infected?



koelle
2008-05-31, 10:24
Hi all,
a-squared free found something the other day (can't recover what it was since it was accidentally deleted).

So, I wonder whether I am infected and what I should do next?
Also, how do I check my external HD without potentially recreating the problems on the PC?

Cheers!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:54 AM, on 5/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a2\a2service.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll (disabled by BHODemon)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [epm-dm] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190227994484
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371420.cab
O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} (IPSUploader4 Control) - http://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4E18C09-D5DC-4298-A1AA-E0C3D9E31630}: NameServer = 213.191.74.11 213.191.92.82
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mpifg.de,mpifg.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mpifg.de,mpifg.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = mpifg.de,mpifg.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mpifg.de,mpifg.local
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a2\a2service.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 8530 bytes

pskelley
2008-05-31, 15:22
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Let me give you some information.

1) HijackThis can not see everything and hackers more and more are learning to hide their junk from HJT. This is why we start with a log and the results of the KOS...see the directions. I can say I see no evidence of malware in the HJT log.

2) C:\Program Files\Java\jre1.6.0_05\ <<< I do see a slightly out of date Java program, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

3) http://www.emsisoft.com/en/software/free/ <<< this is a good free program.

4) Knowing nothing beyond the fact you were "infected?" and nothing about what was found or what was done with it, I can tell you little else. If you wish to try another good malware scan for a double check, try this one:
Download Malwarebytes' Anti-Malware to your desktop.
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

If it's clean and you have no questions, no need to post it, just let me know so I can close your topic and provide information to help you stay clean.

Cheers...Phil

koelle
2008-06-03, 22:42
Hi Phil.
Malwarebytes' Anti-Malware didn't find anything.
Kaspersky is too slow over the internet with 500,000+ files
... but I checked my McAfee logs and found a few problems in the past, see snippet below.

9/9/2007 11:44:43 AM Deleted (Clean failed) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe F:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP128\A0038208.exe Tool-TPatch (Potentially Unwanted Program)
12/20/2007 4:58:16 PM Not scanned (The file is encrypted) C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Documents and Settings\ \Local Settings\Temp\fbof2eit.exe\000f2904.EXE
3/7/2008 8:10:30 AM Not scanned (scan timed out) \??\C:\WINDOWS\system32\winlogon.exe ...\untitled3.bmp
4/15/2008 3:40:15 PM Not scanned (scan timed out) C:\Program Files\Adobe\Acrobat 8.0\Designer 8.0\FormDesigner.exe C:\Program Files\Adobe\Acrobat 8.0\Designer 8.0\Documentation\EN\Designer.chm

4/19/2008 6:07:16 PM Deleted C:\WINDOWS\system32\cleanmgr.exe .... Spy-Agent.cj.gen.h (Trojan)
4/19/2008 6:07:16 PM Deleted C:\WINDOWS\system32\cleanmgr.exe .... Spy-Agent.cj.gen.h (Trojan)
4/30/2008 9:39:08 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE F:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\ZC561402.CAB
5/4/2008 6:16:50 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE F:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\ZC561402.CAB
5/4/2008 8:53:15 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE F:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\ZC561402.CAB
5/14/2008 2:45:40 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe N:\SYSTEM VOLUME INFORMATION\_RESTORE{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP265\A0120813.EXE Spy-Agent.cj.gen.h (Trojan)
5/14/2008 3:13:39 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe N:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP265\A0120813.exe Spy-Agent.cj.gen.h (Trojan)


I scanned all drives yesterday and didn't find anything. However, several files were not scanned because they are encrypted.


thanks for any further help.


ps. and what should I do about my external HD that's used for backup?
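Editor's note: the McAfee snippet above is worth reading field by field before acting on it. In the complete lines the layout is date, time, action, the account, the process that touched the file, the file itself, and finally the detection name and type; the restore-point entries on F: and N: are System Restore snapshot copies rather than live files; and the two cleanmgr.exe lines were posted with the next field replaced by "....", so the log as posted does not say whether cleanmgr.exe was the file removed or the process that touched the removed file. The parser below is an added example (editor's code, not from the thread or from McAfee) that pulls those fields out of the posted lines and attaches exactly those caveats to each event. Its field layout and regular expressions are inferred from the five posted lines and are an assumption, not McAfee's documented log format.

```python
"""Triage of the McAfee VirusScan log lines posted above.

Added editorial example; not code from the thread or from McAfee. The field
order (date, time, action, optional account, process, target file, detection
name and type) is inferred from the posted lines, so the regular expressions
are an assumption and will not cover every line the real product can write.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: five lines from the post above, verbatim. Two had part of
# their path replaced with "..." / "...." by the poster.
SAMPLE_LOG = r"""
9/9/2007 11:44:43 AM Deleted (Clean failed) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe F:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP128\A0038208.exe Tool-TPatch (Potentially Unwanted Program)
12/20/2007 4:58:16 PM Not scanned (The file is encrypted) C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Documents and Settings\ \Local Settings\Temp\fbof2eit.exe\000f2904.EXE
3/7/2008 8:10:30 AM Not scanned (scan timed out) \??\C:\WINDOWS\system32\winlogon.exe ...\untitled3.bmp
4/19/2008 6:07:16 PM Deleted C:\WINDOWS\system32\cleanmgr.exe .... Spy-Agent.cj.gen.h (Trojan)
5/14/2008 2:45:40 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe N:\SYSTEM VOLUME INFORMATION\_RESTORE{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP265\A0120813.EXE Spy-Agent.cj.gen.h (Trojan)
"""

HEAD_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Deleted \(Clean failed\)|Deleted|Not scanned \((?P<reason>[^)]*)\)) "
    r"(?:(?P<user>NT AUTHORITY\\SYSTEM) )?(?P<rest>.*)$"
)
# "<paths> <detection name> (<detection type>)" at the end of a detection line.
DETECTION_RE = re.compile(r"^(?P<paths>.*) (?P<name>\S+) \((?P<kind>[^)]+)\)$")
# Split two adjacent paths at the whitespace before a drive letter (or a \??\
# prefix); spaces inside a path ("System Volume Information") are left alone.
PATH_SPLIT_RE = re.compile(r"\s+(?=(?:\\\?\?\\)?[A-Za-z]:\\)")


@dataclass
class Event:
    date: str
    time: str
    action: str
    reason: Optional[str]      # why the file was not scanned, if it was not
    user: Optional[str]
    process: Optional[str]     # process that touched the file
    target: str                # file the event is about
    detection: Optional[str]
    kind: Optional[str]
    elided: bool               # poster cut the line with "..."
    flags: List[str] = field(default_factory=list)


def split_paths(paths: str) -> Tuple[Optional[str], str, bool]:
    """Return (process, target, elided) from the path portion of a line."""
    segs = PATH_SPLIT_RE.split(paths.strip())
    if len(segs) == 1 and "..." in segs[0]:
        # Only one path survived the poster's edit: treat what precedes the
        # first "..." as the process slot and keep the rest as an elided target.
        head, _, tail = segs[0].partition("...")
        return head.strip(), "..." + tail, True
    if len(segs) == 1:
        return None, segs[0], False
    return segs[0], segs[-1], False


def flag(ev: Event) -> List[str]:
    """Caveats a reviewer should attach before trusting the entry."""
    t, out = ev.target.lower(), []
    if "system volume information" in t:
        out.append("restore-point copy, not a live file")
    drive = re.match(r"(?:\\\?\?\\)?([a-z]):\\", t)
    if drive and drive.group(1) != "c":
        out.append(f"on drive {drive.group(1).upper()}:")
    if ev.action.startswith("Deleted") and ev.elided:
        out.append("target elided in post: visible path may be the process, not the deleted file")
    elif ev.action.startswith("Deleted") and "\\windows\\" in t:
        out.append("deleted under %SystemRoot%; verify the file independently")
    if ev.reason:
        out.append("not scanned: " + ev.reason)
    return out


def parse_line(line: str) -> Optional[Event]:
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rest, detection, kind = m.group("rest"), None, None
    if m.group("action").startswith("Deleted"):
        d = DETECTION_RE.match(rest)
        if d:
            rest, detection, kind = d.group("paths"), d.group("name"), d.group("kind")
    process, target, elided = split_paths(rest)
    ev = Event(m.group("date"), m.group("time"), m.group("action"), m.group("reason"),
               m.group("user"), process, target, detection, kind, elided)
    ev.flags = flag(ev)
    return ev


def triage(log_text: str) -> List[Event]:
    return [ev for ev in (parse_line(l) for l in log_text.strip().splitlines()) if ev]


def detections_by_name(events: List[Event]) -> dict:
    counts: dict = {}
    for ev in events:
        if ev.detection:
            counts[ev.detection] = counts.get(ev.detection, 0) + 1
    return counts


if __name__ == "__main__":
    events = triage(SAMPLE_LOG)
    for ev in events:
        print(f"{ev.date} {ev.time} {ev.action:<24} {ev.detection or '-':<20} {ev.target}")
        for f in ev.flags:
            print("    ->", f)
    print(detections_by_name(events))
```

Run as-is it prints one line per event with its caveats; to use it on a real on-access log, replace SAMPLE_LOG with the file contents and expect some lines to fall through parse_line as None, since only the posted layouts are handled.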

pskelley
2008-06-03, 22:58
Having personally dumped McAfee a while back, I don't remember enough about the scan results to advise you much.
If you want to be sure about something McAfee finds, use these free scans to find out.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Some of what I see:
F:\System Volume Information\_restore <<< system restore and they are protected files, see this:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

4/19/2008 6:07:16 PM Deleted C:\WINDOWS\system32\cleanmgr.exe .... Spy-Agent.cj.gen.h (Trojan)
4/19/2008 6:07:16 PM Deleted C:\WINDOWS\system32\cleanmgr.exe .... Spy-Agent.cj.gen.h (Trojan)
cleanmgr.exe looks valid to me:
http://www.google.com/search?hl=en&q=cleanmgr.exe+&btnG=Google+Search
I suppose it could get infected, but I would sure have scanned the file before allowing McAfee to delete it.

pups: (Potentially Unwanted Program)
http://www.google.com/search?hl=en&q=Potentially+Unwanted+Program&btnG=Search
I always deal with these on a case by case basis on my personal computers.

ps. and what should I do about my external HD that's used for backup?
http://www.google.com/search?hl=en&q=how+to+scan+an+external+hard+drive&btnG=Search
You should be able to direct McAfee to that individual drive and have it scan only it or that drive with the rest if it is plugged in when you run a system scan.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
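Editor's note on the external backup drive question: besides pointing the resident scanner at the drive as pskelley suggests, a practitioner usually wants a read-only inventory first, so the files that could re-infect the PC are known and can be checked by hash against the multi-engine scanners linked above (Jotti, VirusTotal) without running anything from the disk. The script below is an added example (editor's code, not from the thread, from McAfee or from any scanner). It walks a mounted volume, hashes every file that can execute or be auto-launched, and parses autorun.inf to call out the file Windows XP would start on insertion; autorun is not discussed in the thread and is included here as the usual way an external disk re-infects an XP machine. The sample drive it builds is constructed in a temporary directory with placeholder bytes so the example runs offline; nothing is executed, modified or deleted.

```python
"""Read-only inventory of a drive before trusting it (for example the
external backup disk asked about above).

Added editorial example; not code from the thread, from McAfee or from any
scanner. Walks a mounted volume, hashes autorun.inf and executable files, and
reports which file autorun.inf would launch. Nothing on the drive is run,
modified or deleted.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

# Extensions Windows will execute directly; extend to taste.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256; the file is opened read-only."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_autorun(path: str) -> Dict[str, str]:
    """Return key=value pairs from the [autorun] section of an autorun.inf."""
    keys: Dict[str, str] = {}
    in_section = False
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(";"):
                continue
            if line.startswith("["):
                in_section = line.lower() == "[autorun]"
                continue
            if in_section and "=" in line:
                k, v = line.split("=", 1)
                keys[k.strip().lower()] = v.strip()
    return keys


def inventory(root: str) -> List[Dict[str, object]]:
    """One record per autorun.inf or executable under root, sorted by path."""
    launched: Optional[str] = None
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        keys = parse_autorun(autorun)
        # "open" and "shellexecute" both name a file run on insertion.
        words = (keys.get("open") or keys.get("shellexecute") or "").split()
        launched = words[0].lower().replace("\\", "/") if words else None
    records: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name.lower())[1]
            is_autorun = name.lower() == "autorun.inf" and dirpath == root
            if not (is_autorun or ext in EXECUTABLE_EXT):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records.append({
                "path": rel,
                "kind": "autorun.inf" if is_autorun else "executable",
                "size": os.path.getsize(full),
                "sha256": sha256_file(full),
                "auto_launched": launched is not None and rel.lower() == launched,
            })
    return sorted(records, key=lambda r: str(r["path"]))


def make_sample_drive() -> str:
    """Constructed stand-in for the external disk so the example runs offline.
    Contents are placeholder bytes, not real programs or malware."""
    root = tempfile.mkdtemp(prefix="extdrive_")
    files = {
        "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n",
        "setup.exe": b"MZ" + b"\x00" * 62,
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0 placeholder, not a real jpeg",
        "backup/report.doc": b"\xd0\xcf\x11\xe0 placeholder document",
        "backup/tools/driver.dll": b"MZ" + b"\x00" * 14,
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    drive = make_sample_drive()
    for rec in inventory(drive):
        mark = "  <-- launched by autorun.inf" if rec["auto_launched"] else ""
        print(f"{rec['sha256']}  {rec['size']:>8}  {rec['kind']:<11} {rec['path']}{mark}")
```

To use it on the real disk, call inventory() with the drive root (for example "F:\\") instead of the sample directory, and look the printed hashes up on the scanner sites linked above before deciding what, if anything, to delete; the photo and document files are skipped here only because they cannot run on their own, not because they are known to be clean.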