Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help about trojan TR/... etc. etc.


  • Please log in to reply

#1
Aulin

Aulin

    New Member

  • Member
  • Pip
  • 2 posts
Hi, i'm new on this forum (sorry for my bad english ... i'm italian ... :blink: )

My problem is this :

explorer.exe and some other programs try to connect to this sites whitescat.com [http:// 82.98.235.154] or to [http:// 65.243.103.80].
My firewall block it, but sometimes appear pop up of trash sites .... :help:

this is my hijack log :

Logfile of HijackThis v1.99.1
Scan saved at 8.28.22, on 30/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Utility\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Programmi\Utility\Executive Software\Diskeeper\DkService.exe
C:\Programmi\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Drivers\Trust\Ami Mouse 300 Dual Scroll\Amoumain.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Programmi\Internet\CronoSoft\Quick Hide Windows\qhw.exe
C:\Programmi\AutoCAD 2006\acad.exe
C:\DOCUME~1\2\IMPOST~1\Temp\AdskCleanup.0001
C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
C:\Programmi\File comuni\Autodesk Shared\WSCommCntr1.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\2\Documenti\My eBooks\Programs\Utility\Spyware\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.it...i...-8&oe=UTF-8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Matrix Browser
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Utility\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Startup.lnk = ?
O4 - Global Startup: updspl.lnk = C:\Programmi\Utility\PDF4free\updspl\UpdSpl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Apri PDF in Word - res://C:\Programmi\ScanSoft\PDF Converter\IEShellExt.dll /400
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\Utility\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\Utility\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {BF683EF6-A484-437B-A47C-42622EFA8A2E} (PriMus_net_ocx Control) - http://www.acca.it/P...netWebSetup.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{737EF598-8DBD-4594-9B11-301815D8A368}: NameServer = 1.253.128.30,213.156.54.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3B9BC5F-C933-40F2-B17E-909542231139}: NameServer = 151.99.125.1,151.99.0.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{737EF598-8DBD-4594-9B11-301815D8A368}: NameServer = 1.253.128.30,213.156.54.81
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmi\Utility\Executive Software\Diskeeper\DkService.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Programmi\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Programmi\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Utility\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe


and this is one of the alert of firewall :

File Version : 6.0.2900.2180
File Description : Esplora risorse (explorer.exe)
File Path : C:\WINDOWS\explorer.exe
Process ID : 0x468 (Heximal) 1128 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : 192.168.1.30
Local Port : 1528
Remote Name : whitescat.com
Remote Address : 82.98.235.154
Remote Port : 80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 76)
Destination: 00-18-4d-30-41-37
Source: 00-e0-7d-ed-2e-1f
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x1bbf (Correct)
Source: 192.168.1.30
Destination: 82.98.235.154
Transmission Control Protocol (TCP)
Source port: 1528
Destination port: 80
Sequence number: 4105713715
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0x2850 (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 00 18 4D 30 41 37 00 E0 : 7D ED 2E 1F 08 00 45 00 | ..M0A7..}.....E.
0010: 00 30 3B E9 40 00 80 06 : BF 1B C0 A8 01 1E 52 62 | .0;[email protected]
0020: EB 9A 05 F8 00 50 F4 B8 : 38 33 00 00 00 00 70 02 | .....P..83....p.
0030: FF FF 50 28 00 00 02 04 : 05 B4 01 01 04 02 61 74 | ..P(..........at
0040: 03 63 6F 6D 00 00 01 00 : 01 00 00 00 | .com........

Can you help me ? :whistling:

Thanks

Edited by Aulin, 30 May 2007 - 02:30 AM.

  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP