Thread: Hijackthis

  1. #1
    Junior Member (Join Date: Mar 2005, Posts: 25)

    Hijackthis

    Hey, I just ran HijackThis and found some interesting search entries at the top. Can anyone see anything else that I should remove?

    Logfile of HijackThis v1.99.1
    Scan saved at 11:59:29 AM, on 4/5/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\system32\clipsrv.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\PGPserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\tlntsvr.exe
    C:\WINDOWS\System32\vssvc.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\WZCBDL Service\WZCBDLS.exe
    C:\WINDOWS\System32\dmadmin.exe
    C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\@stake\LC5\lc5.exe
    C:\Documents and Settings\nate\My Documents\Gear\Computger Analysis\Hijacthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://82.179.166.192/search.php?v=6&aff=971910
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://82.179.166.192/index.php?v=6&aff=971910
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://82.179.166.192/index.php?v=6&aff=971910
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PGPtray.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe
    O18 - Filter: text/html - (no CLSID) - (no file)
    O23 - Service: GFI LANguard N.S.S. 5.0 attendant service - Unknown owner - C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe" -service (file missing)
    O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\System32\PGPserv.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

  2. #2
    King Tutorial-ankhamun (Join Date: Jul 2004, Posts: 897)
    Run it through this CGI:

    http://www.hijackthis.de/en

    and see what it says.

  3. #3
    I am suspicious of the Explorer.EXE file listed in the C:\Windows directory. Normally, WinXP SP2 doesn't capitalize any characters in the file name for explorer.exe. Right-click and select Properties. Select the Version tab and see what it says. I've seen mIRC executables named like this in rootkits.

  4. #4
    Senior Member therenegade (Join Date: Apr 2003, Posts: 400)
    I think explorer.EXE isn't necessarily a bad entry? The point was discussed in a spyware thread quite a few months ago; I can't seem to find the link, however, sorry. (Besides, I'm in a cafe, and I'm replying to a spyware-related thread on a computer which seems to be riddled with it.)
    These are a few entries you might want to google and see what they bring up:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://82.179.166.192/search.php?v=6&aff=971910
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://82.179.166.192/index.php?v=6&aff=971910
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://82.179.166.192/index.php?v=6&aff=971910
    This one's definitely not required unless you like casino :P
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe
    If you've uninstalled this you might want to consider removing this one too:
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    cheers
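As an added example (not from this thread and not part of HijackThis), here is a small Python triage pass over the entry types the replies above single out: R0/R1 pages pointing at a raw IP with an affiliate id, the O16 ms-its:/mhtml: entry, the orphaned O18 filter, and O23 services whose binary is missing. The per-section heuristics are my own assumptions, not HijackThis rules; the sample entries are copied from the log posted in this thread.

```python
import re

# Added triage helper for the entry types discussed in this thread; the heuristics are my assumptions, not HijackThis rules.
IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:?]|$)")
ENTRY = re.compile(r"^(R[0-3]|F\d|O\d+) - (.*)$")

def parse_line(line):
    """Split a HijackThis entry into (section, body); None for header/process lines."""
    m = ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(line):
    """Return the reasons one log line deserves a closer look ([] if none)."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    section, body = parsed
    reasons = []
    if section in ("R0", "R1") and "=" in body:
        # IE start/search pages: hijackers point them at a bare IP with an affiliate id
        url = body.split("=", 1)[1].strip()
        if IP_URL.match(url):
            reasons.append("IE start/search page points at a raw IP address")
        if "aff=" in url:
            reasons.append("affiliate id in the URL, typical of a browser hijacker")
    elif section == "O16" and re.search(r"ms-its:|mhtml:", body, re.I):
        # Downloaded Program Files entry chaining ms-its:/mhtml: to fetch a CHM that drops an exe
        reasons.append("O16 uses an ms-its:/mhtml: protocol chain (CHM dropper pattern)")
    elif section == "O18" and "(no CLSID)" in body and "(no file)" in body:
        reasons.append("O18 content filter with no CLSID and no file (hijack residue)")
    elif section == "O23" and "(file missing)" in body:
        reasons.append("O23 service whose binary is missing (uninstall leftover)")
    return reasons

def triage_log(text):
    """Return {entry: reasons} for every flagged line, keeping log order."""
    flagged = {}
    for raw in text.splitlines():
        reasons = triage(raw)
        if reasons:
            flagged[raw.strip()] = reasons
    return flagged
# Sample entries copied from the log posted in this thread (one benign O23 line for contrast)
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://82.179.166.192/search.php?v=6&aff=971910
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\System32\PGPserv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""
```

Running `triage_log(SAMPLE_LOG)` flags the R1, O16, O18 and rpcapd lines and leaves the PGPserv service alone; a hit only means "look closer", the same way the replies above suggest googling each entry.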

  5. #5
    Senior Member (Join Date: May 2003, Posts: 1,199)
    Aww, how cute... someone is playing with port scanners and password crackers.

    Maybe you should figure out what should and shouldn't be on a computer before you try and break into them? Hehe, just messing with you.

    Aside from the above, it looks good from here. It seems anything "extra" that is running has a legit reason for running. But I only took a quick look. Generally, when I am concerned about things or something looks "out of the ordinary", I just google the file; you get some good results and you learn what each thing is. But it is also a good idea to post them on boards like this just to make sure.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com
