PDA

View Full Version : Win32.Agent.lta



Hugh_Jazz
2009-04-09, 08:27
I've been having some system instability, so I ran a check with Spybot and and it found Win32.Agent.lta. After I fix the problem in Spybot, I do another check immediatly after, and Spybot finds the same problem again. I guess my only option now is a manual removal. Thanks in advance.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:03 AM, on 4/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Ahead\InCD\InCD.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Saitek\Software\Profiler.exe
E:\Program Files\Saitek\Software\SaiSmart.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
E:\WINDOWS\system32\ctfmon.exe
E:\program files\valve\steam\steam.exe
E:\Program Files\Windows Media Player\WMPNSCFG.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Ahead\InCD\InCDsrv.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - E:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - E:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - E:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB001" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Profiler] E:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] E:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [Microsoft Default Manager] "E:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "e:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [updateMgr] "E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] E:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: ERUNT AutoBackup.lnk = E:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151189921984
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - E:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - E:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7243 bytes

Shaba
2009-04-10, 11:34
Hi Hugh_Jazz

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.

You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

After that, please post back a fresh hijackthis log and spybot report :)

Hugh_Jazz
2009-04-10, 22:19
Hi Shaba. I thought that the instructions for posting here told me to disable TeaTimer before I ran the HijackThis system scan, so that is why it didn't appear in my previous HJT log. Or, doesn't Spybot S&D count as antivirus software? Windows Security Center didn't detect SB S&D as virus software that it could monitor and the Virus Protection tab was colored yellow and labled "not monitored." I installed Antivir and now the Security Center, Virus Protection tab says "on" and indicates that I have virus software that windows can monitor. Is SB S&D not enough virus protection by itself?

Antivir was running during the HJT scan below. I left Teatimer disabled to avoid conflicts. Am I correct that TeaTimer should be disabled to avoid conflicts with Antivir when Antivir is "activated?" I know nothing of how these two programs will deal with eachother, so I could use some advice about that. I may or may not choose to keep them both installed depending on the amount of trouble it is to keep them from conflicting with each other.

I discovered since my first post here that SB S&D doesn't detect any problems if my Firefox browser is open during the scan. The included SB S&D report was done with the Firefox browser closed. It shows the detection and reports the problem fixed, but every time I've run a SB S&D scan since the problem was first detected (problem first detected on April 8), and Firefox closed, the problem reappears.

I've also included an Antivir scan log. It detected some problems which it fixed and, after a second scan, declares my sytem clean. Antivir did not seem to detect the problem that SB S&D did. SB S&D still behaves the same as descibed above and still detects the problem after the Antivir fixes. Is SB S&D giving a false positive detection? If so, should I instruct SB S&D to ignore that detection in future scans? Thanks again.

--------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:45 PM, on 4/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Ahead\InCD\InCD.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Saitek\Software\Profiler.exe
E:\Program Files\Saitek\Software\SaiSmart.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
E:\program files\valve\steam\steam.exe
E:\Program Files\Windows Media Player\WMPNSCFG.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Ahead\InCD\InCDsrv.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSI\i-Speeder\i-Speeder.exe
E:\Program Files\Avira\AntiVir Desktop\avguard.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - E:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - E:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - E:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB001" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Profiler] E:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] E:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [Microsoft Default Manager] "E:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "e:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [updateMgr] "E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] E:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: ERUNT AutoBackup.lnk = E:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151189921984
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - E:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - E:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7725 bytes

-------------------------------------------------------------------------


--- Report generated: 2009-04-10 12:23 ---

Win32.Agent.lta: Bookmark (Firefox: me (default)) (Bookmark, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2008-07-07 SDWinSec.exe (1.0.0.12)
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 SDShred.exe (1.0.2.5)
2009-02-12 unins000.exe (51.49.0.0)
2009-03-05 TeaTimer.exe (1.6.6.32)
2008-06-14 DelZip179.dll (1.79.11.1)
2007-04-02 aports.dll (2.1.0.0)
2008-06-19 sqlite3.dll
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-26 advcheck.dll (1.6.2.15)
2009-01-26 SDHelper.dll (1.6.2.14)
2009-01-26 Tools.dll (2.1.6.10)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-04-07 Includes\Tracks.uti
2009-04-07 Includes\TrojansC.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-03-31 Includes\PUPSC.sbi (*)
2009-03-23 Includes\SecurityC.sbi (*)
2009-04-07 Includes\MalwareC.sbi (*)
2009-03-17 Includes\KeyloggersC.sbi (*)
2009-03-03 Includes\HijackersC.sbi (*)
2009-03-25 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-03-25 Includes\AdwareC.sbi (*)
2009-04-07 Includes\SpywareC.sbi (*)
2009-03-31 Includes\Dialer.sbi (*)
2009-02-10 Includes\Hijackers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-04-08 Includes\Trojans.sbi (*)
2009-04-07 Includes\Malware.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-03-25 Includes\Adware.sbi (*)
2009-03-17 Includes\Keyloggers.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll


------------------------------------------------------------------------

Avira AntiVir Personal
Report file date: Friday, April 10, 2009 10:44

Scanning for 1346528 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : CRAIG

Version information:
BUILD.DAT : 9.0.0.387 17962 Bytes 3/24/2009 11:04:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 17:13:28
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:26
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:50
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:54
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:38
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 01:33:28
ANTIVIR2.VDF : 7.1.3.0 1330176 Bytes 4/1/2009 15:32:10
ANTIVIR3.VDF : 7.1.3.41 162304 Bytes 4/10/2009 15:32:12
Engineversion : 8.2.0.138
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 22:36:42
AESCRIPT.DLL : 8.1.1.73 373114 Bytes 4/10/2009 15:32:22
AESCN.DLL : 8.1.1.10 127348 Bytes 4/10/2009 15:32:22
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 23:24:42
AEPACK.DLL : 8.1.3.12 397687 Bytes 4/10/2009 15:32:20
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 01:01:58
AEHEUR.DLL : 8.1.0.114 1700214 Bytes 4/10/2009 15:32:18
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 01:01:58
AEGEN.DLL : 8.1.1.33 340340 Bytes 4/10/2009 15:32:14
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.7 176502 Bytes 4/10/2009 15:32:12
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:48:00
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:16
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:30
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:10
AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 12:52:26
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:10
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:50
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:34
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:12
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 16:45:46
RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 20:55:14

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: e:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, E:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Friday, April 10, 2009 10:44

Starting search for hidden objects.
'44753' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'i-Speeder.exe' - '1' Module(s) have been scanned
Scan process 'ALG.EXE' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'WMPNETWK.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SeaPort.exe' - '1' Module(s) have been scanned
Scan process 'JQS.EXE' - '1' Module(s) have been scanned
Scan process 'INCDSRV.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'CCC.EXE' - '1' Module(s) have been scanned
Scan process 'WMPNSCFG.EXE' - '1' Module(s) have been scanned
Scan process 'Steam.exe' - '1' Module(s) have been scanned
Scan process 'MOM.EXE' - '1' Module(s) have been scanned
Scan process 'CTFMON.EXE' - '1' Module(s) have been scanned
Scan process 'SaiSmart.exe' - '1' Module(s) have been scanned
Scan process 'Profiler.exe' - '1' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'InCD.exe' - '1' Module(s) have been scanned
Scan process 'JUSCHED.EXE' - '1' Module(s) have been scanned
Scan process 'POINT32.EXE' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'ATI2EVXX.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'ATI2EVXX.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
42 processes with 42 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '60' files ).


Starting the file scan:

Begin scan in 'C:\' <SYSTEM>
Begin scan in 'E:\' <GAMES>
E:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VarioRogueAntiSpy5.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinRenos.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervdt8.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervdt9.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervdt10.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
E:\Documents and Settings\me\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-58aafd76.zip
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.B exploit
E:\Documents and Settings\me\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-1a5c19f8.zip
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit

Beginning disinfection:
E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VarioRogueAntiSpy5.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4a517407.qua'!
E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinRenos.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4a4d740f.qua'!
E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervdt8.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4a4e7412.qua'!
E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervdt9.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4b38e2eb.qua'!
E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervdt10.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4a4e7413.qua'!
E:\Documents and Settings\me\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-58aafd76.zip
[NOTE] The file was moved to '4a4c741d.qua'!
E:\Documents and Settings\me\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-1a5c19f8.zip
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
[NOTE] The file was moved to '49547d2e.qua'!


End of the scan: Friday, April 10, 2009 11:28
Used time: 35:29 Minute(s)

Hugh_Jazz
2009-04-10, 23:37
I guess I might also give some background to my recent computer problems. The system instability that I metioned in my first post started after I installed some wrong video drivers that caused a few nasty crashes one of which, left recovered file fragments (chk files). I didn't know that I'd installed the wrong drivers at the time, so I did the SB S&D scan thinking that the crashes might be due to viruses. That's the first time Win32.Agent.lta was detected.

I've reinstalled the proper video drivers and the crashes and VPU recovers have ceased since then. I've never known what to do with the recovered file fragments. As a habbit, I just deleted them. After the crashes and recovered file fragments happened, I followed the instructions on these forums and tried to install HijackThis. It wouldn't install at first because of a missing dll file that I did a google search to find and manually replace. FWIW, I'm thinking that the missing dll file could have been one of those chk files that I deleted, and that there may be other destroyed files that need replacing.

The whole need to search for better video drivers began a few days ago when SB S&D detected and fixed a file that, after the fix, caused some problems with Catalyst Control Center displays and Flash player. Reinstalling CCC and Flash player didn't fix the problem with the CCC displays at that time, so I did a web search and found that others had had the same problem with SB S&D and CCC. They recommended uninstalling CCC and using a ATI Tray Tools instead. I accidentally installed the wrong display drivers that were packaged with ATI Tray Tools because I didn't read instructions carefully enough. That's my story and I'm stick'n to it. :)

ps. I'm pretty much back to where I started before this whole episode began. CCC and Flash have been reinstalled and are working properly. The only problem left that I am aware of is the Win32.Agent.lta detections of SB S&D.

Shaba
2009-04-11, 11:50
No Spybot is not any antivirus but antispyware.

Both AntiVir and TeaTimer can be running at the same time.

As that issue started after latest updates, it can be a false positive.

Are there any suspicious bookmarks in Firefox?

Hugh_Jazz
2009-04-11, 23:23
Thanks for the info. There are no Firefox bookmarks that I didn't make myself as far as I can tell. I don't know how to determine "suspiciousness" beyond that. I updated Antivir and did another scan today. Antivir still says I'm clean.

Shaba
2009-04-12, 10:32
Then I see two options.

You can either report it to false positives or to remove all bookmarks from firefox and add them back.

Hugh_Jazz
2009-04-16, 07:14
Hi, I updated SB S&D today and did another scan with Firefox browser closed. There were no problems detected. I guess it was a false positive originally. Short of a really bad virus infection, I don't know how I would have found out that I didn't have proper virus protection if it wasn't for this false dectection and coming here for help. So, things seemed to have worked out for the best. Thanks again, Shaba.

Shaba
2009-04-16, 07:18
Good :)

Let's run one scan before final instructions:

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select ''Run as administrator'' to perform this scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

Shaba
2009-04-20, 07:12
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.