Full Version: I Knew Better
Piriform Community Forums > Computer Help and Discussion > Spyware Hell
krit86lr
Simply put, I downloaded some things that I knew were dangerous. P2P stuff. About twenty minutes after downloading I changed my mind and uninstalled. I ran some scans which came up clean, but my HJT log has some crazy stuff that has never been there before. I already removed 3 things, but got nervous and decided to come back for a visit.

Logfile of HijackThis v1.99.1
Scan saved at 10:33:48 AM, on 3/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.ccleaner.com/index.php?
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z ToolBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142050658658
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140500544249
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B796325-1B86-4BBC-A612-DD957FD7C51E}: NameServer = (Both of my DNS numbers were listed here)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
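Reviewing a log like the one above by hand comes down to asking, for each entry, whether the referenced file exists and lives where you would expect it. The Python script below is an added example and is not part of this thread or of HijackThis itself: it parses HJT-style "Oxx - ..." lines, pulls out the first absolute path, and lists entries a reviewer should look at: orphaned ones marked "(file missing)", ones with no resolvable path, binaries outside the usual install roots, and any O17 DNS server, which should be confirmed against your ISP or LAN as Andy suggests. The sample lines are a constructed subset of the log above; the NameServer address is a made-up documentation-range value because the poster redacted theirs, and the trusted-root list is an assumption to adjust per machine.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a handful of lines modelled on the HijackThis log in the thread.
# The O17 NameServer value is a made-up documentation address (the poster redacted theirs).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\UberIcon\UberIcon Manager.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B796325-1B86-4BBC-A612-DD957FD7C51E}: NameServer = 192.0.2.53
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
"""

# Roots under which a file-backed entry is unremarkable on an XP box like this one.
# Assumption for the example; extend it with the machine's real install locations.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# Absolute Windows path ending in a binary/shortcut extension; stops before quotes or brackets.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[\]()]+?\.(?:exe|dll|lnk|sys|ocx|scr)\b", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")


@dataclass
class Entry:
    code: str            # HJT section code, e.g. "O4", "O23"
    body: str            # everything after "Oxx - "
    path: Optional[str]  # first absolute path found in the body, if any
    file_missing: bool   # HJT could not find the referenced file


def parse_hjt(text: str) -> list[Entry]:
    """Turn the 'Oxx - ...' section of an HJT log into Entry records.
    Header lines and the 'Running processes:' block simply do not match and are skipped."""
    entries: list[Entry] = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        p = PATH_RE.search(body)
        entries.append(Entry(code, body, p.group(0) if p else None, "(file missing)" in body))
    return entries


def review(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (code, reason) pairs for entries a reviewer should look at.
    These are prompts for a human, not verdicts: an empty list only means nothing stood out."""
    findings: list[tuple[str, str]] = []
    for e in entries:
        if e.file_missing:
            findings.append((e.code, "references a file HJT could not find (likely an orphaned entry)"))
        elif e.code == "O17":
            ns = NAMESERVER_RE.search(e.body)
            addr = ns.group(1) if ns else "?"
            findings.append((e.code, f"confirm NameServer {addr} belongs to your ISP or LAN"))
        elif e.path is None:
            findings.append((e.code, "no absolute path in entry; resolve the command manually"))
        elif not e.path.lower().startswith(TRUSTED_ROOTS):
            findings.append((e.code, f"binary outside trusted roots: {e.path}"))
    return findings


if __name__ == "__main__":
    for code, reason in review(parse_hjt(SAMPLE_LOG)):
        print(f"{code}: {reason}")
```

Run on the sample, the script flags the O4 entry with no absolute path, the O17 NameServer for confirmation, and the orphaned O18 protocol handler, while the Java BHO, the startup shortcut under C:\WINDOWS and the eTrust service pass the path check, which is the same conclusion Andy reached by eye.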
AndyManchesta
Hi K

Sorry for the delay. Your log looks fine, K. What were the items you removed? If it's the area that is a different color you were concerned about, then they are valid: 2 from Microsoft, 1 Live Messenger beta entry, and the O17 NameServer seems fine if you know the IP number; generally, if it's your ISP or your (home or company) network address then leave it.

Do Ewido and Panda scan show clear? Run ActiveScan from here if needed.

Andy
krit86lr
Cool Beans dude! I don't remember what the entries were that I removed. It occurred to me yesterday that it was probably a good idea for you to see them. Oh, well! If there really was a problem then they will come back.

I will do a Panda Scan just to make sure.



Many thanks
K
AndyManchesta

Cool Beans

The things you removed should be in the Backups area of HijackThis. If any are spyware/adware then we could check for any remaining files, but it's fine if they were harmless entries. If you have any problems or Panda finds anything except cookies, let me know.

krit86lr
QUOTE(AndyManchesta @ Mar 24 2006, 12:43 PM)

Cool Beans

The things you removed should be in the Backups area of HijackThis. If any are spyware/adware then we could check for any remaining files, but it's fine if they were harmless entries. If you have any problems or Panda finds anything except cookies, let me know.

Yes, it should. But I told it not to make a backup. (I'm a damn genius sometimes.)

I'll run the macho scan just to be safe.
krit86lr
Kaspersky said that I'm infected by CCleaner. LOL (I thought that was funny)

What does it mean when it says infected - skipped?

[attachmentid=609]


I guess that MrG missed these guys, or it notices it as an infection but skips it as a risk???
Eldmannen
Yeah, CCleaner comes with Yahoo! toolbar, it sucks.

"Hey, let's make a cleaner tool designed to clean out crap that comes bundled with junk!"
AndyManchesta
Hi K

I think it's right that Kaspersky detects the process killer (PsKill) on the PC in case it was put there by malware, as it would have the ability to stop firewall, antivirus or other processes on the system. I assume it detects NSIS because the installer includes the PsKill tool.

I just scanned the PsKill file on my pc and it shows:

Scanned file: pskill.exe - Infected
pskill.exe - infected by not-a-virus:RiskTool.Win32.PsKill.k

The tool could be a problem if it was added by malware, so Kaspersky is just making us aware of it. The CCleaner guys might be able to use process.exe (from beyondlogic.org) or pv.exe (from prcview.com), as they show clean on Kaspersky's site (process.exe does get detected by Panda ActiveScan as a potentially unwanted tool). The simple option would be to use Microsoft's taskkill.exe to avoid any AV problems.

It's good you noticed it, K, as it might make novice users worried about trying CCleaner. The admin guys may have to consider changing the way it stops the file rather than trying to get Kaspersky to change the detection, especially with the tool being potentially dangerous in the wrong hands. The file it's attempting to stop is probably its own, so I'm sure they could use a different method if it becomes a problem.

Andy