
Virus found, please help: hijack log and Kaspersky scan

Discussion in 'Malware and Virus Removal Archive' started by shammie, 2006/06/17.

  1. 2006/06/17 shammie (Well-Known Member, Thread Starter)

    Kaspersky scan found the following viruses. Please help me remove them. Hijack log included. Thank you.


    KASPERSKY ON-LINE SCANNER REPORT
    Saturday, June 17, 2006 12:09:12 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.78.0
    Kaspersky Anti-Virus database last update: 17/06/2006
    Kaspersky Anti-Virus database records: 201100
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 71773
    Number of viruses found: 5
    Number of infected objects: 13
    Number of suspicious objects: 0
    Duration of the scan process: 02:22:39

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Owner\My Documents\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
    C:\Documents and Settings\Owner\My Documents\mirc616.exe mIRC: infected - 1 skipped
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\44801BF6.htm Infected: Trojan-Downloader.HTML.Agent.aq skipped
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP134\A0006042.exe/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP134\A0006042.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP134\A0006042.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP134\A0006076.exe/stream/data0009 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP134\A0006076.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP134\A0006076.exe NSIS: infected - 2 skipped
    C:\WINDOWS\SYSTEM32\lwr_bbi6008.exe/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
    C:\WINDOWS\SYSTEM32\lwr_bbi6008.exe/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
    C:\WINDOWS\SYSTEM32\lwr_bbi6008.exe NSIS: infected - 2 skipped

    Scan process completed.


    Hijack log

    Logfile of HijackThis v1.99.1
    Scan saved at 12:13:26 PM, on 6/17/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\SYSTEM32\bgsvcgen.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://secure.overture.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{28BFAFD1-2819-4B4E-AC77-051779D71AF7}: NameServer = 192.168.254.254
    O17 - HKLM\System\CS1\Services\Tcpip\..\{28BFAFD1-2819-4B4E-AC77-051779D71AF7}: NameServer = 192.168.254.254
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\SYSTEM32\bgsvcgen.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
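The following script is an added example; it is not part of the thread and is not Kaspersky's own tooling. It parses the "Infected Object Name / Virus Name / Last Action" rows of the scan report posted above and groups each detection by where the object lives (Norton quarantine, a System Restore point, a member inside an installer or archive, or a live file), so that the scanner's "5 viruses / 13 objects" figures can be reproduced and the rows that still need attention separated from copies that are already isolated. The two row shapes it recognises are assumed from this report only; the `not-a-virus:` prefix is Kaspersky's own marker for adware and riskware as opposed to malware.

```python
import re
from collections import Counter

# Constructed sample: the detection rows from the Kaspersky On-line Scanner
# report posted above.  Two row shapes occur:
#   "<object> Infected: <detection> <action>"          one file or archive member
#   "<object> <container>: infected - <n> <action>"    summary row for a container
SAMPLE_REPORT = r"""
C:\Documents and Settings\Owner\My Documents\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Documents and Settings\Owner\My Documents\mirc616.exe mIRC: infected - 1 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\44801BF6.htm Infected: Trojan-Downloader.HTML.Agent.aq skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP134\A0006042.exe/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP134\A0006042.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP134\A0006042.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP134\A0006076.exe/stream/data0009 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP134\A0006076.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP134\A0006076.exe NSIS: infected - 2 skipped
C:\WINDOWS\SYSTEM32\lwr_bbi6008.exe/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\WINDOWS\SYSTEM32\lwr_bbi6008.exe/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\WINDOWS\SYSTEM32\lwr_bbi6008.exe NSIS: infected - 2 skipped
"""

# Row grammar assumed from the report above (not an official Kaspersky format spec).
ROW_RE = re.compile(
    r"^(?P<object>.+?) "
    r"(?:Infected: (?P<detection>\S+)"
    r"|(?P<container>\S+): infected - (?P<members>\d+)) "
    r"(?P<action>\w+)$"
)

RISKWARE_PREFIX = "not-a-virus:"  # Kaspersky's tag for adware/riskware, not malware


def classify_location(obj):
    """Where a detected object lives decides how urgent it is."""
    low = obj.lower()
    if "\\quarantine\\" in low:
        return "quarantine"       # already isolated by the resident AV
    if "\\system volume information\\_restore" in low:
        return "restore_point"    # dormant copy kept by System Restore
    if "/" in obj:
        return "archive_member"   # a file packed inside an installer or archive
    return "live_file"


def parse_report(text):
    """Turn the detection rows into dicts; headers and statistics lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        detection = m.group("detection")
        riskware = detection is not None and detection.startswith(RISKWARE_PREFIX)
        rows.append({
            "object": m.group("object"),
            "detection": detection[len(RISKWARE_PREFIX):] if riskware else detection,
            "riskware": riskware,
            "container": m.group("container"),
            "action": m.group("action"),
            "location": classify_location(m.group("object")),
        })
    return rows


def summarize(rows):
    """Reproduce the scanner's own counts and list what still needs attention."""
    return {
        "objects": len(rows),
        "distinct_detections": len({r["detection"] for r in rows if r["detection"]}),
        "by_location": dict(Counter(r["location"] for r in rows)),
        "by_action": dict(Counter(r["action"] for r in rows)),
        # true malware detections (not riskware) that are not already quarantined
        "malware_outside_quarantine": [
            r["object"] for r in rows
            if r["detection"] and not r["riskware"] and r["location"] != "quarantine"
        ],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

On this report the summary gives 13 objects and 5 distinct detection names, matching the scanner's "Number of viruses found" and "Number of infected objects" figures, with 6 of the 13 rows inside a restore point, 1 in Norton's quarantine, and every row's last action recorded as "skipped". The only non-riskware detection is the quarantined .htm file, so the "malware outside quarantine" list is empty; the BargainBuddy and PsKill rows are adware/riskware findings inside an installer and inside restore points respectively.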
     
  2. 2006/06/17 PeteC (SuperGeek, Staff)

    shammie

    Kaspersky fixed the 5 viruses it found - the list of infections totals 13, the same as the list of infected objects remaining.

    I see nothing amiss in your HJT log.

    To clean up, would you please ....

    Delete the quarantined item(s) in Norton AntiVirus.

    Turn off System Restore - remember to turn it on again when we have finished. Turning off System Restore will delete the restore points, some of which may contain an infection.

    Download, update and run Ad-Aware SE and Spybot through Quicklinks in my signature.

    Set up Ad-Aware as shown here and Spybot as shown here.

    Boot into Safe Mode and run Ewido, which I see you have installed ....

    Click on Scanner and select a 'Complete System Scan'.
    If anything is found during scanning you will be prompted to clean the files.
    Select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" and then click on OK.

    Once the scan has completed, save the report to a known location.

    Boot into normal mode and post the report here.

    BTW - what happened with your HJT log? It should not be spaced out like that.
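As an added example (not part of the thread and not HijackThis's own code), the script below shows how the kind of review PeteC does by eye can be turned into repeatable checks over the HJT entry lines. It parses the `Rn`/`Fn`/`Nn`/`On` entry prefix and body, then applies a few constructed triage rules: an O20 Winlogon Notify package whose DLL is reported missing, an O15 Trusted Zone site that should be confirmed as deliberate, an O4 startup shortcut whose target could not be resolved (`= ?`), an O4 program started from a user-writable location, and an O17 NameServer outside private address space. The rules are assumptions for illustration and mark entries for review, not as malicious; the sample entries are copied from the log above.

```python
import ipaddress
import re

# Constructed sample: a handful of entries from the HijackThis log posted
# above, one entry per line.
SAMPLE_HJT = r"""
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O15 - Trusted Zone: http://secure.overture.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{28BFAFD1-2819-4B4E-AC77-051779D71AF7}: NameServer = 192.168.254.254
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# HJT entry lines look like "<section> - <body>", e.g. "O20 - Winlogon Notify: ..."
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

# Assumed heuristic: locations any user account can write to.
USER_WRITABLE_RE = re.compile(r"\\(Temp|Documents and Settings)\\", re.IGNORECASE)


def parse_hjt(text):
    """Return (section, body) pairs; process lists, headers and wrapped fragments are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Apply the review rules; each finding is (section, reason, entry body)."""
    findings = []
    for section, body in entries:
        if section == "O20" and "(file missing)" in body:
            findings.append((section, "Winlogon Notify package points at a missing DLL", body))
        if section == "O15":
            findings.append((section, "site in the Trusted zone; confirm it was added on purpose", body))
        if section == "O4" and body.rstrip().endswith("= ?"):
            findings.append((section, "startup shortcut whose target could not be resolved", body))
        if section == "O4" and USER_WRITABLE_RE.search(body):
            findings.append((section, "startup program runs from a user-writable location", body))
        if section == "O17":
            for ip in re.findall(r"\d+\.\d+\.\d+\.\d+", body):
                if not ipaddress.ip_address(ip).is_private:
                    findings.append((section, "DNS server outside private address space", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_HJT)):
        print(f"[{section}] {reason}\n    {body}")
```

Run against the sample it reports the two unresolved Picture Package shortcuts, the overture.com Trusted Zone entry and the missing WRLogonNTF.dll, and stays quiet on the O17 line because 192.168.254.254 is a private (home router) address. A wrapped log such as the one originally posted would defeat the entry regex, which is one concrete reason the reviewer asks for the log to be pasted unwrapped.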
     


  4. 2006/06/17 shammie (Well-Known Member, Thread Starter)

    Pete, thank you for your help. I deleted the items in Norton quarantine and turned off System Restore. In Safe Mode I ran Ewido, Ad-Aware, and Spybot. Ewido and Ad-Aware found nothing; Spybot found 2 items, Windows Security Center anti-virus disable notify and firewall disable notify, and I fixed both.
    As far as the HJT file goes, I just copied and pasted it from the file.
    Thanks again
     
  5. 2006/06/17 PeteC (SuperGeek, Staff)

    You're welcome - remember to turn System Restore back on!
     
