   Mischel Internet Security Forum
   Anyone encounter this malware??  E26START.EXE
mugen2020
Anyone encounter this malware??  E26START.EXE
« on: Jul 13th, 2006, 4:12pm »

This malware keeps itself loaded among the running processes in the background of my WinXP.
 
C:\WINDOWS\system32\E26Start.exe  
299 KB (306,176 bytes)
c:\windows\system32\wscntfy.exe
I can't even remove it from memory or delete the file using
Adware/Kaspersky.
 
Can anyone please give me some assistance or advice to remove this malware?
mugen2020
Re: Anyone encounter this malware??  E26S
« Reply #1 on: Jul 13th, 2006, 4:19pm »

Below is the report from HijackThis:
 
Logfile of HijackThis v1.99.1
Scan saved at 5:17:08, on 14/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\winsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\e26Start.exe
C:\Documents and Settings\Mike\Desktop\HijackThis.exe
 
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\E26Start.exe  
O2 - BHO: MonitorURL Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\PROGRA~1\DESKAD~1\deskipn.dll (file missing)
O2 - BHO: IE Browser Helper - {3CE496D1-1746-41CD-9489-3C0B93DF10E2} - C:\WINDOWS\Downlo~1\ldltgy7.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MoveSearch] C:\Program Files\HuaCi\huaci\zsearch.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\system32\E26Start.exe  
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyShares] c:\program Files\易虎\MyShares.exe /tray
O8 - Extra context menu item: &使用屁屁狗[PPGou]加速下载 - C:\PROGRA~1\PPGou2\geturl.htm
O8 - Extra context menu item: &使用屁屁狗[PPGou]下载全部链接 - C:\PROGRA~1\PPGou2\getAll.htm
O8 - Extra context menu item: >>彩信发送<< - res://C:\PROGRA~1\MMSASS~1\Mmsass~1.dll/mms.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\xboxcenter.dll
O10 - Unknown file in Winsock LSP: c:\windows\xboxcenter.dll
O10 - Unknown file in Winsock LSP: c:\windows\xboxcenter.dll
O10 - Unknown file in Winsock LSP: c:\windows\xboxcenter.dll
O10 - Unknown file in Winsock LSP: c:\windows\xboxcenter.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9463A7CB-90A1-48B7-89F4-39B2BD332849} : NameServer = 202.188.1.5,202.188.0.133
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - (no file)
O23 - Service: DeskService - Unknown owner - C:\WINDOWS\system32\winsvc.exe
 
 
 
siliconman01
Global Moderator
Re: Anyone encounter this malware??  E26START.EXE
« Reply #2 on: Jul 14th, 2006, 12:04am »

Can you remove it or rename it when you reboot into SAFE MODE?
 
Also, can you uncheck its startup entry by going to START-RUN and typing in msconfig? Then go to the Startup tab, locate it, uncheck its entry, click on APPLY and OK and then reboot.
 
Please submit this file for analysis by Gavin (Mischel's trojan analyst) as per the instructions in the link below.
 
http://forum.misec.net/board/FAQ/1139308293
« Last Edit: Jul 14th, 2006, 12:06am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
siliconman01
Global Moderator
Re: Anyone encounter this malware??  E26START.EXE
« Reply #3 on: Jul 14th, 2006, 12:13am »

Of great concern is Winsvc.  It is a worm according to this link:
 
http://www.liutilities.com/products/wintaskspro/processlibrary/winsvc/
 
You should download the trial version of TrojanHunter, install it, and run LiveUpdate to obtain the latest definitions.  Then open TH scanner and set ALL the options active under the Options icon on the left icon bar.  Reboot your computer into SAFE MODE and run a FULL system scan with TrojanHunter.  Let it remove what it can.
 
Reboot back into normal mode and post here what TH found and removed.  Then rerun HJT and post another log.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
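
Added example (not written by any poster in this thread and not part of HijackThis): a small Python triage pass over a HijackThis log such as the one posted in Reply #1, listing the startup, LSP and service entries that merit a second look before and after cleanup. The function names and the review heuristics are assumptions made for illustration; the sample lines are copied from the log above.

```python
import re

# Sample input: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\E26Start.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [] C:\WINDOWS\system32\E26Start.exe
O10 - Unknown file in Winsock LSP: c:\windows\xboxcenter.dll
O10 - Unknown file in Winsock LSP: c:\windows\xboxcenter.dll
O23 - Service: DeskService - Unknown owner - C:\WINDOWS\system32\winsvc.exe
"""

# HijackThis result lines look like "<section code> - <details>", e.g. "O4 - ...".
ENTRY = re.compile(r"^([FNOR]\d+)\s+-\s+(.*)$")

def review_reasons(code, body):
    """Return review reasons for one entry (illustrative heuristics, not verdicts)."""
    reasons = []
    if code == "F2":
        m = re.search(r"Shell=(.*)$", body, re.I)
        if m and m.group(1).strip().lower() != "explorer.exe":
            reasons.append("Shell= value starts more than Explorer.exe at logon")
    elif code == "O4":
        if re.search(r"Run\w*: \[\s*\]", body):
            reasons.append("Run entry has an empty value name")
    elif code == "O10" and "unknown file" in body.lower():
        reasons.append("unrecognised Winsock LSP provider")
    elif code == "O23" and "unknown owner" in body.lower():
        reasons.append("service binary has no identifiable owner")
    return reasons

def triage(log_text):
    """Parse a HijackThis log; return de-duplicated (code, body, reasons) tuples."""
    flagged, seen = [], set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process list or blank line
        code, body = m.group(1), m.group(2).strip()
        reasons = review_reasons(code, body)
        if reasons and (code, body.lower()) not in seen:
            seen.add((code, body.lower()))
            flagged.append((code, body, reasons))
    return flagged

if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code}: {body}\n    review: {'; '.join(reasons)}")
```

Running the same pass on the log taken after the SAFE MODE scan shows at a glance whether the Shell= and Run entries for E26Start.exe and the winsvc.exe service are gone.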