Re: HijackThisLog Analysis - costexx
Date: Thursday, 23 September, 2004 3:46 PM
Message: The process dntus26.exe was also running, but I stopped that before.
Response: DNTU26.EXE is also a suspected infection of W32/Deloder.worm. Read this analysis.
Here is what you should do.
Remove these search keys:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
Remove these additional browser plug-in keys (O2...O4):
O4 - Global Startup: update.bat
Remove these extra items in IE menu (O8...O9):
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
Reboot the computer into safe mode. Then delete these files from your C: drive.
C:\Program Files\FlashGet\
Original log but with private information removed.
Logfile of HijackThis v1.98.2
Scan saved at 10:39:36, on 23.09.2004
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
The process dntus26.exe was also running, but I stopped that before.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\WINDOWS\apppatch\ioFTPD\system\srvany.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\MultiLink\bin\LiebertM.exe
C:\Program Files\Exchsrvr\bin\srsmain.exe
c:\windows\apppatch\ioftpd\system\ioFTPD.exe
C:\mysql\bin\mysqld.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\PAV\UPDATES\PavAcS.exe
C:\WINDOWS\system32\pavsrv51.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RISRV.EXE
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\AVENGINE.EXE
C:\WINDOWS\system32\SRVTSK.EXE
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\PAvEx\PAvDCExc.exe
C:\WINDOWS\system32\PAvEx\PavExA\PavEx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\mysql\bin\winmysqladmin.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\taskmgr.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\PROGRA~1\SYMANT~1\DWHWIZRD.EXE
C:\Program Files\Symantec AntiVirus\VPC32.exe
D:\staff\Docs\cx\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [PAVNT] PAVNT.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: update.bat
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - website: pandasoftware.com/activescan/as5/asinst.cab
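As an added example that is not part of the original thread, here is a small Python triage script that parses HijackThis-style entry lines into their section code (R0, O4, O9, ...) and body, and flags the kinds of entries the response above singled out: R0/R1 home-page entries pointing at a res:// resource, a script dropped into Global Startup, and orphaned O8/O9 menu entries whose target file is missing. The sample log lines and the flagging heuristics are constructed here, modelled on the log in this post; they are not HijackThis's own logic.

```python
import re

# Constructed sample: a handful of HijackThis 1.98-style lines modelled on the log above.
SAMPLE_LOG = """\
Logfile of HijackThis v1.98.2
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - Global Startup: update.bat
O8 - Extra context menu item: Download All by FlashGet - C:\\Program Files\\FlashGet\\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\\PROGRA~1\\FlashGet\\flashget.exe (file missing)
"""

# Every HijackThis finding starts with a section code such as R0, F1 or O16, then " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")


def parse_entries(text):
    """Return (code, body) tuples for each entry line; header/process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def flag_entry(code, body):
    """Return a reason if the entry matches one of the heuristics, else None (constructed rules)."""
    lower = body.lower()
    if code in ("R0", "R1") and "res://" in lower:
        return "IE start/default page redirected to a res:// resource (hijacked home page)"
    if code == "O4" and "global startup" in lower and lower.endswith((".bat", ".cmd", ".vbs")):
        return "script in Global Startup runs for every user at logon"
    if code in ("O8", "O9") and ("(file missing)" in lower or "(no file)" in lower):
        return "orphaned IE menu/button entry (target file missing)"
    return None


def triage(text):
    """Map each flagged log line to its reason; entries that trip no rule are left out."""
    result = {}
    for code, body in parse_entries(text):
        reason = flag_entry(code, body)
        if reason:
            result[f"{code} - {body}"] = reason
    return result


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG).items():
        print(f"{reason}\n    {line}")
```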