
Re: HijackThisLog Analysis - Nick


Date: 7:09:14 PM, on 6/30/04


Looks like there is a remote control trojan in the system...


Also there are multiple sessions of scvhost.exe.


End the suspicious processes below:


C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\system32\scvhost.exe


Remove Unauthorised Software:


DNTU26.EXE is also a suspected W32/Deloder.worm infection.


Download the latest Stinger software and reboot the computer into safe mode. Then scan and delete viruses.


Original log but with private information removed.





Logfile of HijackThis v1.97.7
Scan saved at 7:09:14 PM, on 6/30/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Common Files\Network Associates\Alert Manager\amgrsrvc.exe
C:\PROGRA~1\DIRECT~1\DUService.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\NetShield 2000\Mcshield.exe
C:\Program Files\Network Associates\NetShield 2000\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\winnt\system32\pstores.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\NetLogon.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\INTERNAT.EXE
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\scvhost.exe
C:\vpop3\vpop3svc.exe
C:\vpop3\VPOP3.EXE
C:\WINNT\regedit.exe
C:\Program Files\Network Associates\NetShield 2000\scan32.exe
C:\WINNT\system32\notepad.exe
C:\WinZip\winzip32.exe
C:\TEMP\HijackThis.exe


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*;
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O13 - WWW. Prefix: http:??


Trojan found:

Updated On: 04.07.08
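
Added example, not part of the original post: a way to spot look-alike process names such as the scvhost.exe entries in the log above, by comparing each running image name against a short list of genuine Windows process names. The reference list, the function names and the sample lines are assumptions made for this illustration; the sample is constructed from a few entries of the log.

```python
from collections import Counter
from itertools import takewhile

# Assumed reference list of genuine Windows process names (not from the post).
KNOWN_SYSTEM = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                "smss.exe", "explorer.exe", "spoolss.exe"}

# Constructed sample: a few lines modelled on the HijackThis log above.
SAMPLE = r"""Running processes:
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\scvhost.exe
C:\WINNT\Explorer.EXE

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
"""

def edit_distance(a, b):
    """Optimal string alignment distance: a swap of two adjacent letters costs 1."""
    d = [[i + j if i == 0 or j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    lines = [l.strip() for l in log_text.splitlines()]
    start = next((i + 1 for i, l in enumerate(lines) if l.lower().startswith("running processes")), len(lines))
    return list(takewhile(bool, lines[start:]))

def lookalikes(paths, max_distance=1):
    """Map each near-miss image name to (genuine name it resembles, instance count)."""
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in paths)
    hits = {}
    for name, n in counts.items():
        for real in KNOWN_SYSTEM:
            if name not in KNOWN_SYSTEM and edit_distance(name, real) <= max_distance:
                hits[name] = (real, n)
    return hits
```
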
