My problem is this:
explorer.exe and some other programs try to connect to these sites: whitescat.com [http:// 82.98.235.154] or [http:// 65.243.103.80].
My firewall blocks it, but sometimes pop-ups of trash sites appear....
This is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8.28.22, on 30/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Utility\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Programmi\Utility\Executive Software\Diskeeper\DkService.exe
C:\Programmi\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Drivers\Trust\Ami Mouse 300 Dual Scroll\Amoumain.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Programmi\Internet\CronoSoft\Quick Hide Windows\qhw.exe
C:\Programmi\AutoCAD 2006\acad.exe
C:\DOCUME~1\2\IMPOST~1\Temp\AdskCleanup.0001
C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
C:\Programmi\File comuni\Autodesk Shared\WSCommCntr1.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\2\Documenti\My eBooks\Programs\Utility\Spyware\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.it...i...-8&oe=UTF-8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Matrix Browser
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Utility\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Startup.lnk = ?
O4 - Global Startup: updspl.lnk = C:\Programmi\Utility\PDF4free\updspl\UpdSpl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Apri PDF in Word - res://C:\Programmi\ScanSoft\PDF Converter\IEShellExt.dll /400
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\Utility\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\Utility\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {BF683EF6-A484-437B-A47C-42622EFA8A2E} (PriMus_net_ocx Control) - http://www.acca.it/P...netWebSetup.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{737EF598-8DBD-4594-9B11-301815D8A368}: NameServer = 1.253.128.30,213.156.54.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3B9BC5F-C933-40F2-B17E-909542231139}: NameServer = 151.99.125.1,151.99.0.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{737EF598-8DBD-4594-9B11-301815D8A368}: NameServer = 1.253.128.30,213.156.54.81
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmi\Utility\Executive Software\Diskeeper\DkService.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Programmi\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Programmi\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Utility\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
And this is one of the firewall alerts:
File Version : 6.0.2900.2180
File Description : Esplora risorse (explorer.exe)
File Path : C:\WINDOWS\explorer.exe
Process ID : 0x468 (Heximal) 1128 (Decimal)
Connection origin : local initiated
Protocol : TCP
Local Address : 192.168.1.30
Local Port : 1528
Remote Name : whitescat.com
Remote Address : 82.98.235.154
Remote Port : 80 (HTTP - World Wide Web)
Ethernet packet details:
Ethernet II (Packet Length: 76)
Destination: 00-18-4d-30-41-37
Source: 00-e0-7d-ed-2e-1f
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x1bbf (Correct)
Source: 192.168.1.30
Destination: 82.98.235.154
Transmission Control Protocol (TCP)
Source port: 1528
Destination port: 80
Sequence number: 4105713715
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0x2850 (Correct)
Data (0 Bytes)
Binary dump of the packet:
0000: 00 18 4D 30 41 37 00 E0 : 7D ED 2E 1F 08 00 45 00 | ..M0A7..}.....E.
0010: 00 30 3B E9 40 00 80 06 : BF 1B C0 A8 01 1E 52 62 | .0;[email protected]
0020: EB 9A 05 F8 00 50 F4 B8 : 38 33 00 00 00 00 70 02 | .....P..83....p.
0030: FF FF 50 28 00 00 02 04 : 05 B4 01 01 04 02 61 74 | ..P(..........at
0040: 03 63 6F 6D 00 00 01 00 : 01 00 00 00 | .com........
Can you help me?
Thanks
Edited by Aulin, 30 May 2007 - 02:30 AM.
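The alert above already decodes the blocked packet, but it is worth checking that decode independently before trusting it. The following Python is an added example, not part of the original post and not Sygate's code: it rebuilds the raw bytes from the hex dump printed in the alert (the only text taken from the post), decodes the Ethernet, IPv4 and TCP headers itself, parses the TCP options and recomputes both checksums. The function and field names are my own.

```python
"""Decode the TCP SYN that the firewall alert printed as a hex dump."""
import socket
import struct

# Copied from the firewall alert in the post ("Binary dump of the packet").
# Only the hex columns are used; the offset and ASCII columns are discarded.
SYGATE_DUMP = """\
0000: 00 18 4D 30 41 37 00 E0 : 7D ED 2E 1F 08 00 45 00 | ..M0A7..}.....E.
0010: 00 30 3B E9 40 00 80 06 : BF 1B C0 A8 01 1E 52 62 | .0;[email protected]
0020: EB 9A 05 F8 00 50 F4 B8 : 38 33 00 00 00 00 70 02 | .....P..83....p.
0030: FF FF 50 28 00 00 02 04 : 05 B4 01 01 04 02 61 74 | ..P(..........at
0040: 03 63 6F 6D 00 00 01 00 : 01 00 00 00 | .com........
"""

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")


def dump_to_bytes(dump):
    """Rebuild raw bytes from 'offset: xx .. : xx .. | ascii' lines."""
    raw = bytearray()
    for line in dump.splitlines():
        hexpart = line.split("|", 1)[0].split(":", 1)[1]  # drop ASCII column, then offset
        raw += bytes.fromhex(hexpart.replace(":", " "))
    return bytes(raw)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_tcp_packet(raw):
    """Decode Ethernet/IPv4/TCP headers of one frame and verify both checksums."""
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id, frag, ttl, proto, ip_csum = struct.unpack("!HHHBBH", ip[2:12])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]  # bytes past total_len are a trailer, not part of the packet
    sport, dport, seq, ack, off_flags, window, tcp_csum = struct.unpack("!HHIIHHH", tcp[:18])
    doff = (off_flags >> 12) * 4
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags >> i & 1]

    # TCP options: kind 0 = end, kind 1 = NOP (no length byte), others are kind/len/body.
    options, opt, i = {}, tcp[20:doff], 0
    while i < len(opt):
        kind = opt[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = opt[i + 1]
        body = opt[i + 2:i + length]
        if kind == 2:
            options["mss"] = struct.unpack("!H", body)[0]
        elif kind == 4:
            options["sack_permitted"] = True
        else:
            options["kind_%d" % kind] = body.hex()
        i += length

    # The TCP checksum covers a pseudo header (src, dst, zero, proto, TCP length) plus the segment.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "eth_dst": raw[0:6].hex(":"), "eth_src": raw[6:12].hex(":"),
        "ip_src": socket.inet_ntoa(ip[12:16]), "ip_dst": socket.inet_ntoa(ip[16:20]),
        "ip_id": ip_id, "dont_fragment": bool(frag & 0x4000), "ttl": ttl,
        "ip_checksum": ip_csum, "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window,
        "tcp_checksum": tcp_csum, "tcp_checksum_ok": inet_checksum(pseudo + tcp) == 0,
        "options": options, "payload_len": len(tcp) - doff,
        "trailer_len": len(raw) - 14 - total_len,
    }


if __name__ == "__main__":
    for key, value in decode_tcp_packet(dump_to_bytes(SYGATE_DUMP)).items():
        print("%-16s %s" % (key, hex(value) if key.endswith("checksum") else value))
```

Both checksums verify. Note that the bytes on the wire are BF 1B and 50 28, which the alert prints byte-swapped as 0x1bbf and 0x2850; the values agree once the byte order is accounted for. The segment is a bare SYN with a 0-byte payload, so the dump cannot show which URL explorer.exe wanted to fetch; only the process information in the alert ties the connection to explorer.exe. The 14 bytes after the IP total length (the "at.com" region of the ASCII column) lie outside the packet and are ignored by the decoder.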