LandzDown Forum

anything unusual?  this for example:
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dllof which hijack this says is a rarely used method of loading stuff...

or anything else suspicious??

here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 4:26:08 PM, on 11/2/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Merak\config.exe
E:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BF1588D-8BEE-42E0-93FB-24383DDE7587}: NameServer = 205.152.132.23,205.152.37.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BF1588D-8BEE-42E0-93FB-24383DDE7587}: NameServer = 205.152.132.23,205.152.37.23
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BF1588D-8BEE-42E0-93FB-24383DDE7587}: NameServer = 205.152.132.23,205.152.37.23
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Merak Control / Web / FTP (MerakControl) - IceWarp Software - C:\Program Files\Merak\control.exe
O23 - Service: Merak POP3 / IMAP (MerakPOP3) - IceWarp Software - C:\Program Files\Merak\pop3.exe
O23 - Service: Merak SMTP (MerakSMTP) - IceWarp Software - C:\Program Files\Merak\smtp.exe


thanks in advance!

it's somethin' ms puts there to let you know it's harder'n heck to browse from server 2003.  you have to add every domain to the trusted sites to browse to it...  it's some kinda security thingy.

thanks for checking that, corrine!

Thanks.  I learned something too (although I'm sure Mars11 could have explained it in detail.  ).