#1 (permalink)
Registered User
Join Date: Oct 2004
Posts: 5
OS: WinXP

Hijack this log help

Hi, having major PC problem.

I've run AVG and adaware and spybot search and destroy. They all find and delete something and the next time I run them, they find and delete it again. It's driving me nuts.

Problems
IE homepage has changed
Thing next to the clock (can't remember what it's called) shows a red icon which says your computer is infected and links to a psscan website.
Whenever I open IE I get an AVG virus warning.

Virus
The virus is called a Trojan Horse Startpage.19.J
Also have a Backdoor Generic DJI and a BackDoor Generic.DFX

AdAware
Adaware finds a Coolwebsearch with a TAC value of 10 which it removes (but comes back)

What I've Done
Run full virus scan (with all updates)
Run adaware (with all updates)
Run Spybot S&D (with all updates)
Run Hijack This and the analyser.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 9:17:16 p.m., on 6/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\intel32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\gaming\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\gaming\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {F4A7AAC1-A2EB-49B7-8043-7421F4F25C8A} - C:\WINDOWS\System32\imal.dll
O4 - HKLM\..\Run: [Ins3DT] F:\INSTALL4\INS3DT.EXE
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Filter: text/html - {98FB572A-D936-4FD8-AF60-C693779D20DC} - C:\WINDOWS\System32\imal.dll
O18 - Filter: text/plain - {98FB572A-D936-4FD8-AF60-C693779D20DC} - C:\WINDOWS\System32\imal.dll

End of KRC HijackThis Analyzer Log.
====================================================================

I don't want any toolbars or messenger. The only things I need are INCD and my virus checker, Adaware and Spybot.

Thanks for the Assist
Thanatos

P.S. I did not close my internet connection when I ran Hijack this. I did close all open programs though. Let me know if this is a problem.
#2 (permalink)
TSF Enthusiast

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p. Please be patient with me during this time.
__________________
I am here in order to help you.
#3 (permalink)
TSF Enthusiast

Hello and welcome to TSF

I just want to give you a good word: your thread was absolutely excellent, you really gave us the information needed and scanned how we asked you to. Good job with that!

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Please do NOT change any of those settings until we finish the fixing process.

Download CWShredder http://www.greyknight17.com/spy/CWShredder.exe

Right click a blank part of your desktop & select New->Folder. Call it SPFix. Go to http://www.derbilk.de/404.html and download SpSeHjfix. Get the one that's specified for your Operating System. So if you have Windows 98, get the one that's listed for Windows 98.

Disconnect from the net and close all programs. Run SpSeHjfix and click on 'Start Disinfection'. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder. Save that log, we will use it later. If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

Now run the CWShredder and hit the Fix button.

Download Hoster and run it. Choose the 'Restore Original Hosts' button and press OK.

Download CleanUP! and install it. Do NOT run it yet.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist) (You must kill them one at a time).

C:\WINDOWS\System32\intel32.exe

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

PSGuard

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\gaming\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\gaming\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {F4A7AAC1-A2EB-49B7-8043-7421F4F25C8A} - C:\WINDOWS\System32\imal.dll
O4 - HKLM\..\Run: [Ins3DT] F:\INSTALL4\INS3DT.EXE
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O18 - Filter: text/html - {98FB572A-D936-4FD8-AF60-C693779D20DC} - C:\WINDOWS\System32\imal.dll
O18 - Filter: text/plain - {98FB572A-D936-4FD8-AF60-C693779D20DC} - C:\WINDOWS\System32\imal.dll

Please remember to close all other windows, including browsers, then click Fix checked.

Delete the following Folder indicated in BLUE if it still exists:
C:\Program Files\PSGuard

Delete the following Files indicated in RED if they still exist:
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\System32\imal.dll
F:\INSTALL4\INS3DT.EXE

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
• Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep stored in these locations, Move them now!!!

Reboot your system in Normal Mode.

Please use Panda ActiveScan at http://www.pandasoftware.com/products/activescan. Give us the scan’s log.

Make sure to update Windows and Internet Explorer at http://v5.windowsupdate.microsoft.co....aspx?ln=en-us.

Please scan again with HijackThis to get a new log. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Now give us a new HijackThis Analyzer log, along with SpSeHjfix’s log, so we can make sure your system is clean.
__________________
I am here in order to help you.
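Post #3 resets the hosts file with Hoster; HijackThis reports hosts-file redirections as `O1 - Hosts: <address> <hostname>` entries. As an added example (not part of the thread and not code from HijackThis or any tool named in it), this Python script splits a HijackThis log into entries even when copy-paste has run them together, then groups the O1 redirects by target address; the sample log, the function names and the `min_hosts` threshold are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, not taken from the thread: HijackThis-style entries run
# together on wrapped lines, as scraped forum posts often are. Addresses are
# RFC 5737 documentation IPs; host names use the reserved .example TLD.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1 Running processes:
C:\WINDOWS\explorer.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: 192.0.2.10 bank-one.example O1 - Hosts:
192.0.2.10 www.bank-one.example O1 - Hosts: 192.0.2.10 bank-two.example O1 -
Hosts: 192.0.2.20 update.av-vendor.example O1 - Hosts: 192.0.2.20 www.av-vendor.example
O4 - HKLM\..\Run: [sample] C:\WINDOWS\System32\sample.exe"""

# An entry starts with a section code (R0-R3, F0-F3, N1-N4, O1, O2, ...) and " - ".
ENTRY = re.compile(r"(?<!\S)(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
HOSTS = re.compile(r"Hosts:\s+(\S+)\s+(\S+)")


def split_entries(text):
    """Return [(code, body)] for every entry, whatever the line wrapping."""
    flat = " ".join(text.split())          # undo wrapping and stray newlines
    marks = list(ENTRY.finditer(flat))
    entries = []
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(flat)
        entries.append((mark.group(1), flat[mark.end():end].strip()))
    return entries


def hosts_redirects(entries):
    """Map each target address to the sorted host names redirected to it."""
    by_ip = defaultdict(set)
    for code, body in entries:
        match = HOSTS.match(body) if code == "O1" else None
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:                 # malformed address: skip, do not guess
            continue
        by_ip[str(ip)].add(match.group(2).lower())
    return {ip: sorted(names) for ip, names in by_ip.items()}


def suspicious_redirects(by_ip, min_hosts=2):
    """Addresses other than loopback/0.0.0.0 that several names point to.

    Loopback entries are skipped because ad-blocking hosts files use them
    too; a LAN address with many aliases can still show up here, so the
    result is a triage list, not a verdict.
    """
    flagged = []
    for ip, names in by_ip.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        if len(names) >= min_hosts:
            flagged.append((ip, names))
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    found = suspicious_redirects(hosts_redirects(split_entries(SAMPLE_LOG)))
    for ip, names in found:
        print(f"{ip}: {len(names)} names redirected, e.g. {names[0]}")
```
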
#4 (permalink)
Registered User
Join Date: Oct 2004
Posts: 5
OS: WinXP

Excellent thank you.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 7:52:48 p.m., on 7/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab

End of KRC HijackThis Analyzer Log.
====================================================================

Incident                   Status            Location
Virus:W32/Smitfraud.B      Disinfected       Operating system
Adware:Adware/Smitfraud    No disinfected    C:\WINDOWS\System32\OLEADM.dll
Adware:Adware/SaveNow      No disinfected    Windows Registry
Adware:Adware/Smitfraud    No disinfected    C:\WINDOWS\System32\wp.bmp
Adware:Adware/PsGuard      No disinfected    C:\Documents and Settings\gaming\Application Data\PSGuard.com
Adware:Adware/Smitfraud    No disinfected    C:\Recycled\Q330995.exe
Virus:Trj/Banker.TA        Disinfected       C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X0U7AQEB\bbot[1].exe
Adware:Adware/Smitfraud    No disinfected    C:\WINDOWS\system32\oleadm.dll
Virus:W32/Smitfraud.B      Disinfected       C:\WINDOWS\system32\wininet.dll
Adware:Adware/Smitfraud    No disinfected    C:\WINDOWS\system32\wp.bmp
Adware:Adware/Smitfraud    No disinfected    C:\WINDOWS\uninstIU.exe

(7/7/05 6:51:18 p.m.) SPSeHjFix started v1.1.2
(7/7/05 6:51:18 p.m.) OS: WinXP (5.1.2600)
(7/7/05 6:51:18 p.m.) Language: english
(7/7/05 6:51:18 p.m.) Win-Path: C:\WINDOWS
(7/7/05 6:51:18 p.m.) System-Path: C:\WINDOWS\System32
(7/7/05 6:51:18 p.m.) Temp-Path: C:\DOCUME~1\gaming\LOCALS~1\Temp\
(7/7/05 6:51:27 p.m.) Disinfection started
(7/7/05 6:51:27 p.m.) Bad-Dll(IEP): c:\docume~1\gaming\locals~1\temp\se.dll
(7/7/05 6:51:27 p.m.) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\imal.dll
(7/7/05 6:51:27 p.m.) Searchassistant Uninstaller - Keys Deleted
(7/7/05 6:51:27 p.m.) UBF: 7 - UBB: 2 - UBR: 12
(7/7/05 6:51:27 p.m.) FilterKey: HKCR\text/html (deleted)
(7/7/05 6:51:27 p.m.) FilterKey: HKCR\CLSID\{98FB572A-D936-4FD8-AF60-C693779D20DC} (deleted)
(7/7/05 6:51:27 p.m.) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(7/7/05 6:51:27 p.m.) FilterKey: HKCR\text/plain (deleted)
(7/7/05 6:51:27 p.m.) FilterKey: HKCR\CLSID\{98FB572A-D936-4FD8-AF60-C693779D20DC} (error while deleting)
(7/7/05 6:51:27 p.m.) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(7/7/05 6:51:27 p.m.) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4A7AAC1-A2EB-49B7-8043-7421F4F25C8A} (deleted)
(7/7/05 6:51:27 p.m.) BHO-Key: HKCR\CLSID\{F4A7AAC1-A2EB-49B7-8043-7421F4F25C8A} (deleted)
(7/7/05 6:51:27 p.m.) UBF: 5 - UBB: 1 - UBR: 12
(7/7/05 6:51:27 p.m.) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\gaming\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\gaming\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(7/7/05 6:51:27 p.m.) Stealth-String not found
(7/7/05 6:51:27 p.m.) File added to delete: c:\windows\system32\imal.dll
(7/7/05 6:51:27 p.m.) Reboot
(7/7/05 6:52:34 p.m.) SPSeHjFix started v1.1.2
(7/7/05 6:52:34 p.m.) OS: WinXP (5.1.2600)
(7/7/05 6:52:34 p.m.) Language: english
(7/7/05 6:52:34 p.m.) Win-Path: C:\WINDOWS
(7/7/05 6:52:34 p.m.) System-Path: C:\WINDOWS\System32
(7/7/05 6:52:34 p.m.) Temp-Path: C:\DOCUME~1\gaming\LOCALS~1\Temp\
(7/7/05 6:53:07 p.m.) Disinfection started
(7/7/05 6:53:07 p.m.) Bad-Dll(IEP): c:\docume~1\gaming\locals~1\temp\se.dll
(7/7/05 6:53:07 p.m.) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\imal.dll
(7/7/05 6:53:07 p.m.) Searchassistant Uninstaller - Keys Deleted
(7/7/05 6:53:07 p.m.) UBF: 7 - UBB: 2 - UBR: 12
(7/7/05 6:53:07 p.m.) FilterKey: HKCR\text/html (deleted)
(7/7/05 6:53:07 p.m.) FilterKey: HKCR\CLSID\{432562C1-C30C-4799-9297-6FCA3508FF97} (deleted)
(7/7/05 6:53:07 p.m.) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(7/7/05 6:53:07 p.m.) FilterKey: HKCR\text/plain (deleted)
(7/7/05 6:53:07 p.m.) FilterKey: HKCR\CLSID\{432562C1-C30C-4799-9297-6FCA3508FF97} (error while deleting)
(7/7/05 6:53:07 p.m.) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(7/7/05 6:53:07 p.m.) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C24C8F3B-C1FF-476C-BE76-36D19CD4C489} (deleted)
(7/7/05 6:53:07 p.m.) BHO-Key: HKCR\CLSID\{C24C8F3B-C1FF-476C-BE76-36D19CD4C489} (deleted)
(7/7/05 6:53:07 p.m.) UBF: 5 - UBB: 1 - UBR: 12
(7/7/05 6:53:07 p.m.) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\gaming\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\gaming\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(7/7/05 6:53:07 p.m.) Stealth-String not found
(7/7/05 6:53:07 p.m.) File added to delete: c:\windows\system32\imal.dll
(7/7/05 6:53:07 p.m.) Reboot
(7/7/05 6:54:09 p.m.) SPSeHjFix started v1.1.2
(7/7/05 6:54:09 p.m.) OS: WinXP (5.1.2600)
(7/7/05 6:54:09 p.m.) Language: english
(7/7/05 6:54:09 p.m.) Win-Path: C:\WINDOWS
(7/7/05 6:54:09 p.m.) System-Path: C:\WINDOWS\System32
(7/7/05 6:54:09 p.m.) Temp-Path: C:\DOCUME~1\gaming\LOCALS~1\Temp\

Whew! Everything seems to be working ok, but I'm a little concerned with the panda active scan results, looks like there might still be something there?

Thanks for the help
#5 (permalink)
TSF Enthusiast

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/
Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

===================================================
HijackThis entries here if needed. Delete any other malware files not associated to the smitfraud variants and SpySheriff.
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

Open Ad-aware and do a full scan. Remove all it finds.

Now open Ewido Security Suite
Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked! Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply. Let us know if any problems persist.
__________________
I am here in order to help you.
#6 (permalink)
Registered User
Join Date: Oct 2004
Posts: 5
OS: WinXP

Sorry it took me so long to get back to you guys. Everything is working fine. My internet connection died (due to my not paying for it rather than anything else). So I haven't been online for a while.

Anyways, thanks heaps, all ok now.