
Re: HijackThisLog Analysis - costexx


Date: Thursday, 23 September, 2004 3:46 PM


Message: The process dntus26.exe was also running, but I stopped that before.


Response: DNTUS26.EXE is also a suspected infection of W32/Deloder.worm. Read this analysis.


Here is what you should do.





Remove these search keys:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm



Remove these additional browser plug-in keys (O2...O4):



O4 - Global Startup: update.bat




Remove these extra items in IE menu (O8...O9):

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)



Reboot the computer into safe mode. Then delete these files from your C: drive.

C:\Program Files\FlashGet


Original log but with private information removed.





Logfile of HijackThis v1.98.2
Scan saved at 10:39:36, on 23.09.2004
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)




Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\WINDOWS\apppatch\ioFTPD\system\srvany.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\MultiLink\bin\LiebertM.exe
C:\Program Files\Exchsrvr\bin\srsmain.exe
c:\windows\apppatch\ioftpd\system\ioFTPD.exe
C:\mysql\bin\mysqld.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\PAV\UPDATES\PavAcS.exe
C:\WINDOWS\system32\pavsrv51.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RISRV.EXE
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\AVENGINE.EXE
C:\WINDOWS\system32\SRVTSK.EXE
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\PAvEx\PAvDCExc.exe
C:\WINDOWS\system32\PAvEx\PavExA\PavEx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\mysql\bin\winmysqladmin.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\taskmgr.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\PROGRA~1\SYMANT~1\DWHWIZRD.EXE
C:\Program Files\Symantec AntiVirus\VPC32.exe
D:\staff\Docs\cx\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [PAVNT] PAVNT.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: update.bat
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - website: pandasoftware.com/activescan/as5/asinst.cab
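The checks the reply walks through by hand (the R0/R1 start-page values, the Global Startup item given without a path, the O8/O9 entries whose target file is gone) can be applied mechanically to a pasted log. The Python script below is an added example and is not part of the original post, of HijackThis, or of the FlashGet, Panda or Symantec products named in the log. It parses the R/O lines of a HijackThis v1.98-style log and gives each entry a verdict. The sample log embedded in it is constructed from entries quoted above with backslashes restored; the rule set, the verdict names "remove", "review" and "keep", and the platform check are this example's own assumptions. One check it adds that the reply does not make: when the Platform line reports WinNT 5.02 (Windows Server 2003), res://shdoclc.dll/hardAdmin.htm is the home page that Internet Explorer Enhanced Security Configuration sets for administrators, so the script puts those R0/R1 entries under "review" with that note rather than under "remove".

```python
"""Triage a HijackThis v1.98 log: parse each R/O entry and attach a verdict.

Added example. The classification rules below are this script's own
assumptions, not HijackThis output or the original poster's procedure.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: entries taken from the log above, backslashes restored.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Platform: Unknown Windows (WinNT 5.02.3790)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: update.bat
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
PLATFORM_RE = re.compile(r"Platform:.*\(WinNT (\d+\.\d+)\.\d+\)")

# HijackThis appends these when the registry still points at a file that is gone.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Home page set by IE Enhanced Security Configuration on Windows Server 2003 (NT 5.2).
IE_ESC_ADMIN_PAGE = "res://shdoclc.dll/hardAdmin.htm"


@dataclass
class Finding:
    kind: str      # R0, R1, O3, O4, ...
    body: str      # rest of the HijackThis line after "Oxx - "
    verdict: str   # "remove", "review" or "keep" (names assumed by this example)
    reason: str


def detect_nt_version(log_text: str) -> str | None:
    """Return the NT major.minor from the Platform header, e.g. '5.02'."""
    m = PLATFORM_RE.search(log_text)
    return m.group(1) if m else None


def classify(kind: str, body: str, nt_version: str | None) -> tuple[str, str]:
    """Apply the example's rule set to one entry."""
    if any(marker in body for marker in ORPHAN_MARKERS):
        return "remove", "orphaned entry: target file no longer exists"

    if kind.startswith("R"):                      # IE start/search page values
        url = body.split(" = ", 1)[-1].strip()
        if url.startswith(IE_ESC_ADMIN_PAGE):
            if nt_version == "5.02":
                return "review", ("default IE Enhanced Security Configuration page on "
                                  "Windows Server 2003; confirm before treating as a hijack")
            return "review", "res:// start page on a platform where it is not the default"
        if not url.startswith(("http://", "https://", "about:blank")):
            return "review", f"unexpected start page value: {url}"
        return "keep", "ordinary http start page"

    if kind == "O4" and body.startswith(("Startup:", "Global Startup:")):
        target = body.split(":", 1)[1].split("=")[-1].strip()
        if "\\" not in target:                    # bare file name, no directory
            return "review", "startup item given without a path; locate and inspect the file"
        return "keep", "startup item with a full path"

    return "keep", "no rule matched; verify the vendor manually"


def triage(log_text: str) -> list[Finding]:
    """Parse every R/O line of a HijackThis log and attach a verdict to each."""
    nt_version = detect_nt_version(log_text)
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                              # header, process list or blank line
        kind, body = m.groups()
        verdict, reason = classify(kind, body, nt_version)
        findings.append(Finding(kind, body, verdict, reason))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group the original HijackThis lines by verdict so a fix list can be copied out."""
    groups: dict[str, list[str]] = {"remove": [], "review": [], "keep": []}
    for f in findings:
        groups[f.verdict].append(f"{f.kind} - {f.body}")
    return groups


if __name__ == "__main__":
    for verdict, lines in summarize(triage(SAMPLE_LOG)).items():
        print(f"== {verdict} ({len(lines)})")
        for entry in lines:
            print("  ", entry)
```

On the constructed sample the three orphaned O3/O9 entries land under "remove", the two hardAdmin.htm values and update.bat under "review", and the pathed ccApp, WinMySQLadmin and FlashGet context-menu entries under "keep". The process list is deliberately skipped: HijackThis prints it without any registry context, so a path there is evidence to look up, not an entry to fix.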


Updated On: 04.09.27
