temmu's 2003 sr2 hijack this log thingy

Started by Temmu, November 02, 2006, 10:32:50 PM


Temmu

Anything unusual? This, for example:
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
which HijackThis says is a rarely used method of loading stuff...

Or anything else suspicious?

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 4:26:08 PM, on 11/2/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Merak\config.exe
E:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BF1588D-8BEE-42E0-93FB-24383DDE7587}: NameServer = 205.152.132.23,205.152.37.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BF1588D-8BEE-42E0-93FB-24383DDE7587}: NameServer = 205.152.132.23,205.152.37.23
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BF1588D-8BEE-42E0-93FB-24383DDE7587}: NameServer = 205.152.132.23,205.152.37.23
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Merak Control / Web / FTP (MerakControl) - IceWarp Software - C:\Program Files\Merak\control.exe
O23 - Service: Merak POP3 / IMAP (MerakPOP3) - IceWarp Software - C:\Program Files\Merak\pop3.exe
O23 - Service: Merak SMTP (MerakSMTP) - IceWarp Software - C:\Program Files\Merak\smtp.exe


Thanks in advance!

Corrine

According to Greatis, dimsntfy.dll is a DIMS Notification Handler and is legitimate.

The only other thing I noticed was the start page:  res://shdoclc.dll/hardAdmin.htm .  The only reference I found to that was at Cyber Answers but the poster never returned so the issue wasn't resolved.

Is that your normal start page?


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Temmu

It's somethin' MS puts there to let you know it's harder'n heck to browse from Server 2003. You have to add every domain to the trusted sites to browse to it... It's some kinda security thingy.

Thanks for checking that, :rose: Corrine!

winchester73

Indeed, that dll comes from Windows 2003:  http://www.castlecops.com/o20list-19.html

That's a pretty lean HJT log.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member
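A small triage script, added here as an editor's example (it was not posted by anyone in this thread), that parses HijackThis 1.99.1 report lines like the ones above and applies the checks the thread walks through by hand: whether an O20 Winlogon Notify DLL actually lives in System32, whether an R0/R1 start or default page is the IE Enhanced Security Configuration page (res://shdoclc.dll/hardAdmin.htm) rather than something a hijacker set, and whether the O17 NameServer entries match a DNS allowlist you supply. The sample log is constructed: it copies a few lines from Temmu's log and adds one made-up O20 entry (helper.dll under All Users) purely so the System32 check has something to flag. The System32 path and the DNS allowlist are assumptions to adjust for the machine being examined.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Assumption: default %SystemRoot%\System32; change if Windows lives elsewhere.
SYSTEM32 = r"c:\windows\system32"
# Start page that IE Enhanced Security Configuration sets on Server 2003 (benign).
IE_ESC_PAGE = "res://shdoclc.dll/hardadmin.htm"

# Constructed sample: lines copied from the posted HJT 1.99.1 log plus one
# made-up O20 entry (helper.dll) so the System32 check has a hit to report.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BF1588D-8BEE-42E0-93FB-24383DDE7587}: NameServer = 205.152.132.23,205.152.37.23
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: helper - C:\Documents and Settings\All Users\helper.dll
O23 - Service: Merak SMTP (MerakSMTP) - IceWarp Software - C:\Program Files\Merak\smtp.exe
"""

# HJT entry lines look like "<section code> - <body>", e.g. "O20 - Winlogon Notify: ..."
LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


@dataclass
class Entry:
    code: str   # section code such as "R0", "O17", "O20"
    body: str   # everything after "<code> - "


def parse_hjt(text: str) -> List[Entry]:
    """Return the R/F/N/O entries from an HJT report. The header and the
    'Running processes' list do not match LINE_RE and are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def triage(entries: Iterable[Entry], expected_dns: Set[str]) -> List[str]:
    """Apply the checks the thread does by hand; one finding string per hit."""
    findings = []
    for e in entries:
        if e.code == "O20":
            # body: "Winlogon Notify: <subkey> - <dll path>"
            path = e.body.rsplit(" - ", 1)[-1].strip()
            folder = path.rsplit("\\", 1)[0].lower()
            if folder != SYSTEM32:
                findings.append(f"O20 Winlogon Notify DLL outside System32: {path}")
        elif e.code in ("R0", "R1"):
            # body: "<registry key>,<value name> = <url>"
            url = e.body.split("=", 1)[-1].strip().lower()
            if url not in (IE_ESC_PAGE, "about:blank"):
                findings.append(f"{e.code} start/default page set to: {url}")
        elif e.code == "O17" and "NameServer" in e.body:
            # body: "<tcpip interface key>: NameServer = <ip>,<ip>"
            servers = e.body.split("=", 1)[-1].replace(" ", "").split(",")
            for s in servers:
                if s not in expected_dns:
                    findings.append(f"O17 unexpected DNS server: {s}")
    return findings


if __name__ == "__main__":
    # Allowlist assumed to be the resolvers the box is supposed to use.
    for finding in triage(parse_hjt(SAMPLE_LOG), {"205.152.132.23", "205.152.37.23"}):
        print(finding)
```

Run against the real log above, the only hit would be from the O17 lines if the allowlist did not contain the ISP resolvers; dimsntfy.dll passes the System32 check and the hardAdmin page is recognised as the IE ESC default. The point of the O20 check is location, not name: a Winlogon Notify DLL loaded from a profile or temp directory is what deserves a closer look, whatever it is called.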

Corrine

Thanks.  I learned something too (although I'm sure Mars11 could have explained it in detail.  :lol: ). 



winchester73

Installing Internet Explorer 7 with The Microsoft Windows Server® 2003 operating systems with Service Pack SP1 (SP1)--The home page will be reset to the secure page (res://shdoclc.dll/hardadmin.htm).

Towards the bottom of this page:  http://msdn2.microsoft.com/en-us/ie/aa740486.aspx

You have IE6 however ...  :confused:

Quote:
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)