Excellent, thank you.
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at
http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 7:52:48 p.m., on 7/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
End of KRC HijackThis Analyzer Log.
====================================================================
Incident                 Status          Location
Virus:W32/Smitfraud.B    Disinfected     Operating system
Adware:Adware/Smitfraud  No disinfected  C:\WINDOWS\System32\OLEADM.dll
Adware:Adware/SaveNow    No disinfected  Windows Registry
Adware:Adware/Smitfraud  No disinfected  C:\WINDOWS\System32\wp.bmp
Adware:Adware/PsGuard    No disinfected  C:\Documents and Settings\gaming\Application Data\PSGuard.com
Adware:Adware/Smitfraud  No disinfected  C:\Recycled\Q330995.exe
Virus:Trj/Banker.TA      Disinfected     C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X0U7AQEB\bbot[1].exe
Adware:Adware/Smitfraud  No disinfected  C:\WINDOWS\system32\oleadm.dll
Virus:W32/Smitfraud.B    Disinfected     C:\WINDOWS\system32\wininet.dll
Adware:Adware/Smitfraud  No disinfected  C:\WINDOWS\system32\wp.bmp
Adware:Adware/Smitfraud  No disinfected  C:\WINDOWS\uninstIU.exe
(7/7/05 6:51:18 p.m.) SPSeHjFix started v1.1.2
(7/7/05 6:51:18 p.m.) OS: WinXP (5.1.2600)
(7/7/05 6:51:18 p.m.) Language: english
(7/7/05 6:51:18 p.m.) Win-Path: C:\WINDOWS
(7/7/05 6:51:18 p.m.) System-Path: C:\WINDOWS\System32
(7/7/05 6:51:18 p.m.) Temp-Path: C:\DOCUME~1\gaming\LOCALS~1\Temp\
(7/7/05 6:51:27 p.m.) Disinfection started
(7/7/05 6:51:27 p.m.) Bad-Dll(IEP): c:\docume~1\gaming\locals~1\temp\se.dll
(7/7/05 6:51:27 p.m.) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\imal.dll
(7/7/05 6:51:27 p.m.) Searchassistant Uninstaller - Keys Deleted
(7/7/05 6:51:27 p.m.) UBF: 7 - UBB: 2 - UBR: 12
(7/7/05 6:51:27 p.m.) FilterKey: HKCR\text/html (deleted)
(7/7/05 6:51:27 p.m.) FilterKey: HKCR\CLSID\{98FB572A-D936-4FD8-AF60-C693779D20DC} (deleted)
(7/7/05 6:51:27 p.m.) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(7/7/05 6:51:27 p.m.) FilterKey: HKCR\text/plain (deleted)
(7/7/05 6:51:27 p.m.) FilterKey: HKCR\CLSID\{98FB572A-D936-4FD8-AF60-C693779D20DC} (error while deleting)
(7/7/05 6:51:27 p.m.) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(7/7/05 6:51:27 p.m.) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4A7AAC1-A2EB-49B7-8043-7421F4F25C8A} (deleted)
(7/7/05 6:51:27 p.m.) BHO-Key: HKCR\CLSID\{F4A7AAC1-A2EB-49B7-8043-7421F4F25C8A} (deleted)
(7/7/05 6:51:27 p.m.) UBF: 5 - UBB: 1 - UBR: 12
(7/7/05 6:51:27 p.m.) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\gaming\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\gaming\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(7/7/05 6:51:27 p.m.) Stealth-String not found
(7/7/05 6:51:27 p.m.) File added to delete: c:\windows\system32\imal.dll
(7/7/05 6:51:27 p.m.) Reboot
(7/7/05 6:52:34 p.m.) SPSeHjFix started v1.1.2
(7/7/05 6:52:34 p.m.) OS: WinXP (5.1.2600)
(7/7/05 6:52:34 p.m.) Language: english
(7/7/05 6:52:34 p.m.) Win-Path: C:\WINDOWS
(7/7/05 6:52:34 p.m.) System-Path: C:\WINDOWS\System32
(7/7/05 6:52:34 p.m.) Temp-Path: C:\DOCUME~1\gaming\LOCALS~1\Temp\
(7/7/05 6:53:07 p.m.) Disinfection started
(7/7/05 6:53:07 p.m.) Bad-Dll(IEP): c:\docume~1\gaming\locals~1\temp\se.dll
(7/7/05 6:53:07 p.m.) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\imal.dll
(7/7/05 6:53:07 p.m.) Searchassistant Uninstaller - Keys Deleted
(7/7/05 6:53:07 p.m.) UBF: 7 - UBB: 2 - UBR: 12
(7/7/05 6:53:07 p.m.) FilterKey: HKCR\text/html (deleted)
(7/7/05 6:53:07 p.m.) FilterKey: HKCR\CLSID\{432562C1-C30C-4799-9297-6FCA3508FF97} (deleted)
(7/7/05 6:53:07 p.m.) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(7/7/05 6:53:07 p.m.) FilterKey: HKCR\text/plain (deleted)
(7/7/05 6:53:07 p.m.) FilterKey: HKCR\CLSID\{432562C1-C30C-4799-9297-6FCA3508FF97} (error while deleting)
(7/7/05 6:53:07 p.m.) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(7/7/05 6:53:07 p.m.) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C24C8F3B-C1FF-476C-BE76-36D19CD4C489} (deleted)
(7/7/05 6:53:07 p.m.) BHO-Key: HKCR\CLSID\{C24C8F3B-C1FF-476C-BE76-36D19CD4C489} (deleted)
(7/7/05 6:53:07 p.m.) UBF: 5 - UBB: 1 - UBR: 12
(7/7/05 6:53:07 p.m.) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\gaming\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\gaming\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(7/7/05 6:53:07 p.m.) Stealth-String not found
(7/7/05 6:53:07 p.m.) File added to delete: c:\windows\system32\imal.dll
(7/7/05 6:53:07 p.m.) Reboot
(7/7/05 6:54:09 p.m.) SPSeHjFix started v1.1.2
(7/7/05 6:54:09 p.m.) OS: WinXP (5.1.2600)
(7/7/05 6:54:09 p.m.) Language: english
(7/7/05 6:54:09 p.m.) Win-Path: C:\WINDOWS
(7/7/05 6:54:09 p.m.) System-Path: C:\WINDOWS\System32
(7/7/05 6:54:09 p.m.) Temp-Path: C:\DOCUME~1\gaming\LOCALS~1\Temp\
whew!
Everything seems to be working ok, but I'm a little concerned with the panda active scan results, looks like there might still be something there?
Thanks for the help