HJT and Kaspersky Log.. Help [Archive] - Safer-Networking Forums

View Full Version : HJT and Kaspersky Log.. Help

lankeyk1

2008-02-01, 07:37

Kaspersky found some infections and viruses... here are the appropriate logs

KASPERSKY ONLINE SCANNER REPORT
Friday, February 01, 2008 1:35:15 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/02/2008
Kaspersky Anti-Virus database records: 543474

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
Z:\

Scan Statistics
Total number of scanned objects 84387
Number of viruses found 5
Number of infected objects 34
Number of suspicious objects 0
Duration of the scan process 01:08:44

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080124_Time-010448390_EnterceptExceptions.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080124_Time-010448390_EnterceptRules.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_LANKEYK1.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_LANKEYK1.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped

C:\Documents and Settings\Kevin\Application Data\acccore\nss\cert8.db Object is locked skipped

C:\Documents and Settings\Kevin\Application Data\acccore\nss\key3.db Object is locked skipped

C:\Documents and Settings\Kevin\Application Data\BitTorrent\bittorrent.log Object is locked skipped

C:\Documents and Settings\Kevin\Application Data\CiscoCAA\event.log Object is locked skipped

C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\h2yzytjk.default\cert8.db Object is locked skipped

C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\h2yzytjk.default\history.dat Object is locked skipped

C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\h2yzytjk.default\key3.db Object is locked skipped

C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\h2yzytjk.default\parent.lock Object is locked skipped

C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\h2yzytjk.default\search.sqlite Object is locked skipped

C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\h2yzytjk.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\Kevin\Application Data\Protector Suite\My Safe.fdp Object is locked skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\23\6622be57-381ae7d0/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\23\6622be57-381ae7d0/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\23\6622be57-381ae7d0/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\23\6622be57-381ae7d0 ZIP: infected - 3 skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\30\518dc01e-79398bfa/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\30\518dc01e-79398bfa/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\30\518dc01e-79398bfa/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\30\518dc01e-79398bfa ZIP: infected - 3 skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-3139544e/vmain.class Infected: Exploit.Java.Gimsh.b skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-3139544e ZIP: infected - 1 skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\52\6b28d634-23af34b5/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\52\6b28d634-23af34b5/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\52\6b28d634-23af34b5/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\52\6b28d634-23af34b5 ZIP: infected - 3 skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-207f7f25-7f0e98cb.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-207f7f25-7f0e98cb.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-207f7f25-7f0e98cb.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-207f7f25-7f0e98cb.zip ZIP: infected - 3 skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3ffb5a0-3228b0fb.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3ffb5a0-3228b0fb.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3ffb5a0-3228b0fb.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3ffb5a0-3228b0fb.zip ZIP: infected - 3 skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5bdc6cc1-7523e36b.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5bdc6cc1-7523e36b.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5bdc6cc1-7523e36b.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5bdc6cc1-7523e36b.zip ZIP: infected - 3 skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-4130b72f.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped

C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-4130b72f.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Kevin\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\Application Data\AOL OCP\AIM\Storage\data\lightguy531\localStorage\common.cls Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\Application Data\Mozilla\Firefox\Profiles\h2yzytjk.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\Application Data\Mozilla\Firefox\Profiles\h2yzytjk.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\Application Data\Mozilla\Firefox\Profiles\h2yzytjk.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\Application Data\Mozilla\Firefox\Profiles\h2yzytjk.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\History\History.IE5\MSHist012008012420080125\index.dat Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\History\History.IE5\MSHist012008020120080202\index.dat Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\Temp\hpodvd09.log Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\Temp\Perflib_Perfdata_234.dat Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\Temp\~DF8F3D.tmp Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Kevin\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Kevin\NTUSER.DAT.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped

C:\Program Files\AIMTunes\music Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{41355720-BA26-4221-9CCD-539DCD9A998A}\RP518\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{F7938279-DE9B-4CC1-B9E4-2B830F85DB3B}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\1163905728.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BHO.ba skipped

C:\WINDOWS\system32\1163905728.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.VB.y skipped

C:\WINDOWS\system32\1163905728.exe/stream Infected: not-a-virus:AdWare.Win32.VB.y skipped

C:\WINDOWS\system32\1163905728.exe NSIS: infected - 3 skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\Software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\System.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\drivers\sptd1757.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\rjavadsa.nls Infected: not-a-virus:AdWare.Win32.VB.y skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\~fdgrr.tmp Infected: not-a-virus:AdWare.Win32.VB.y skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

G:\System Volume Information\_restore{41355720-BA26-4221-9CCD-539DCD9A998A}\RP518\change.log Object is locked skipped

Scan process completed.

lankeyk1

2008-02-01, 07:39

Logfile of HijackThis v1.99.1
Scan saved at 1:38:27 AM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare Test\BearShare.exe" /pause
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
O4 - HKCU\..\RunOnce: [ypagerps1] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps1.DLL"
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Ctrax Player\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {276595D9-1388-512A-F24E-B6B3DE32B732} - http://media.cdigix.com/Performer/downloads/PerformerSetup.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://notes-srv1.lasalle.edu/iNotes6W.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://sln.lasalle.edu/dwa7W.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

pskelley

2008-02-02, 15:03

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I see you started another post for a different computer. I suggest you complete one repair before starting others, it can get confusing and it only takes one mistake.

Thanks for returning the correct information, you would be surprised at how rare that is. Since you told me about no malware symptoms or error messages I will assume you are posted because you ran the Kaspersky and I see some cleaning that needs to be done also in the HJT log. Let's proceed like this:

1) C:\Program Files\Viewpoint\Common\ViewpointService.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

2) HJT is outdated and not safe as you have positioned it: D:\HijackThis.exe <<< delete that file and follow these directions:
Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
(do not create that log until all instructions have been followed)

3) Your Java cache is infected, follow the instructions to clean it:
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\ <<< clean that cache
http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleanjavacache.shtml

4) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

5) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(you may leave the first three if you set it like that on purpose)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
optional see this >>
http://www.castlecops.com/startuplist-5306.html
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
optional see this >>
http://www.castlecops.com/startuplist-388.html
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare Test\BearShare.exe" /pause
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\1163905728.exe
C:\WINDOWS\system32\rjavadsa.nls
C:\WINDOWS\system32\~fdgrr.tmp

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and run a new Kaspersky, no need to post it if it is clean. Let me know how the computer is running.

Thanks

lankeyk1

2008-02-02, 21:36

thanks for you help so far.. I appreciate it..

Here's the infected files Kaspersky found on the second scan..

C:\System Volume Information\_restore{41355720-BA26-4221-9CCD-539DCD9A998A}\RP520\A0196140.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BHO.ba skipped

C:\System Volume Information\_restore{41355720-BA26-4221-9CCD-539DCD9A998A}\RP520\A0196140.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.VB.y skipped

C:\System Volume Information\_restore{41355720-BA26-4221-9CCD-539DCD9A998A}\RP520\A0196140.exe/stream Infected: not-a-virus:AdWare.Win32.VB.y skipped

C:\System Volume Information\_restore{41355720-BA26-4221-9CCD-539DCD9A998A}\RP520\A0196140.exe NSIS: infected - 3 skipped

If you could seriously help me with my other thread after this one I would greatly appreciate it, as would my friend.

pskelley

2008-02-02, 21:44

Those are infected System Restore files, follow these directions:
MANUAL INSTRUCTIONS FOR SYSTEM RESTORE
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

I am sure one of the volunteer helpers will be with your friend as soon as possible. Keep an eye on this topic in case: The Waiting Room
http://forums.spybot.info/forumdisplay.php?f=37

lankeyk1

2008-02-03, 02:04

no errors found... thank you.

tashi

2008-02-05, 07:12

Two other topics:
http://forums.spybot.info/showthread.php?t=23584
http://forums.spybot.info/showthread.php?t=23806

lankeyk1

2008-02-05, 08:48

Two other topics:
http://forums.spybot.info/showthread.php?t=23584
http://forums.spybot.info/showthread.php?t=23806

yeah i have those.. because it had been 4 days so i moved that one to the waiting room... still waiting for someone to help me with it cause my friend is driving me insane saying how i promised to help her but havent done anything yet.