Getting Popups, Can't Find The Cause.


  • This topic is locked
14 replies to this topic

#1 bauhausin

  • Members
  • 14 posts

Posted 13 February 2007 - 02:26 PM

I keep getting a registry change alert from McAfee. After disabling them due to the annoyance, I received popups. McAfee, Spybot, and Ad-Aware can't find anything.

Logfile of HijackThis v1.99.1
Scan saved at 1:22:03 PM, on 2/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
c:\program files\internet explorer\iexplore.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\AIM\aim.exe -cnetwait.odl
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O19 - User stylesheet: C:\Documents and Settings\HP_Owner\My Documents\adblock.css
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Thanks!!


#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 14 February 2007 - 11:27 PM

Hello bauhausin,

What do the popups say? Are they messenger popups?


Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan". This scan may take a few hours. It all depends on the number of files on your computer.

When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.

*******************

Download ATF (Atribune Temp File) Cleaner© by Atribune. DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30 day trial of the program

AVG Anti-Spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG Anti-Spyware will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.

1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. If you choose to do this, then right click on ewido in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.

4. IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.

(1) Make sure that "Set all elements to:" shows Quarantine; if not, click on the link and choose Quarantine from the popup menu.
(2) At the bottom of the window click on the Apply all Actions button.
(3) When done, click the Save Scan Report button.
(4) Click the Save Report as button.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
Save to your desktop.
A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot to Normal Mode.

When done, submit the BitDefender log, the AVG Anti-Spyware 7.5 log, a fresh HijackThis log and tell me how your computer is running.

#3 bauhausin

  • Topic Starter
  • Members
  • 14 posts

Posted 17 February 2007 - 06:12 PM

Sorry for the response delay! I was having problems with my e-mail. I was receiving advertisement popups, to answer the question.

Here is the BitDefender log. I will post the other step results in the next post. Thanks!

BitDefender Online Scanner

Scan report generated at: Sat, Feb 17, 2007 - 12:23:03

Scan path: C:\;D:\;E:\;G:\;H:\;I:\;J:\;K:\;

Statistics
Time: 01:55:18
Files: 885261
Folders: 9052
Boot Sectors: 3
Archives: 16889
Packed Files: 90476

Results
Identified Viruses: 2
Infected Files: 23
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 22

Engines Info
Virus Definitions: 388700
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\All Users\Desktop\AIM.lnk=>C:\Program Files\AIM\aim.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\Documents and Settings\All Users\Desktop\AIM.lnk=>C:\Program Files\AIM\aim.exe
Disinfection failed

C:\Documents and Settings\All Users\Desktop\AIM.lnk=>C:\Program Files\AIM\aim.exe
Deleted

C:\Documents and Settings\All Users\Desktop\AIM.lnk
Update failed

C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
Disinfection failed

C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
Deleted

C:\hp\KBD\KBD.EXE
Infected with: Trojan.Proxy.Mitglieder.B

C:\hp\KBD\KBD.EXE
Disinfection failed

C:\hp\KBD\KBD.EXE
Deleted

C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Disinfection failed

C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Deleted

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
Disinfection failed

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
Deleted

C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
Disinfection failed

C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
Deleted

C:\Program Files\iTunes\iTunesHelper.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\Program Files\iTunes\iTunesHelper.exe
Disinfection failed

C:\Program Files\iTunes\iTunesHelper.exe
Deleted

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
Disinfection failed

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
Delete failed

C:\Program Files\QuickTime\qttask.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\Program Files\QuickTime\qttask.exe
Disinfection failed

C:\Program Files\QuickTime\qttask.exe
Deleted

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005114.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005114.exe
Disinfection failed

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005114.exe
Deleted

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005115.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005115.exe
Disinfection failed

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005115.exe
Deleted

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005116.EXE
Infected with: Trojan.Proxy.Mitglieder.B

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005116.EXE
Disinfection failed

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005116.EXE
Deleted

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005117.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005117.exe
Disinfection failed

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005117.exe
Deleted

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005118.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005118.exe
Disinfection failed

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005118.exe
Deleted

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005119.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005119.exe
Disinfection failed

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005119.exe
Deleted

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005120.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005120.exe
Disinfection failed

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005120.exe
Deleted

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005121.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005121.exe
Disinfection failed

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005121.exe
Deleted

C:\WINDOWS\SMINST\RECGUARD.EXE
Infected with: Trojan.Proxy.Mitglieder.B

C:\WINDOWS\SMINST\RECGUARD.EXE
Disinfection failed

C:\WINDOWS\SMINST\RECGUARD.EXE
Deleted

C:\WINDOWS\system\hpsysdrv.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\WINDOWS\system\hpsysdrv.exe
Disinfection failed

C:\WINDOWS\system\hpsysdrv.exe
Deleted

C:\WINDOWS\system32\hkcmd.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\WINDOWS\system32\hkcmd.exe
Disinfection failed

C:\WINDOWS\system32\hkcmd.exe
Deleted

C:\WINDOWS\system32\hphmon06.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\WINDOWS\system32\hphmon06.exe
Disinfection failed

C:\WINDOWS\system32\hphmon06.exe
Deleted

C:\WINDOWS\system32\ps2.exe
Infected with: Trojan.Proxy.Mitglieder.B

C:\WINDOWS\system32\ps2.exe
Disinfection failed

C:\WINDOWS\system32\ps2.exe
Deleted

C:\WINDOWS\Temp\ja.exe
Infected with: DeepScan:Generic.Malware.SP!Yd!Pk!.8231D455

C:\WINDOWS\Temp\ja.exe
Disinfection failed

C:\WINDOWS\Temp\ja.exe
Deleted

#4 bauhausin

  • Topic Starter
  • Members
  • 14 posts

Posted 17 February 2007 - 08:06 PM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:58:23 PM 2/17/2007

+ Scan result:



C:\Program Files\AIM\AIM\aim.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\QuickTime\qttask.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\iTunes\iTunesHelper.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005123.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005124.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005125.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005126.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005127.EXE -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP45\A0005128.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP46\A0005131.EXE -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP46\A0005132.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP46\A0005133.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP46\A0005134.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP46\A0005135.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\hp\KBD\KBD.EXE -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 7:02:50 PM, on 2/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\AIM\aim.exe -cnetwait.odl
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O19 - User stylesheet: C:\Documents and Settings\HP_Owner\My Documents\adblock.css
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


So far the McAfee warning has yet to pop up, and it usually does upon restart. So, so far so good!

Edited by bauhausin, 17 February 2007 - 08:07 PM.


#5 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 February 2007 - 11:25 PM

Hi bauhausin,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Looks better, but we still have some work to do.
You have an infection which replaces legitimate files with infected ones.


Download SilentRunners.vbs
Unzip it to a permanent folder.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
When the scan is done, notepad will open with a log in it. Please close this again.
I'll need that log later.
Normally that log is saved automatically in your Silent Runners folder.
Post the log it created.


We need to locate the legitimate backups and restore those...

Please download FindAWF:
http://noahdfear.geekstogo.com/FindAWF.exe
Save the file to the Desktop
Double-click: FindAWF.exe
If a Security Alert shows, allow the program to run.
When done, a text file awf.txt is produced.
Please post it in your reply.

Edited by SifuMike, 18 February 2007 - 12:13 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 bauhausin
  • Topic Starter
  • Members
  • 14 posts

Posted 18 February 2007 - 03:36 PM

Replacing legitimate files? I think I noticed that. My AIM program just disappeared a few days ago, and I've had to reinstall it 2 times already.

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"AIM" = "C:\PROGRA~1\AIM\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" [file not found]
"High Definition Audio Property Page Shortcut" = "HDAudPropShortcut.exe" ["Windows ® Server 2003 DDK provider"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" [file not found]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"HPHUPD06" = "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [file not found]
"HPHmon06" = "C:\WINDOWS\system32\hphmon06.exe" [file not found]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [file not found]
"PS2" = "C:\WINDOWS\system32\ps2.exe" [file not found]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"AlcWzrd" = "ALCWZRD.EXE" ["RealTek Semicoductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0\bin\jusched.exe"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\(Default) = "scriptproxy"
-> {HKLM...CLSID} = "scriptproxy"
\InProcServer32\(Default) = "c:\program files\mcafee\virusscan\scriptcl.dll" ["McAfee, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "c:\Program Files\Sonic RecordNow!\shlext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
MCVSRIGHTCLICKSCANNER\(Default) = "{162EFDC5-2957-465D-887B-590AF4A7E84D}"
-> {HKLM...CLSID} = "McVSRightclickScanner Class"
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan\mcodsax.dll" ["McAfee, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
MCVSRIGHTCLICKSCANNER\(Default) = "{162EFDC5-2957-465D-887B-590AF4A7E84D}"
-> {HKLM...CLSID} = "McVSRightclickScanner Class"
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan\mcodsax.dll" ["McAfee, Inc."]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "HP_Owner" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"America Online 9.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 9.0\aoltray.exe -check" ["America Online, Inc."]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"SpySubtract" -> shortcut to: "C:\Program Files\InterMute\SpySubtract\sslaunch.exe -autostart" ["InterMute, Inc."]
"TabUserW.exe" -> shortcut to: "C:\WINDOWS\system32\WTablet\TabUserW.exe" ["Wacom Technology, Corp."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"McDefragTask" -> launches: "c:\program files\mcafee\mqc\QcConsol.exe "C:\WINDOWS\system32\defrag.exe" C: -f" ["McAfee, Inc."]
"McQcTask" -> launches: "c:\program files\mcafee\mqc\QcConsol.exe 14 0" ["McAfee, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}"
-> {HKLM...CLSID} = "HP view"
\InProcServer32\(Default) = "c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}"
-> {HKLM...CLSID} = "HP view"
\InProcServer32\(Default) = "c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" = (no title provided)
-> {HKLM...CLSID} = "HP view"
\InProcServer32\(Default) = "c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}\(Default) = "HP view"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll" ["Sun Microsystems, Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\PROGRA~1\AIM\AIM\aim.exe" ["America Online, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""c:\Program Files\Common Files\LightScribe\LSSrvc.exe"" [empty string]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
McAfee HackerWatch Service, McAfee HackerWatch Service, ""C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe"" ["McAfee, Inc."]
McAfee Log Manager, McLogManagerService, "C:\PROGRA~1\McAfee\MSC\mclogsrv.exe" ["McAfee, Inc."]
McAfee Network Agent, McNASvc, ""c:\program files\common files\mcafee\mna\mcnasvc.exe"" ["McAfee, Inc."]
McAfee Personal Firewall Service, MpfService, ""C:\Program Files\McAfee\MPF\MPFSrv.exe"" ["McAfee, Inc."]
McAfee Privacy Service, MPS9, "C:\PROGRA~1\McAfee\MPS\mps.exe" ["McAfee, Inc."]
McAfee Protection Manager, mcpromgr, "C:\PROGRA~1\McAfee\MSC\mcpromgr.exe" ["McAfee, Inc."]
McAfee Proxy Service, McProxy, "c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe" ["McAfee, Inc."]
McAfee Real-time Scanner, McShield, "C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe" ["McAfee, Inc."]
McAfee Redirector Service, McRedirector, "c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe" ["McAfee, Inc."]
McAfee Scanner, McODS, "C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe" ["McAfee, Inc."]
McAfee SystemGuards, McSysmon, "C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe" ["McAfee, Inc."]
McAfee Task Scheduler, mctskshd.exe, "C:\PROGRA~1\McAfee\MSC\mctskshd.exe" ["McAfee, Inc."]
McAfee Update Manager, mcmispupdmgr, "C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe" ["McAfee, Inc."]
McAfee User Manager, mcusrmgr, "C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe" ["McAfee, Inc."]
TabletService, TabletService, "C:\WINDOWS\system32\Tablet.exe" ["Wacom Technology, Corp."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Dell Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 53 seconds, including 20 seconds for message boxes)




Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\Program Files\Java\jre1.6.0\bin\keytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\kinit.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\klist.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\ktab.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\orbd.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\pack200.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\policytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmid.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmiregistry.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\servertool.exe"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/11/2003 08:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\AIM\BAK

08/05/2005 02:08 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\DELLAI~1\BAK

05/12/2003 03:02 PM 270,336 dlbkbmgr.exe
1 File(s) 270,336 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 06:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SMINST\BAK

04/14/2004 09:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

02/07/2007 11:19 PM 181 hpsysdrv.DAT
05/07/1998 05:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,917 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/03/2004 10:00 PM 15,360 ctfmon.exe
11/02/2004 04:59 PM 126,976 hkcmd.exe
06/07/2004 07:42 PM 659,456 hphmon06.exe
10/25/2004 10:17 PM 90,112 ps2.exe
4 File(s) 891,904 bytes

Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

10/14/2004 10:54 PM 253,952 lsburnwatcher.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\AIM\AIM\BAK

08/05/2005 02:08 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\HP\{AAC4F~1\BAK

06/07/2004 07:53 PM 49,152 hphupd06.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/07/2005 09:22 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK

11/09/2006 03:07 PM 49,263 jusched.exe
1 File(s) 49,263 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
67160 Aug 5 2005 "C:\Program Files\AIM\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\AIM\bak\aim.exe"
270336 May 12 2003 "C:\Program Files\Dell AIO Printer A920\bak\dlbkbmgr.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Feb 17 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
246 Jan 23 2007 "C:\WINDOWS\system\hpsysdrv.dat"
181 Feb 7 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
126976 Nov 2 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\hkcmd.exe"
659456 Jun 7 2004 "C:\WINDOWS\system32\bak\hphmon06.exe"
90112 Oct 25 2004 "C:\hp\drivers\keyboard\PS2.EXE"
90112 Oct 25 2004 "C:\WINDOWS\system32\bak\ps2.exe"
253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\AIM\bak\aim.exe"
49152 Jun 7 2004 "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe"
180269 Sep 7 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
77824 Feb 18 2007 "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe"


end of report

#7 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 18 February 2007 - 06:22 PM

Hi bauhausin,

Ok great, now we'll move the clean files back to the places they belong...

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to My Computer and browse to the following folder:
C:\HP\KBD\BAK
Inside the BAK folder is a file named KBD.EXE
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\HP\KBD\
Click the background with your mouse, choose Paste
Now you should have the KBD.EXE file in the C:\HP\KBD\ folder.
Now go ahead and delete the BAK folder


The same thing for other files:

C:\Program Files\Dell AIO Printer A920\bak
Inside the BAK folder is a file named dlbkbmgr.exe
Select the file with your mouse, right-click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\Dell AIO Printer A920\
Click the background with your mouse, choose Paste
Now you should have the dlbkbmgr.exe file in the C:\Program Files\Dell AIO Printer A920\ folder
Now go ahead and delete the BAK folder

Nine more to go:

C:\Program Files\iTunes\bak
Inside the BAK folder is a file named iTunesHelper.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\iTunes\
Click the background with your mouse, choose Paste
Now you should have the iTunesHelper.exe file in the C:\Program Files\iTunes\ folder.
Now go ahead and delete the BAK folder



Eight more to go:
C:\Program Files\QuickTime\bak
Inside the BAK folder is a file named qttask.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\QuickTime\
Click the background with your mouse, choose Paste
Now you should have the qttask.exe file in the C:\Program Files\QuickTime\ folder.
Now go ahead and delete the BAK folder

Seven more to go:
C:\WINDOWS\SMINST\BAK
Inside the BAK folder is a file named RECGUARD.EXE
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\WINDOWS\SMINST\
Click the background with your mouse, choose Paste
Now you should have the RECGUARD.EXE file in the C:\WINDOWS\SMINST\ folder.
Now go ahead and delete the BAK folder

Six more to go:
C:\WINDOWS\SYSTEM\BAK
Inside the BAK folder are files named hpsysdrv.DAT and hpsysdrv.exe
Right click them with your mouse and choose Cut
Then go back to the main folder, C:\WINDOWS\SYSTEM\
Click the background with your mouse, choose Paste
Now you should have the hpsysdrv.DAT and hpsysdrv.exe files in the C:\WINDOWS\SYSTEM\ folder.
Now go ahead and delete the BAK folder

Five more to go:
C:\WINDOWS\SYSTEM32\BAK
Inside the BAK folder are files named ctfmon.exe, hkcmd.exe, hphmon06.exe and ps2.exe
Right click them with your mouse and choose Cut
Then go back to the main folder, C:\WINDOWS\SYSTEM32\
Click the background with your mouse, choose Paste
Now you should have the ctfmon.exe, hkcmd.exe, hphmon06.exe and ps2.exe files in the C:\WINDOWS\SYSTEM32\ folder.
Now go ahead and delete the BAK folder


Four more to go:
C:\hp\drivers\hplsbwatcher\bak\
Inside the BAK folder is a file named lsburnwatcher.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\hp\drivers\hplsbwatcher\
Click the background with your mouse, choose Paste
Now you should have the lsburnwatcher.exe file in the C:\hp\drivers\hplsbwatcher\ folder.
Now go ahead and delete the BAK folder

Three more to go:
C:\Program Files\AIM\bak\
Inside the BAK folder is a file named aim.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\AIM\
Click the background with your mouse, choose Paste
Now you should have the aim.exe file in the C:\Program Files\AIM\ folder.
Now go ahead and delete the BAK folder


Two more to go:
C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak
Inside the BAK folder is a file named hphupd06.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}
Click the background with your mouse, choose Paste
Now you should have the hphupd06.exe file in the C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D} folder.
Now go ahead and delete the BAK folder

One more to go:

C:\Program Files\Common Files\Real\Update_OB\bak
Inside the BAK folder is a file named realsched.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\Common Files\Real\Update_OB
Click the background with your mouse, choose Paste
Now you should have the realsched.exe file in the C:\Program Files\Common Files\Real\Update_OB folder.
Now go ahead and delete the BAK folder


Restart the computer normally.



1.) Please download DelDomains by WinHelp2002 and save it to your desktop:
Right-click on DelDomains.inf, and choose Install.
You may not see any noticeable changes or prompts; this is normal.
Then, please restart your computer.
You will have to re-immunize with SpywareBlaster, IE-SPYAD, and/or Spybot - Search & Destroy after doing this.

2.) Please download ResetProtocolDefaults by WinHelp2002 and save it to your desktop:
Locate ResetProtocolDefaults.reg which should be on your desktop.
Right-click and select: Merge.
OK the prompt.
Reboot your computer


Run FindAWF again and post the log.

Edited by SifuMike, 18 February 2007 - 10:17 PM.

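A way to turn the FindAWF "bak folders found" listing from post #6 into a checked plan for the manual moves described above, as an added example (Python, written for this thread; it is not FindAWF's or Silent Runners' code and was not posted by anyone here). The two report snippets inside it are constructed samples in the shape of the logs above, the `existing` argument stands in for a directory check on the machine, and nothing is moved: the script only pairs each file in a BAK folder with its parent folder and flags the case where a same-named file already sits at the destination (as aim.exe does in the log, after the reinstall), so that file can be compared before anything is overwritten.

```python
"""Build a restore plan from a FindAWF "bak folders found" listing.

Added example for this thread, not FindAWF's own code. It pairs each
backed-up file with its home in the parent folder, flags destinations where
a same-named file already sits (possibly the infection's replacement, so
compare before overwriting), and notes which destinations a Silent Runners
"[file not found]" startup entry is waiting for. Nothing is moved.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Constructed samples in the shape of the two reports above (trimmed).
SAMPLE_FINDAWF = """\
bak folders found
~~~~~~~~~~~

Directory of C:\\WINDOWS\\SYSTEM\\BAK

02/07/2007 11:19 PM 181 hpsysdrv.DAT
05/07/1998 05:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,917 bytes

Directory of C:\\PROGRA~1\\AIM\\AIM\\BAK

08/05/2005 02:08 PM 67,160 aim.exe
1 File(s) 67,160 bytes

end of report
"""
SAMPLE_SILENTRUNNERS = """\
"hpsysdrv" = "c:\\windows\\system\\hpsysdrv.exe" [file not found]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"""

DIR_RE = re.compile(r"^Directory of (?P<folder>.+[\\/]bak)$", re.IGNORECASE)
FILE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M\s+(?P<size>[\d,]+)\s+(?P<name>.+)$")
NOT_FOUND_RE = re.compile(r'^"[^"]*"\s*=\s*"+(?P<path>[^"]+)"+\s*\[file not found\]')


@dataclass
class RestoreAction:
    source: str          # file as it sits in the BAK folder
    destination: str     # parent of the BAK folder + file name
    size: int
    action: str          # "move", or "review" when the destination is occupied
    notes: List[str] = field(default_factory=list)


def parse_bak_folders(report: str) -> Dict[str, List[Tuple[str, int]]]:
    """Map each BAK folder to the (name, size) pairs listed under it."""
    folders: Dict[str, List[Tuple[str, int]]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        m = DIR_RE.match(line)
        if m:
            current = m.group("folder")
            folders.setdefault(current, [])
            continue
        m = FILE_RE.match(line)          # "1 File(s) ..." totals carry no date and are skipped
        if m and current is not None:
            folders[current].append((m.group("name"), int(m.group("size").replace(",", ""))))
    return folders


def missing_startup_targets(silent_runners: str) -> Set[str]:
    """Lower-cased paths of Run-key values that Silent Runners marked [file not found]."""
    matches = (NOT_FOUND_RE.match(raw.strip()) for raw in silent_runners.splitlines())
    return {m.group("path").lower() for m in matches if m}


def plan_restore(report: str, existing: Iterable[str], silent_runners: str = "") -> List[RestoreAction]:
    """Pair every backed-up file with its destination and flag what needs a look first.

    `existing` stands in for a directory check: full paths currently on disk.
    Comparison is case-insensitive, as on Windows; 8.3 names (PROGRA~1) are
    not expanded, so use the spelling FindAWF printed for those folders.
    """
    present = {p.lower() for p in existing}
    wanted = missing_startup_targets(silent_runners)
    plan: List[RestoreAction] = []
    for bak_folder, files in parse_bak_folders(report).items():
        home = ntpath.dirname(bak_folder)
        for name, size in files:
            act = RestoreAction(ntpath.join(bak_folder, name), ntpath.join(home, name), size, "move")
            if act.destination.lower() in present:
                act.action = "review"
                act.notes.append("a file of this name already exists at the destination; compare first")
            if act.destination.lower() in wanted:
                act.notes.append("a startup entry points at the destination and reports [file not found]")
            plan.append(act)
    return plan


if __name__ == "__main__":
    # Constructed: AIM had been reinstalled, so aim.exe is back in its home folder.
    for step in plan_restore(SAMPLE_FINDAWF, [r"C:\PROGRA~1\AIM\AIM\aim.exe"], SAMPLE_SILENTRUNNERS):
        print(f"{step.action:6} {step.source} -> {step.destination} ({step.size} bytes)", *step.notes, sep="\n   ")
```

Run as-is it prints the plan for the constructed samples: the two hpsysdrv files get a plain "move", with the .exe annotated because the HKLM Run entry is waiting for it, while aim.exe is marked "review" because a copy already occupies its destination. To use it on a real FindAWF log, pass the log text as `report` and the paths that actually exist as `existing`; the "review" entries are exactly the ones where the manual cut-and-paste above would trigger an overwrite prompt.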

#8 bauhausin
  • Topic Starter
  • Members
  • 14 posts

Posted 20 February 2007 - 03:19 PM

Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\Program Files\Java\jre1.6.0\bin\keytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\kinit.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\klist.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\ktab.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\orbd.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\pack200.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\policytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmid.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmiregistry.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\servertool.exe"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DELLAI~1\BAK

05/12/2003 03:02 PM 270,336 dlbkbmgr.exe
1 File(s) 270,336 bytes

Directory of C:\PROGRA~1\AIM\AIM\BAK

08/05/2005 02:08 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK

11/09/2006 03:07 PM 49,263 jusched.exe
1 File(s) 49,263 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

270336 May 12 2003 "C:\Program Files\Dell AIO Printer A920\bak\dlbkbmgr.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\AIM\bak\aim.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
77824 Feb 18 2007 "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe"


end of report

#9 SifuMike, malware expert (Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 20 February 2007 - 03:39 PM

Hi bauhausin,

Looks much better. :thumbsup: But, we still have three clean files to move back where they belong.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to My Computer and browse to the following folder:

C:\Program Files\Dell AIO Printer A920\bak
Inside the BAK folder is a file named dlbkbmgr.exe
Select the file with your mouse, right click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\Dell AIO Printer A920\
Click the background with your mouse, choose Paste
Now you should have the dlbkbmgr.exe file in the C:\Program Files\Dell AIO Printer A920\ folder
Now go ahead and delete the BAK folder.


Two more to go:
Go to My Computer and browse to the following folder:

C:\Program Files\AIM\bak\
Inside the BAK folder is a file named aim.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\AIM\
Click the background with your mouse, choose Paste
Now you should have the aim.exe file in the C:\Program Files\AIM\ folder.
Now go ahead and delete the BAK folder.


Last one: :flowers:
Go to My Computer and browse to the following folder:

C:\Program Files\Java\jre1.5.0_10\bin\bak\
Inside the BAK folder is a file named jusched.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\Java\jre1.5.0_10\bin\
Click the background with your mouse, choose Paste
Now you should have the jusched.exe file in the C:\Program Files\Java\jre1.5.0_10\bin\ folder.
Now go ahead and delete the BAK folder.

Restart the computer normally.

Run FindAWF again and post the log.
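The FindAWF report above (post #8) and the bak-folder restore steps in this post, as an added Python example that is neither FindAWF's nor BleepingComputer's code: it finds folders named `bak`, compares each stashed file with its same-named twin in the parent folder, and moves the stashed copy back the way the Cut/Paste steps do. The `App` directory, `prog.exe` name and file contents are constructed sample data.

```python
# Added example, not FindAWF's or BleepingComputer's code: find 'bak' folders
# of the kind FindAWF reports, compare each stashed file with its same-named
# twin in the parent folder, and restore it as the thread's Cut/Paste steps do.
import os
import shutil
import tempfile
from pathlib import Path

def find_bak_duplicates(root):
    """One record per file inside any folder named 'bak' under root.
    A stashed copy whose parent twin exists but differs byte-for-byte is the
    pattern the thread's FindAWF reports list under 'Duplicate files'."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        if Path(dirpath).name.lower() != "bak":
            continue
        for name in files:
            stashed, twin = Path(dirpath) / name, Path(dirpath).parent / name
            rec = {"bak_file": stashed, "size": stashed.stat().st_size,
                   "parent_exists": twin.is_file(), "identical": False}
            if rec["parent_exists"]:
                rec["identical"] = twin.read_bytes() == stashed.read_bytes()
            records.append(rec)
    return records

def restore_from_bak(bak_dir):
    """Move every file in bak_dir over its parent twin, delete the emptied bak
    folder, and return the restored paths. The replaced parent copy is lost,
    so copy it aside first if a sample is wanted for analysis."""
    bak_dir = Path(bak_dir)
    restored = []
    for stashed in [p for p in bak_dir.iterdir() if p.is_file()]:
        target = bak_dir.parent / stashed.name
        if target.exists():
            target.unlink()          # drop the replacement in the parent
        shutil.move(str(stashed), str(target))
        restored.append(target)
    if not any(bak_dir.iterdir()):
        bak_dir.rmdir()
    return restored

def build_constructed_sample():
    """Constructed tree: App/prog.exe swapped out, original kept in App/bak."""
    app = Path(tempfile.mkdtemp()) / "App"
    (app / "bak").mkdir(parents=True)
    (app / "prog.exe").write_bytes(b"replacement")              # constructed
    (app / "bak" / "prog.exe").write_bytes(b"original-binary")  # constructed
    return app
```

Run `find_bak_duplicates` over `C:\Program Files` (or the constructed sample) first and review the records; only call `restore_from_bak` on a folder whose stashed file you have confirmed is the clean original.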

#10 bauhausin (Topic Starter, Members, 14 posts)

Posted 22 February 2007 - 04:59 PM

I think I fixed them all this time :thumbsup:


Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\Program Files\Java\jre1.6.0\bin\keytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\kinit.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\klist.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\ktab.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\orbd.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\pack200.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\policytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmid.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmiregistry.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\servertool.exe"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#11 SifuMike, malware expert (Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 22 February 2007 - 05:12 PM

Hi bauhausin,

Looks good :thumbsup:

Post a fresh HijackThis log and tell me how your computer is running.

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
Press 'save list'
A notepad file will open.
Post the content here in your reply.
Close HijackThis.

Edited by SifuMike, 22 February 2007 - 05:13 PM.


#12 bauhausin (Topic Starter, Members, 14 posts)

Posted 23 February 2007 - 02:10 PM

Just this HijackThis log, correct?

Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
AOL Instant Messenger
AVG Anti-Spyware 7.5
Azureus
Dell AIO Printer A920
Easy Internet Sign-up
Help and Support Additions
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
HP Deskjet Preloaded Printer Drivers
HP Image Zone 4.5.3
HP Image Zone Plus 4.5.3
HP Organize
HP Photosmart Cameras 4.0
HP PSC & OfficeJet 4.0
HP Software Update
HPIZplus450
Intel® Graphics Media Accelerator Driver
IntelliMover Data Transfer Demo
InterVideo DiscLabel
InterVideo WinDVD Creator
InterVideo WinDVD Player
iScrobbler
iTunes
Java™ SE Runtime Environment 6
KBD
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft Office Standard Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Works
Mozilla Firefox (2.0.0.1)
muvee autoProducer 3.5 magicMoments - HPD
Photosmart 320,370,7400,8100,8400 Series
PS2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
RealPlayer
Sonic Express Labeler
Sonic RecordNow!
SoulSeek Client 156c
SpySubtract
Tablet
Tradewinds from Hewlett-Packard Desktops (remove only)
Viewpoint Media Player
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB890175

My computer is running fantastic. I haven't received any registry change warnings or pop-ups. Thank you so much for your help, I will certainly be donating to you! :thumbsup:

#13 SifuMike, malware expert (Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 23 February 2007 - 06:32 PM

Hi bauhausin,

Everything looks fine.

Thank you for the donation. :flowers:

Hate to be like Columbo, but could you do just one more thing... :thumbsup:

Let's reset your files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.


Please read and follow How did I get infected?, With steps so it does not happen again!

Edited by SifuMike, 23 February 2007 - 06:32 PM.


#14 bauhausin (Topic Starter, Members, 14 posts)

Posted 01 March 2007 - 09:15 PM

I apologize for the donation delay! I'm just waiting on my paycheck. Thought I would update you on the status so it doesn't seem like I lied. Thanks yet again! :thumbsup:

#15 SifuMike, malware expert (Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 10 March 2007 - 07:15 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.