz.exe

Not sure either about...

O4 - HKLM\..\Run: [System Uptime Server] sysentry.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - public.windupdates.com 19fa0f76be02c9836cb8a42f03deb5cda7f017eab49e5b901a 47dda91eed23d14571b1dcbb50c53e c324fb6bbe9df2df75f77a9f377f138a6ac5:1b00391fd504d 07ee7193cbee4e4fb28
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB18AD57-6DC7-4703-9762-D31E97017835}: NameServer = 202.27.158.40 202.27.184.3

Although O17 and O4 refer to using your PC as a server, maybe for file transfer for your business?

Also, this is a trojan and you will find it has also hidden elsewhere. So after a cleanout using Ccleaner (www.ccleaner.com/) and cleanout of the entries, I would run Spybot (http:) and CWshredder (www.spywareinfo.com) followed by Stinger (vil.nai.com) WITHOUT restarting PC. They are getting harder and harder to kill, some of these.
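The triage Pheonix does by eye on skinner's log can be done mechanically. The parser below is an added example written for this page, not HijackThis code or anything from the thread: it applies the heuristics the replies use (an O4 autorun given as a bare filename rather than a full path, the legacy RunServices key, a BHO loaded from System32, an O17 nameserver override) to a few lines copied from the posted log. The heuristics are the editor's assumptions about what deserves a second look, not a verdict on any entry.

```python
import re

# Constructed sample: a few lines copied from the HijackThis 1.98 log posted
# in the thread (O2/O4/O17 formats), not a scan of any other machine.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Update Machine] servicz.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB18AD57-6DC7-4703-9762-D31E97017835}: NameServer = 202.27.158.40 202.27.184.3
"""

# One regex per HijackThis section type we triage (layouts taken from the log above).
O4_RE = re.compile(r"^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")


def triage(log_text):
    """Return (line, reason) pairs for entries worth a second look.

    Heuristics are the editor's assumptions, not HijackThis logic: an autorun
    given as a bare filename (resolved via the PATH search, so it can sit in
    System32 and pass for a system file), the legacy RunServices key, a BHO
    loaded from System32 rather than a vendor folder, any O17 DNS override.
    """
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = (m["cmd"].split() or [""])[0]
            if "\\" not in exe:
                findings.append((line, "autorun given as a bare filename, no full path"))
            if m["key"].lower() == "runservices":
                findings.append((line, "RunServices key is legacy and rarely used legitimately"))
            continue
        m = O2_RE.match(line)
        if m and m["path"].lower().startswith("c:\\windows\\system32\\"):
            findings.append((line, "BHO loaded from System32, not a vendor folder"))
            continue
        m = O17_RE.match(line)
        if m:
            findings.append((line, "DNS servers overridden: " + m["servers"]))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

On the sample above the AVG entry passes because it carries a full path, while win32x.exe, servicz.exe, the nvms.dll BHO and the O17 nameserver line are all reported.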