HijackThis Log Analysis.


#1 xNo1 (Member, 23 posts)

Posted 23 March 2006 - 05:51 AM

Hi everybody! :)

It's been a while since rridgely helped me solve many problems involving malware on my computer.
I haven't really experienced many - or any - major problems. So I feel kind of bad for wasting your time :(

I only want someone to take a quick peek at my log and give me their opinions and solutions to any problems that may appear on my log.

Logfile of HijackThis v1.99.1
Scan saved at 12:16:20 AM, on 3/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\susan\Desktop\Cleaners\HijackThis.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124165042411
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{053286AE-549B-45A1-848E-877A4AF8CBB9}: Domain = sympatico.ca
O17 - HKLM\System\CS1\Services\Tcpip\..\{053286AE-549B-45A1-848E-877A4AF8CBB9}: Domain = sympatico.ca
O17 - HKLM\System\CS2\Services\Tcpip\..\{053286AE-549B-45A1-848E-877A4AF8CBB9}: Domain = sympatico.ca
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

#2 AndyManchesta (Power Member, Spyware Moderators, 1,821 posts, Manchester, UK)

Posted 23 March 2006 - 08:16 PM

Hi xNo1 :)

There's no reason to feel bad. This area is for posting logs, so we would like to see them and help if there are any potential issues rather than ignore the problems.

Your log looks fine, but if you have the time can you run these two scanners. Ewido shows it's a 14-day trial, but it performs fine after that expires as an on-demand scanner and remover, so it's worth keeping on the PC. Panda has a great detection rate, so it may show if there are any leftover malware files from when you had problems that need removing.
  • Please download, install, and update Ewido Anti-Malware. When installing, under Additional Options uncheck Install background guard and Install scan via context menu. Run Ewido and click on Update in the left menu, then click the Start update button.
    After the update finishes (the status bar at the bottom will display Update successful),
    click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run. When Ewido finds something, it will pop up a notification. Select Remove and check the boxes Perform action with all infections and Create encrypted backup, then click on OK. When the scan finishes, click on Save Report and save it to your desktop or C: drive and post it back in your next reply.


  • Finally, run Panda ActiveScan from here.

    Once you are on the Panda site click the Scan your PC button
    - A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send
    - Select either Home User or Company
    - Click the big Scan Now button
    - If it wants to install an ActiveX component allow it
    - It will start downloading the files it requires for the scan
    (Note: It may take a couple of minutes)
    - When the download is complete, click on Local Disks to start the scan
    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.
Please post the Ewido scan log and the Panda log, but if they show clear it's looking good :)

Regards

Andy

#3 xNo1 (Member, 23 posts)

Posted 27 March 2006 - 06:19 PM

Sorry Andy for the really late reply; work and school are cranking up the pressure on my schedule.

I decided to scan last night and left my computer on. I didn't do this in safe mode or anything, I just scanned my computer.

Ewido Anti-Malware Scan::

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:53:17 AM, 3/26/2006
+ Report-Checksum: EE2F0F04

+ Scan result:

C:\Documents and Settings\Admin\Desktop\Cleaners\backups\backup-20050726-002010-487.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
:mozilla.6:C:\Documents and Settings\susan\Application Data\Mozilla\Firefox\Profiles\efkuxrba.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\susan\Cookies\susan@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\susan\Desktop\Cleaners\backups\backup-20050726-002010-487.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
C:\Documents and Settings\susan\Desktop\Junk Folder\MsgPlus-254.exe/sponsor.exe -> Downloader.Swizzor.ag : Cleaned with backup
C:\Documents and Settings\susan\Desktop\Junk Folder\sc\Polie13.zip/Polie13.dll -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\Documents and Settings\susan\Desktop\plugin\blah\Zero.dll -> Trojan.Small : Cleaned with backup
C:\Program Files\Messenger Plus! 3(2)\Setup.dat/sponsor.exe -> Downloader.Swizzor.ag : Cleaned with backup
C:\RECYCLER\S-1-5-21-220523388-507921405-1957994488-1003\Dc115.zip/Zero.exe -> Trojan.Small : Cleaned with backup
C:\RECYCLER\S-1-5-21-220523388-507921405-1957994488-1003\Dc115.zip/Zero.dll -> Trojan.Small : Cleaned with backup
C:\WINDOWS\taskman.exe -> Trojan.Susear.a : Cleaned with backup


::Report End

Panda Software Antivirus ActiveScan::

Incident                Status            Location
Adware:adware/fastlook  Not disinfected   Windows Registry


I see problems, but I'm not going to be too hasty and randomly delete what I think is bad.

#4 Tarun (Lunarian, Banned, 3,071 posts)

Posted 27 March 2006 - 07:34 PM

You may wish to change to Avast for your antivirus.

#5 Ultimate Predator (Power Member, 550 posts, England)

Posted 27 March 2006 - 07:42 PM

Not eTrust?

#6 AndyManchesta (Power Member, Spyware Moderators, 1,821 posts, Manchester, UK)

Posted 27 March 2006 - 08:31 PM

Hi xNo1 :)

There's nothing showing in the logs that you need to delete. Ewido removed everything it found, and Panda found a trace of Adware Fastlook but doesn't give the location where it found the reg entry. It's probably a leftover reg entry and not a threat, but it's worth running Ad-Aware and Spybot S&D to make sure there are no other problems.

It's strange that the LOP infection (Swizzor) was found but doesn't seem to be active on your system. LOP comes with Messenger Plus if you accept the sponsor; you need to choose the I Refuse To Give My Support option or you get infected with LOP. But it creates random-named files and folders and can be seen in the log in the R1, O2 and O4 areas, so it doesn't look like it installed on your PC. If you do notice any pop-ups or the random-named entries in HijackThis anytime, uninstall Messenger Plus and include the Sponsor when uninstalling. You can re-install it again, but use the refuse option.

Here are some free programs that are worth installing if you don't already have them, to remove any remaining files and help protect the PC. Install all 3 and update them. Run Spybot and Ad-Aware on full scans and remove anything found, then enable the Immunize feature in Spybot. Run SpywareBlaster and update it, then enable the protection in all areas.

If you think there are still malware problems after running Ad-Aware and Spybot, run a different online scanner and post a new HijackThis log.

Here are some more online scans if you need them anytime:

Regarding the AV choice, I really like CA's EZ Antivirus, mainly because it's a 1-year free trial, but I also think it provides excellent protection and is very user friendly. I've never tried the main free ones (AVG, Avast or AntiVir) so cannot compare them, but I'm sure other members like Tarun will give you more info if you wanted to change anytime. :)

Andy
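As an added example (not code from the thread or from HijackThis itself), a small Python triage script for the log layout shown in the first post: it parses the Running processes list and the O-numbered entries, then lists O4 autostart targets that are absent from the process list and any O20 AppInit_DLLs entry, the same kind of cross-check Andy describes when he notes that an active LOP install would show up in the R1, O2 and O4 areas. The sample log is a constructed, shortened copy of the one above with msmsgs.exe deliberately dropped from the process list so the check has something to report.

```python
import re
# Constructed sample in the HijackThis v1.99.1 layout (shortened from the log in the
# first post); msmsgs.exe is left out of the process list on purpose for the O4 check.
SAMPLE_LOG = r'''
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
'''
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")  # "O4 - ..." style lines
# Autostart target after the [name] tag: quoted "C:\...exe" or bare up to the first space.
O4_PATH_RE = re.compile(r'\[[^\]]*\]\s+(?:"([^"]+)"|(\S+))')


def parse_log(text):
    """Split a HijackThis log into (running processes, [(section, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False  # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(processes, entries):
    """Group entries worth a second look; O4 targets are matched to the process list by basename."""
    running = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    findings = {"O4_not_running": [], "O20": []}
    for section, body in entries:
        if section == "O4":
            m = O4_PATH_RE.search(body)
            path = (m.group(1) or m.group(2)) if m else body
            if path.rsplit("\\", 1)[-1].lower() not in running:
                findings["O4_not_running"].append(path)
        elif section == "O20":  # AppInit_DLLs load into every process that maps user32.dll
            findings["O20"].append(body.split(":", 1)[1].strip())
    return findings
```

An O4 target that is not running is not by itself suspicious (msmsgs.exe simply may not have started yet), but the list is a quick way to see which autostarts deserve a closer look against the process list.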

#7 Andavari (Captain Spectacular, Moderators, 13,328 posts)

Posted 27 March 2006 - 09:14 PM

Tarun, on Mar 27 2006, 01:34 PM, said:

    You may wish to change to Avast for your antivirus.

Will you please start a new thread with the reason for this?
I'd like to know because in about one month I'll be switching to one of the freeware av's when my eTrust EZAV license expires.

Edit:
Sorry for your thread being hijacked xNo1.
Complexity of incoherent design.