
View Full Version : Hijack This Help Please



skinner
31-08-2004, 01:17 PM
Hi Folks,

Running XP Home and have a hijacker : http://portal.soul-gate.net
CWShredder finds nothing.

I have downloaded and run HJT. Can some kind person have a look at the log file and point me in the right direction please.

Cheers
Skinner
Logfile of HijackThis v1.98.2
Scan saved at 11:11:38 AM, on 8/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\sysentry.exe
C:\WINDOWS\System32\msxml32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [System Uptime Server] sysentry.exe
O4 - HKLM\..\Run: [XML Service] msxml32.exe
O4 - HKLM\..\RunServices: [System Uptime Server] sysentry.exe
O4 - HKLM\..\RunServices: [XML Service] msxml32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] servicz.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=be5a5344c63819fa0f76be02c9836cb8a42f03deb5cda7f017eab49e5b901a47dda91eed23d14571b1dcbb50c53ec324fb6bbe9df2df75f77a9f377f138a6ac5:1b00391fd504d07ee7193cbee4e4fb28
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB18AD57-6DC7-4703-9762-D31E97017835}: NameServer = 202.27.158.40 202.27.184.3

Spacemannz
31-08-2004, 01:34 PM
Did you pick up that pic.zip that's on that site when you visited it? (Did you actually go to that site?) XP SP2 blocked it and gave me the option, which I ignored.

That sysentry.exe and msxml32.exe look suss. They're not part of XP. BUT maybe part of something else. BUT a search in Google and Yahoo says they're either a virus and/or trojan (in another language). BUT I understood virus and trojan!

If you goto Task Manager/processes, are these 2 files in it??

skinner
31-08-2004, 01:38 PM
Cheers for that...no I didn't actually look at the site. I'll check the odd-looking entries.

Skinner

Spacemannz
31-08-2004, 02:04 PM
No prob, and that win32x.exe file that appears under Run looks nasty and also isn't part of XP. According to Google that's Troj/StartPa-DF.

This is some info about it

Troj/StartPa-DF aka Downloader-KH is a Trojan downloader which changes Internet Explorer settings.

The Trojan downloads various files from http://bpdn.ath.cx/

In order to run automatically when Windows starts up Troj/StartPa-DF creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winlogin = win32x.exe

One of the downloaded files contains a URL to which the Trojan creates shortcuts in both the user's Favorites folder and the following registry entries:

HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page

(The Search Page and Start Page under the above entry don't exist in XP. Well, they're not on mine.) Delete them in your registry, if they're there. ONLY the Search Page and Start Page entries.

Troj/StartPa-DF may send information about the infected computer to the author via an HTTP POST submission. I suggest you go to Run in the registry and remove the win32x.exe entry ASAP, and reboot.

Pheonix
31-08-2004, 02:59 PM
Remove bad boys..

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] servicz.exe

Not sure either about ...

O4 - HKLM\..\Run: [System Uptime Server] sysentry.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=be5a5344c63819fa0f76be02c9836cb8a42f03deb5cda7f017eab49e5b901a47dda91eed23d14571b1dcbb50c53ec324fb6bbe9df2df75f77a9f377f138a6ac5:1b00391fd504d07ee7193cbee4e4fb28
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB18AD57-6DC7-4703-9762-D31E97017835}: NameServer = 202.27.158.40 202.27.184.3

Although O17 and O4 refer to using your PC as a server, maybe for file transfer for your business?

Also, this is a trojan and you will find it has also hidden elsewhere. So after a cleanout using Ccleaner (http://www.ccleaner.com/) and cleanout of the entries, I would run Spybot (http://www.majorgeeks.com/download2471.html) and CWshredder (http://www.spywareinfo.com/~merijn/files/CWShredder.exe) followed by Stinger (http://vil.nai.com/vil/stinger/) WITHOUT restarting PC.
Some of these are getting harder and harder to kill.
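
The checks the replies above apply by hand (an O4 autorun entry that is a bare file name with no path, a BHO nobody recognises, an O16 ActiveX download from an unfamiliar host, an O17 NameServer that the ISP did not issue) can be run over the log mechanically. This is an added example, not code from the thread or from HijackThis; the sample log is a cut-down copy of the one posted above, and the three allowlists the function takes are assumptions an analyst fills in for the machine in question.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis log posted above (the long
# O16 query string is cut down; the entries are otherwise as in the log).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Update Machine] servicz.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB18AD57-6DC7-4703-9762-D31E97017835}: NameServer = 202.27.158.40 202.27.184.3
"""

O4_RE = re.compile(r"O4 - HK\w+\\\.\.\\\w+: \[([^\]]*)\] (\S+)")
O2_RE = re.compile(r"O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)")
O16_RE = re.compile(r"O16 - DPF: \{[0-9A-Fa-f-]+\}.*? - (\S+)$")
O17_RE = re.compile(r"O17 - .*NameServer = (.*)")

def triage(log_text, trusted_bhos=frozenset(), trusted_hosts=frozenset(), expected_dns=frozenset()):
    # Returns (section, detail, reason) for every line that fails a heuristic.
    # The three allowlists are assumptions the analyst supplies: BHO CLSIDs of
    # software known to be installed, hosts trusted to serve ActiveX downloads,
    # and the DNS servers the ISP actually issued.
    findings = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            name, exe = m.groups()
            if "\\" not in exe:  # bare name resolved via the search path, like win32x.exe
                findings.append(("O4", f"[{name}] {exe}", "autorun entry without a full path"))
        elif m := O2_RE.match(line):
            name, clsid, dll = m.groups()
            if clsid.upper() not in trusted_bhos:
                findings.append(("O2", f"{name} {dll}", "browser helper object not on the allowlist"))
        elif m := O16_RE.match(line):
            url = m.group(1)
            if urlparse(url).hostname not in trusted_hosts:
                findings.append(("O16", url, "ActiveX download from an untrusted host"))
        elif m := O17_RE.match(line):
            bad = [s for s in m.group(1).split() if s not in expected_dns]
            if bad:
                findings.append(("O17", " ".join(bad), "NameServer not among the expected DNS servers"))
    return findings

if __name__ == "__main__":
    for section, detail, reason in triage(SAMPLE_LOG, trusted_hosts={"messenger.msn.com"}):
        print(f"{section:4} {reason}: {detail}")
```

Run against the sample it reports the same five entries the thread singles out (the UrlCatcher BHO, win32x.exe, servicz.exe, the windupdates.com download and the O17 name servers) and stays quiet about the AVG entry and the MSN Messenger download.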