Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

surprise.exe file hit me

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: surprise.exe file hit me

Unread postby devsenemy » May 3rd, 2009, 4:04 pm

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 05/03/2009
The current time is: 12:59:22.42


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/02/2005 05:44 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\DISC\BAK

03/16/2006 02:12 AM 1,077,248 DISCover.exe
03/16/2006 02:11 AM 61,440 DiscUpdMgr.exe
2 File(s) 1,138,688 bytes

Directory of C:\PROGRA~1\HPDIGI~1\BAK

03/20/2006 09:05 AM 90,112 DMAScheduler.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\CREATOR\BAK

12/14/2004 02:23 AM 663,552 Remind_XP.exe
1 File(s) 663,552 bytes

Directory of C:\WINDOWS\EHOME\BAK

09/29/2005 09:01 PM 67,584 ehtray.exe
1 File(s) 67,584 bytes

Directory of C:\WINDOWS\SMINST\BAK

07/22/2005 10:14 PM 237,568 RECGUARD.EXE
1 File(s) 237,568 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/09/2004 09:00 PM 15,360 ctfmon.exe
02/07/2006 08:36 AM 77,824 hkcmd.exe
02/07/2006 08:40 AM 118,784 igfxpers.exe
3 File(s) 211,968 bytes

Directory of C:\PROGRA~1\AIM\AIMPRO~1\BAK

01/29/2007 11:57 PM 5,039,696 aimpro.exe
1 File(s) 5,039,696 bytes

Directory of C:\PROGRA~1\GOOGLE\PICASA3\BAK

12/05/2006 06:44 PM 366,400 PicasaMediaDetector.exe
1 File(s) 366,400 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

02/15/2006 10:34 PM 249,856 HPBootOp.exe
1 File(s) 249,856 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

12/15/2005 06:18 PM 49,152 HPwuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\INTEL\INTELM~1\BAK

10/12/2005 07:30 PM 139,264 iaanotif.exe
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\WORDPE~1\PROGRAMS\BAK

04/06/2006 01:55 AM 77,892 QFSCHD130.EXE
1 File(s) 77,892 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

08/11/2005 05:30 PM 81,920 issch.exe
08/11/2005 05:30 PM 249,856 isuspm.exe
2 File(s) 331,776 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

06/13/2006 09:08 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\{33D6C~1\BAK

06/01/2005 11:35 PM 49,152 hphupd08.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

03/14/2007 03:43 AM 83,608 jusched.exe
1 File(s) 83,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.EXE"
1077248 Mar 16 2006 "C:\Program Files\DISC\bak\DISCover.exe"
61440 Mar 16 2006 "C:\Program Files\DISC\bak\DiscUpdMgr.exe"
90112 Mar 20 2006 "C:\Program Files\HP DigitalMedia Archive\bak\DMAScheduler.exe"
342312 Apr 2 2009 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Apr 7 2009 "C:\WINDOWS\Installer\{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}\iTunesIco.exe"
413696 Jan 5 2009 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
663552 Dec 14 2004 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
237568 Jul 22 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
15360 Apr 13 2008 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 9 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Feb 7 2006 "C:\hp\drivers\video_Intel\hkcmd.exe"
77824 Feb 7 2006 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Feb 7 2006 "C:\hp\drivers\video_Intel\igfxpers.exe"
118784 Feb 7 2006 "C:\WINDOWS\system32\bak\igfxpers.exe"
5039696 Jan 29 2007 "C:\Program Files\AIM\AIM Pro\bak\aimpro.exe"
755264 Jan 5 2009 "C:\Program Files\Google\Picasa3\PicasaUpdater.exe"
366400 Dec 5 2006 "C:\Program Files\Google\Picasa3\bak\PicasaMediaDetector.exe"
685640 Jan 5 2009 "C:\Program Files\Google\Picasa3\cdautorun\PicasaRestore.exe"
4912968 Nov 10 2006 "C:\Documents and Settings\HP_Administrator\Desktop\CRAP\Desktop Icons\picasaweb-current-setup.exe"
249856 Feb 15 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
49152 Dec 15 2005 "C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
139264 Oct 12 2005 "C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe"
77892 Apr 6 2006 "C:\Program Files\WordPerfect Office X3\Programs\bak\QFSCHD130.EXE"
35696 Feb 27 2009 "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
73728 Aug 28 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
81920 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
205480 Aug 30 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
249856 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
185896 Oct 2 2008 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Jun 13 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
49152 Jun 1 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
36975 Aug 27 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
126976 Jul 12 2007 "C:\Program Files\Java\jdk1.6.0_02\jre\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe"


end of report


After I did this scan, I tried to sign back on to my Mozilla Firefox browser which I ALWAYS use and it says it crashed. I am now on IE browser which I don't like. Could this scan have done something to my MFF brower?
devsenemy
Regular Member
 
Posts: 17
Joined: April 26th, 2009, 12:10 am
Advertisement
Register to Remove

Re: surprise.exe file hit me

Unread postby chryssi2001 » May 4th, 2009, 7:15 am

Hello devsenemy,

After I did this scan, I tried to sign back on to my Mozilla Firefox browser which I ALWAYS use and it says it crashed. I am now on IE browser which I don't like. Could this scan have done something to my MFF brower?

I don't believe so, as it didn't remove anything. It just shows the infected files.
This infection created infected files for some programs, and you may need to re-install them after we clean it.
----------------------------------------------
Fix AWF Infection Step 2
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\DISC\bak\DISCover.exe"
"C:\Program Files\DISC\bak\DiscUpdMgr.exe"
"C:\Program Files\HP DigitalMedia Archive\bak\DMAScheduler.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxpers.exe"
"C:\Program Files\AIM\AIM Pro\bak\aimpro.exe"
"C:\Program Files\Google\Picasa3\bak\PicasaMediaDetector.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
"C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe"
"C:\Program Files\WordPerfect Office X3\Programs\bak\QFSCHD130.EXE"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
"C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: surprise.exe file hit me

Unread postby devsenemy » May 4th, 2009, 12:16 pm

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Mon 05/04/2009
The current time is: 8:01:18.88


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/02/2005 05:44 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\DISC\BAK

03/16/2006 02:12 AM 1,077,248 DISCover.exe
03/16/2006 02:11 AM 61,440 DiscUpdMgr.exe
2 File(s) 1,138,688 bytes

Directory of C:\PROGRA~1\HPDIGI~1\BAK

03/20/2006 09:05 AM 90,112 DMAScheduler.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\CREATOR\BAK

12/14/2004 02:23 AM 663,552 Remind_XP.exe
1 File(s) 663,552 bytes

Directory of C:\WINDOWS\EHOME\BAK

09/29/2005 09:01 PM 67,584 ehtray.exe
1 File(s) 67,584 bytes

Directory of C:\WINDOWS\SMINST\BAK

07/22/2005 10:14 PM 237,568 RECGUARD.EXE
1 File(s) 237,568 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/09/2004 09:00 PM 15,360 ctfmon.exe
02/07/2006 08:36 AM 77,824 hkcmd.exe
02/07/2006 08:40 AM 118,784 igfxpers.exe
3 File(s) 211,968 bytes

Directory of C:\PROGRA~1\AIM\AIMPRO~1\BAK

01/29/2007 11:57 PM 5,039,696 aimpro.exe
1 File(s) 5,039,696 bytes

Directory of C:\PROGRA~1\GOOGLE\PICASA3\BAK

12/05/2006 06:44 PM 366,400 PicasaMediaDetector.exe
1 File(s) 366,400 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

02/15/2006 10:34 PM 249,856 HPBootOp.exe
1 File(s) 249,856 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

12/15/2005 06:18 PM 49,152 HPwuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\INTEL\INTELM~1\BAK

10/12/2005 07:30 PM 139,264 iaanotif.exe
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\WORDPE~1\PROGRAMS\BAK

04/06/2006 01:55 AM 77,892 QFSCHD130.EXE
1 File(s) 77,892 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

08/11/2005 05:30 PM 81,920 issch.exe
08/11/2005 05:30 PM 249,856 isuspm.exe
2 File(s) 331,776 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

06/13/2006 09:08 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\{33D6C~1\BAK

06/01/2005 11:35 PM 49,152 hphupd08.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

03/14/2007 03:43 AM 83,608 jusched.exe
1 File(s) 83,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.EXE"
1077248 Mar 16 2006 "C:\Program Files\DISC\bak\DISCover.exe"
61440 Mar 16 2006 "C:\Program Files\DISC\bak\DiscUpdMgr.exe"
90112 Mar 20 2006 "C:\Program Files\HP DigitalMedia Archive\bak\DMAScheduler.exe"
342312 Apr 2 2009 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Apr 7 2009 "C:\WINDOWS\Installer\{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}\iTunesIco.exe"
413696 Jan 5 2009 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
663552 Dec 14 2004 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
237568 Jul 22 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
15360 Apr 13 2008 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 9 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Feb 7 2006 "C:\hp\drivers\video_Intel\hkcmd.exe"
77824 Feb 7 2006 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Feb 7 2006 "C:\hp\drivers\video_Intel\igfxpers.exe"
118784 Feb 7 2006 "C:\WINDOWS\system32\bak\igfxpers.exe"
5039696 Jan 29 2007 "C:\Program Files\AIM\AIM Pro\bak\aimpro.exe"
755264 Jan 5 2009 "C:\Program Files\Google\Picasa3\PicasaUpdater.exe"
366400 Dec 5 2006 "C:\Program Files\Google\Picasa3\bak\PicasaMediaDetector.exe"
685640 Jan 5 2009 "C:\Program Files\Google\Picasa3\cdautorun\PicasaRestore.exe"
4912968 Nov 10 2006 "C:\Documents and Settings\HP_Administrator\Desktop\CRAP\Desktop Icons\picasaweb-current-setup.exe"
249856 Feb 15 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
49152 Dec 15 2005 "C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
139264 Oct 12 2005 "C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe"
77892 Apr 6 2006 "C:\Program Files\WordPerfect Office X3\Programs\bak\QFSCHD130.EXE"
35696 Feb 27 2009 "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
73728 Aug 28 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
81920 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
205480 Aug 30 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
249856 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
185896 Oct 2 2008 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Jun 13 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
49152 Jun 1 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
36975 Aug 27 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
126976 Jul 12 2007 "C:\Program Files\Java\jdk1.6.0_02\jre\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe"


end of report


_____________________

Here you go....

Firefox is working fine now, don't know why I got a message that it crashed, but it is good now!
devsenemy
Regular Member
 
Posts: 17
Joined: April 26th, 2009, 12:10 am

Re: surprise.exe file hit me

Unread postby chryssi2001 » May 4th, 2009, 1:55 pm

Hello devsenemy,

Firefox is working fine now, don't know why I got a message that it crashed, but it is good now!

Nice, well it may temporary crashed. :)
----------------------------------------------
Fix AWF Infection Step 3

Copy the paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\hp\KBD\bak
C:\Program Files\DISC\bak
C:\Program Files\DISC\bak
C:\Program Files\HP DigitalMedia Archive\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\CREATOR\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\SMINST\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak
C:\Program Files\AIM\AIM Pro\bak
C:\Program Files\Google\Picasa3\bak
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Intel\Intel Matrix Storage Manager\bak
C:\Program Files\WordPerfect Office X3\Programs\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak
C:\Program Files\Java\jre1.6.0_01\bin\bak

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Select Option 3 from the menu and press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.
Before you close FindAWF, Select Option 4 from the menu and press Enter.
When it's finished the tool will return to the main menu.
Press E to close FindAWF.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: surprise.exe file hit me

Unread postby devsenemy » May 4th, 2009, 4:12 pm

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Mon 05/04/2009
The current time is: 13:05:51.66


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/02/2005 05:44 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\DISC\BAK

03/16/2006 02:12 AM 1,077,248 DISCover.exe
03/16/2006 02:11 AM 61,440 DiscUpdMgr.exe
2 File(s) 1,138,688 bytes

Directory of C:\PROGRA~1\HPDIGI~1\BAK

03/20/2006 09:05 AM 90,112 DMAScheduler.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\CREATOR\BAK

12/14/2004 02:23 AM 663,552 Remind_XP.exe
1 File(s) 663,552 bytes

Directory of C:\WINDOWS\EHOME\BAK

09/29/2005 09:01 PM 67,584 ehtray.exe
1 File(s) 67,584 bytes

Directory of C:\WINDOWS\SMINST\BAK

07/22/2005 10:14 PM 237,568 RECGUARD.EXE
1 File(s) 237,568 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/09/2004 09:00 PM 15,360 ctfmon.exe
02/07/2006 08:36 AM 77,824 hkcmd.exe
02/07/2006 08:40 AM 118,784 igfxpers.exe
3 File(s) 211,968 bytes

Directory of C:\PROGRA~1\AIM\AIMPRO~1\BAK

01/29/2007 11:57 PM 5,039,696 aimpro.exe
1 File(s) 5,039,696 bytes

Directory of C:\PROGRA~1\GOOGLE\PICASA3\BAK

12/05/2006 06:44 PM 366,400 PicasaMediaDetector.exe
1 File(s) 366,400 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

02/15/2006 10:34 PM 249,856 HPBootOp.exe
1 File(s) 249,856 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

12/15/2005 06:18 PM 49,152 HPwuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\INTEL\INTELM~1\BAK

10/12/2005 07:30 PM 139,264 iaanotif.exe
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\WORDPE~1\PROGRAMS\BAK

04/06/2006 01:55 AM 77,892 QFSCHD130.EXE
1 File(s) 77,892 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

08/11/2005 05:30 PM 81,920 issch.exe
08/11/2005 05:30 PM 249,856 isuspm.exe
2 File(s) 331,776 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

06/13/2006 09:08 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\{33D6C~1\BAK

06/01/2005 11:35 PM 49,152 hphupd08.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

03/14/2007 03:43 AM 83,608 jusched.exe
1 File(s) 83,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.EXE"
1077248 Mar 16 2006 "C:\Program Files\DISC\bak\DISCover.exe"
61440 Mar 16 2006 "C:\Program Files\DISC\bak\DiscUpdMgr.exe"
90112 Mar 20 2006 "C:\Program Files\HP DigitalMedia Archive\bak\DMAScheduler.exe"
342312 Apr 2 2009 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Apr 7 2009 "C:\WINDOWS\Installer\{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}\iTunesIco.exe"
413696 Jan 5 2009 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
663552 Dec 14 2004 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
237568 Jul 22 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
15360 Apr 13 2008 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 9 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Feb 7 2006 "C:\hp\drivers\video_Intel\hkcmd.exe"
77824 Feb 7 2006 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Feb 7 2006 "C:\hp\drivers\video_Intel\igfxpers.exe"
118784 Feb 7 2006 "C:\WINDOWS\system32\bak\igfxpers.exe"
5039696 Jan 29 2007 "C:\Program Files\AIM\AIM Pro\bak\aimpro.exe"
755264 Jan 5 2009 "C:\Program Files\Google\Picasa3\PicasaUpdater.exe"
366400 Dec 5 2006 "C:\Program Files\Google\Picasa3\bak\PicasaMediaDetector.exe"
685640 Jan 5 2009 "C:\Program Files\Google\Picasa3\cdautorun\PicasaRestore.exe"
4912968 Nov 10 2006 "C:\Documents and Settings\HP_Administrator\Desktop\CRAP\Desktop Icons\picasaweb-current-setup.exe"
249856 Feb 15 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
49152 Dec 15 2005 "C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
139264 Oct 12 2005 "C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe"
77892 Apr 6 2006 "C:\Program Files\WordPerfect Office X3\Programs\bak\QFSCHD130.EXE"
35696 Feb 27 2009 "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
73728 Aug 28 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
81920 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
205480 Aug 30 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
249856 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
185896 Oct 2 2008 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Jun 13 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
49152 Jun 1 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
36975 Aug 27 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
126976 Jul 12 2007 "C:\Program Files\Java\jdk1.6.0_02\jre\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe"


end of report

______________________________

Here you go...

Is this all working towards recovering my .pst data for my Outlook 2007?

Ooops, wait a min. one more step 4. Done.
devsenemy
Regular Member
 
Posts: 17
Joined: April 26th, 2009, 12:10 am

Re: surprise.exe file hit me

Unread postby chryssi2001 » May 5th, 2009, 7:44 am

Hello devsenemy,

Please go to my post here run AWF option 1 again and post back the report.

Is this all working towards recovering my .pst data for my Outlook 2007?

I started cleaning infections which may have caused the Outlook2007 problem. We still have more cleaning to do.

Where did you see this file?
surprise.exe
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: surprise.exe file hit me

Unread postby devsenemy » May 5th, 2009, 12:06 pm

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Tue 05/05/2009
The current time is: 7:17:18.59


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/02/2005 05:44 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\DISC\BAK

03/16/2006 02:12 AM 1,077,248 DISCover.exe
03/16/2006 02:11 AM 61,440 DiscUpdMgr.exe
2 File(s) 1,138,688 bytes

Directory of C:\PROGRA~1\HPDIGI~1\BAK

03/20/2006 09:05 AM 90,112 DMAScheduler.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\CREATOR\BAK

12/14/2004 02:23 AM 663,552 Remind_XP.exe
1 File(s) 663,552 bytes

Directory of C:\WINDOWS\EHOME\BAK

09/29/2005 09:01 PM 67,584 ehtray.exe
1 File(s) 67,584 bytes

Directory of C:\WINDOWS\SMINST\BAK

07/22/2005 10:14 PM 237,568 RECGUARD.EXE
1 File(s) 237,568 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/09/2004 09:00 PM 15,360 ctfmon.exe
02/07/2006 08:36 AM 77,824 hkcmd.exe
02/07/2006 08:40 AM 118,784 igfxpers.exe
3 File(s) 211,968 bytes

Directory of C:\PROGRA~1\AIM\AIMPRO~1\BAK

01/29/2007 11:57 PM 5,039,696 aimpro.exe
1 File(s) 5,039,696 bytes

Directory of C:\PROGRA~1\GOOGLE\PICASA3\BAK

12/05/2006 06:44 PM 366,400 PicasaMediaDetector.exe
1 File(s) 366,400 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

02/15/2006 10:34 PM 249,856 HPBootOp.exe
1 File(s) 249,856 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

12/15/2005 06:18 PM 49,152 HPwuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\INTEL\INTELM~1\BAK

10/12/2005 07:30 PM 139,264 iaanotif.exe
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\WORDPE~1\PROGRAMS\BAK

04/06/2006 01:55 AM 77,892 QFSCHD130.EXE
1 File(s) 77,892 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

08/11/2005 05:30 PM 81,920 issch.exe
08/11/2005 05:30 PM 249,856 isuspm.exe
2 File(s) 331,776 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

06/13/2006 09:08 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\{33D6C~1\BAK

06/01/2005 11:35 PM 49,152 hphupd08.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

03/14/2007 03:43 AM 83,608 jusched.exe
1 File(s) 83,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.EXE"
1077248 Mar 16 2006 "C:\Program Files\DISC\bak\DISCover.exe"
61440 Mar 16 2006 "C:\Program Files\DISC\bak\DiscUpdMgr.exe"
90112 Mar 20 2006 "C:\Program Files\HP DigitalMedia Archive\bak\DMAScheduler.exe"
342312 Apr 2 2009 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Apr 7 2009 "C:\WINDOWS\Installer\{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}\iTunesIco.exe"
413696 Jan 5 2009 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
663552 Dec 14 2004 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
237568 Jul 22 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
15360 Apr 13 2008 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 9 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Feb 7 2006 "C:\hp\drivers\video_Intel\hkcmd.exe"
77824 Feb 7 2006 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Feb 7 2006 "C:\hp\drivers\video_Intel\igfxpers.exe"
118784 Feb 7 2006 "C:\WINDOWS\system32\bak\igfxpers.exe"
5039696 Jan 29 2007 "C:\Program Files\AIM\AIM Pro\bak\aimpro.exe"
755264 Jan 5 2009 "C:\Program Files\Google\Picasa3\PicasaUpdater.exe"
366400 Dec 5 2006 "C:\Program Files\Google\Picasa3\bak\PicasaMediaDetector.exe"
685640 Jan 5 2009 "C:\Program Files\Google\Picasa3\cdautorun\PicasaRestore.exe"
4912968 Nov 10 2006 "C:\Documents and Settings\HP_Administrator\Desktop\CRAP\Desktop Icons\picasaweb-current-setup.exe"
249856 Feb 15 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
49152 Dec 15 2005 "C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
139264 Oct 12 2005 "C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe"
77892 Apr 6 2006 "C:\Program Files\WordPerfect Office X3\Programs\bak\QFSCHD130.EXE"
35696 Feb 27 2009 "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
73728 Aug 28 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
81920 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
205480 Aug 30 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
249856 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
185896 Oct 2 2008 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Jun 13 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
49152 Jun 1 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
36975 Aug 27 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
126976 Jul 12 2007 "C:\Program Files\Java\jdk1.6.0_02\jre\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe"


end of report


_________________________

I don't know where I saw it really, sorry.
devsenemy
Regular Member
 
Posts: 17
Joined: April 26th, 2009, 12:10 am

Re: surprise.exe file hit me

Unread postby chryssi2001 » May 5th, 2009, 3:36 pm

Hello devsenemy,

I don't know where I saw it really, sorry.

Ok never mind, let's continue.
----------------------------------------------
Let's try to find it with a search. Start > Search > For Files and Folders.
Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the Search for files and folders named box:
surprise.exe

When you find it, if you move your mouse on the file icon it will show you the path, pay attention where the file is located, and copy back the path.
For example the path may be like this:
C:\Windows\system\surpise.exe
or any other path (path is in red colour).
----------------------------------------------
Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 13.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 13
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u13-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
----------------------------------------------
Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, after i tell you that your computer is clean.
----------------------------------------------
REMOVE VIEWPOINT

You have Viewpoint, Viewpoint Manager, Viewpoint Media Player installed on your system. These programs are not malware but are considered as foistware instead of malware since they are installed without user's approval, and for this reason I recommend you remove them.

To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  • Do the same for each Viewpoint component.
----------------------------------------------
Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
c:\windows\system32\7C218E6431.sys

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myofficeinmotion.com/esuite/control/main << Fix this line only if you didn't set it as your Start Page.
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    http://malwareremoval.com/forum/viewtopic.php?f=11&t=42273&p=434330#p434330
    
    Collect::
    c:\windows\system32\gumejisi.exe
    c:\windows\system32\BIT11.tmp
    c:\windows\system32\tosikuli.exe
    
    Folder::
    C:\Program Files\Viewpoint
    
    Driver::
    Viewpoint Manager Service
    
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Post back:
Jotti results.
Combofix report.
A new HijackThis log.
Let me know if you found surprise.exe file and the path.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: surprise.exe file hit me

Unread postby devsenemy » May 6th, 2009, 12:17 am

Followed instructions:

No surprise.exe found
-------------------
Uninstalled old Java and followed your direction to install new Java
------------------
Spybot no longer on my PC, as I uninstalled it earlier in our posts.
------------------
Removed viewpoint
------------------
Let me go run the jotti and follow rest of instructions. Will post my additional reply below.

Thanks
devsenemy
Regular Member
 
Posts: 17
Joined: April 26th, 2009, 12:10 am

Re: surprise.exe file hit me

Unread postby devsenemy » May 6th, 2009, 12:21 am

jotti scan:

Scan taken on 06 May 2009 04:18:14 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Quick Heal
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

----------------------

Hijack fix done. Left my homepage alone. Fixed other.
devsenemy
Regular Member
 
Posts: 17
Joined: April 26th, 2009, 12:10 am

Re: surprise.exe file hit me

Unread postby devsenemy » May 6th, 2009, 12:37 am

COMBO FIX

ComboFix 09-05-05.03 - HP_Administrator 05/05/2009 21:28.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.321 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated)

file zipped: c:\windows\system32\BIT11.tmp
file zipped: c:\windows\system32\gumejisi.exe
file zipped: c:\windows\system32\tosikuli.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\BIT11.tmp
c:\windows\system32\gumejisi.exe
c:\windows\system32\tosikuli.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-05-05 20:37 . 2009-05-05 20:37 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-02 17:59 . 2009-05-03 17:30 -------- d-----w c:\documents and settings\HP_Administrator\Local Settings\Application Data\Meebo
2009-04-26 03:55 . 2009-04-26 03:55 -------- d-----w c:\program files\Trend Micro
2009-04-26 03:23 . 2009-04-26 03:23 -------- d-----w c:\documents and settings\HP_Administrator\Local Settings\Application Data\PCHealth
2009-04-26 01:24 . 2004-10-17 04:46 178176 ----a-w c:\windows\system32\StellarProfile.dll
2009-04-26 01:24 . 2006-04-17 18:56 1207808 ----a-w c:\windows\system32\PhoenixDll.dll
2009-04-26 01:24 . 2009-04-26 03:02 -------- d-----w c:\program files\Stellar Phoenix Outlook PST Repair
2009-04-21 22:31 . 2009-04-21 22:32 -------- d-----w c:\program files\pdf24
2009-04-16 14:48 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 14:48 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 14:48 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 14:48 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 14:48 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 14:48 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 14:48 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 14:48 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 14:48 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 14:47 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 14:47 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 14:11 . 2009-04-16 14:11 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-04-16 14:11 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-16 14:11 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 14:11 . 2009-04-16 14:11 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 14:11 . 2009-05-01 15:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-14 19:46 . 2009-04-14 19:46 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-14 19:41 . 2009-04-14 19:41 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-14 19:41 . 2009-04-14 19:41 -------- d-----w c:\program files\NOS
2009-04-09 18:33 . 2009-04-09 18:33 -------- d-----r c:\program files\Skype
2009-04-08 21:50 . 2009-04-25 14:46 256 ----a-w c:\windows\system32\pool.bin
2009-04-08 21:15 . 2007-01-18 17:24 26496 ----a-r c:\windows\system32\drivers\RimSerial.sys
2009-04-08 21:15 . 2009-05-03 17:28 -------- d-----w c:\program files\Common Files\Research In Motion
2009-04-08 05:07 . 2009-04-08 05:07 -------- d-----w c:\program files\iPod
2009-04-08 05:07 . 2009-04-08 05:07 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 20:37 . 2006-06-14 03:40 -------- d-----w c:\program files\Java
2009-05-05 20:35 . 2008-05-29 01:18 -------- d-----w c:\program files\IncrediMail
2009-05-05 20:32 . 2008-05-10 18:50 -------- d-----w c:\program files\iWin.com
2009-05-03 17:33 . 2008-11-25 20:06 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-03 17:29 . 2006-06-14 04:08 262552 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-03 17:29 . 2009-03-16 17:00 -------- d-----w c:\program files\ClockIt
2009-05-03 17:26 . 2006-11-05 06:43 -------- d-----w c:\program files\WordPerfect Office X3
2009-04-27 14:45 . 2006-06-14 04:18 -------- d-----w c:\program files\Microsoft Works
2009-04-27 14:12 . 2009-04-05 03:21 -------- d-----w c:\program files\Microsoft Small Business
2009-04-24 15:57 . 2008-11-25 20:10 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-24 15:57 . 2008-11-25 20:10 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-24 15:57 . 2008-11-25 20:10 12552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-04-24 15:57 . 2008-11-25 20:10 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-08 05:07 . 2006-11-05 03:11 -------- d-----w c:\program files\iTunes
2009-04-08 05:07 . 2007-08-12 05:19 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 12:45 . 2009-04-05 03:14 -------- d-----w c:\program files\Microsoft SQL Server
2009-04-05 03:18 . 2006-06-14 04:19 -------- d-----w c:\program files\Microsoft.NET
2009-04-05 03:06 . 2006-06-14 04:32 -------- d-----w c:\program files\Google
2009-04-05 02:44 . 2006-11-05 06:30 4232 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-05 02:44 . 2006-11-05 06:30 168 --sh--r c:\windows\system32\7C218E6431.sys
2009-04-01 10:58 . 2008-01-23 18:29 -------- d-----w c:\program files\GamesBar
2009-03-31 22:40 . 2009-02-12 22:51 -------- d-----w c:\program files\American Airlines DealFinder
2009-03-31 22:39 . 2006-11-05 03:10 -------- d-----w c:\program files\QuickTime
2009-03-29 00:27 . 2008-07-29 15:21 -------- d-----w c:\program files\Safari
2009-03-22 23:38 . 2006-06-14 03:53 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-22 23:38 . 2009-03-22 23:38 -------- d-----w c:\program files\Rockstar Games
2009-03-20 06:40 . 2009-03-20 06:40 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 09:54 . 2008-04-09 19:57 -------- d-----w c:\program files\Stamps.com Internet Postage
2009-03-06 14:22 . 2004-08-10 04:00 284160 ------w c:\windows\system32\pdh.dll
2009-03-06 06:59 . 2009-03-29 00:06 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 06:59 . 2008-11-14 16:04 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2004-08-10 04:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-10 04:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-10 04:00 729088 ------w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 11:00 714752 ------w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 04:00 617472 ------w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-10 04:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-10 04:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-10 04:00 110592 ------w c:\windows\system32\services.exe
2009-02-06 11:06 . 2006-11-06 11:00 2145280 ------w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 04:00 35328 ------w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2006-11-06 11:00 2023936 ------w c:\windows\system32\ntkrnlpa.exe
2008-05-06 06:57 . 2008-05-06 06:57 0 ----a-w c:\program files\temp01
2007-08-24 04:18 . 2007-08-24 04:18 774144 ----a-w c:\program files\RngInterstitial.dll
1999-01-15 17:51 . 2008-01-24 04:11 266 ----a-w c:\program files\internet explorer\plugins\Efile.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-02_14.53.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-05 20:37 . 2009-05-05 20:37 16384 c:\windows\Temp\Perflib_Perfdata_570.dat
+ 2009-05-05 20:37 . 2009-05-05 20:37 148888 c:\windows\system32\javaws.exe
+ 2009-05-05 20:37 . 2009-05-05 20:37 144792 c:\windows\system32\javaw.exe
+ 2009-05-05 20:37 . 2009-05-05 20:37 144792 c:\windows\system32\java.exe
+ 2005-08-31 04:05 . 2009-05-03 17:33 715152 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-01-06 17:05 . 2005-02-03 00:44 61440 c:\hp\KBD\bak\KBD.EXE

2007-05-11 10:06 . 2007-05-11 10:06 40048 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

2007-01-30 06:57 . 2007-01-30 06:57 5039696 c:\program files\AIM\AIM Pro\bak\aimpro.exe

2005-08-12 00:30 . 2005-08-12 00:30 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
2007-08-29 00:43 . 2007-08-29 00:43 73728 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

2005-08-12 00:30 . 2005-08-12 00:30 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
2007-08-30 17:50 . 2007-08-30 17:50 205480 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

2006-06-14 04:08 . 2006-06-14 04:08 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
2008-10-02 08:51 . 2008-10-02 08:51 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

2006-03-16 09:12 . 2006-03-16 09:12 1077248 c:\program files\DISC\bak\DISCover.exe

2006-03-16 09:11 . 2006-03-16 09:11 61440 c:\program files\DISC\bak\DiscUpdMgr.exe

2006-12-06 01:44 . 2006-12-06 01:44 366400 c:\program files\Google\Picasa3\bak\PicasaMediaDetector.exe

2006-02-16 05:34 . 2006-02-16 05:34 249856 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe

2006-06-14 03:27 . 2005-06-02 06:35 49152 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe

2005-12-16 01:18 . 2005-12-16 01:18 49152 c:\program files\HP\HP Software Update\bak\HPwuSchd2.exe

2006-03-20 16:05 . 2006-03-20 16:05 90112 c:\program files\HP DigitalMedia Archive\bak\DMAScheduler.exe

2006-06-14 03:53 . 2005-10-13 02:30 139264 c:\program files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe

2006-10-30 17:36 . 2006-10-30 17:36 256576 c:\program files\iTunes\bak\iTunesHelper.exe
2009-04-02 23:11 . 2009-04-02 23:11 342312 c:\program files\iTunes\iTunesHelper.exe

2007-09-22 15:55 . 2007-03-14 10:43 83608 c:\program files\Java\jre1.6.0_01\bin\bak\jusched.exe

2007-06-29 13:24 . 2007-06-29 13:24 286720 c:\program files\QuickTime\bak\qttask.exe
2009-01-05 23:18 . 2009-01-05 23:18 413696 c:\program files\QuickTime\QTTask.exe

2006-04-06 08:55 . 2006-04-06 08:55 77892 c:\program files\WordPerfect Office X3\Programs\bak\QFSCHD130.EXE

2006-06-14 04:20 . 2004-12-14 09:23 663552 c:\windows\CREATOR\bak\Remind_XP.exe

2004-08-10 10:04 . 2005-09-30 04:01 67584 c:\windows\ehome\bak\ehtray.exe
2004-08-10 10:04 . 2005-08-06 03:56 64512 c:\windows\ehome\ehtray.exe

2006-06-14 04:20 . 2005-07-23 05:14 237568 c:\windows\SMINST\bak\RECGUARD.EXE

2004-08-10 04:00 . 2004-08-10 04:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-10 04:00 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2006-06-14 03:51 . 2006-02-07 15:36 77824 c:\windows\system32\bak\hkcmd.exe

2006-06-14 03:51 . 2006-02-07 15:40 118784 c:\windows\system32\bak\igfxpers.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-24 1947928]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-02 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-05 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-24 15:57 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=c:\windows\pss\Updates From HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Symantec RemoteAssist"=3 (0x3)
"Pml Driver HPZ12"=0 (0x0)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)
"gusvc"=2 (0x2)
"ELService"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"MyWebSearchService"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVCOMSer"=2 (0x2)
"iWinGamesInstaller"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"InstallShield Licensing Service"=3 (0x3)
"idsvc"=3 (0x3)
"getPlus(R) Helper"=3 (0x3)
"Bonjour Service"=2 (0x2)
"BcmSqlStartupSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/25/2008 1:10 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/25/2008 1:10 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/25/2008 1:10 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/8/2009 9:05 AM 298776]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
S4 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [4/14/2009 12:41 PM 33176]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-13 21:55]

2009-05-03 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-01-05 14:29]

2009-05-05 c:\windows\Tasks\User_Feed_Synchronization-{8F2F561B-2337-4E60-92EF-6A2E65DC15BB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.myofficeinmotion.com/esuite/control/main
mStart Page = hxxp://home.sweetim.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Lance Norris\Start Menu\Programs\Accessories\IMVU\Run IMVU.lnk
DPF: {87587503-20F0-4FF5-8DA3-0106C4C03FDC} - hxxp://www.vibephone.com/vm/vmdata/down ... uncher.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\j34ozj15.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-yff2&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.myofficeinmotion.com/esuite/control/main
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-yff2&p=
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 21:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-06 21:35
ComboFix-quarantined-files.txt 2009-05-06 04:35
ComboFix2.txt 2009-05-03 17:42
ComboFix3.txt 2009-05-03 17:08
ComboFix4.txt 2009-05-02 15:01

Pre-Run: 125,604,958,208 bytes free
Post-Run: 125,598,224,384 bytes free

305 --- E O F --- 2009-04-29 10:01
Upload was successful
devsenemy
Regular Member
 
Posts: 17
Joined: April 26th, 2009, 12:10 am

Re: surprise.exe file hit me

Unread postby devsenemy » May 6th, 2009, 12:43 am

This is the error message I keep getting when trying to open Outlook 2007 (which I upgraded from Outlook 2003 and which worked fine for about a month or so):

Cannot start Microsoft Office Outook. Cannot open the Outlook window. The set of folders cannot be opened. Errors have been detected in the file C:\Documents and Settings\HP_Administrator\Local Settings\Application\Data\Microsoft|Outlook|Outlook.pst. Quit Outlook and all mail-enabled applications, and then use the Inbox repair tool (Scanpst.exe) to diagnose and repair errors in the file. For more information about the Inbox repair tool, see Help.

I cannot even open it. This is the message that pops up. I cannot locate the .pst file referenced, and i ahve tried the scanpst.exe.
devsenemy
Regular Member
 
Posts: 17
Joined: April 26th, 2009, 12:10 am

Re: surprise.exe file hit me

Unread postby chryssi2001 » May 6th, 2009, 7:15 am

Hello devsenemy,

If you go Start > Programs can you find Outlook 2007? Is there a repair option?

Did you try to re-download it? Does it show in your Add/Remove programs?
Does it have a repair option there?

What i suspect is the possibility there is an infected email, which may corrupted the program.
Even if not an infected email, it looks that the program is corrupted.

Can you try to go in Safe mode and see it it works, or you get a repair option there?

These are the instructions which explain how you can go in Safe Mode:

Go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Now try all the above plus using this:scanpst.exe

Searching for this problem i also found this:
Go to c:\program files\microsoft office\office 12*\
run the file called scanpst.exe

browse to the location where your *.pst file is and let the repair tool run,
it'll probably find some errors in it so just press 'repair'.

Give it a try. *Office might a different number for you.

If all these fails, see if you can uninstall-reinstall Outlook 2007. If you don't want to do that, i can send you after we are done to a General Troubleshooting forum, and get help for this program.
----------------------------------------------
F-Secure Online Scan

Scan online using F-Secure Online Scanner Next Generation using Internet Explorer
http://support.f-secure.com/enu/home/ols3.shtml
  • Click on the link "F-Secure Online Scanner Next Generation".
  • You may receive an alert on the address bar at this point to install the ActiveX control.
  • Click on that alert and then Click Install ActiveX component.
  • Read the license agreement and click "Accept".
  • Click "Full System Scan" to download the scanning components and begin scan and cleaning.
  • When done click "Show report" and copy/paste its contents into your next reply.
----------------------------------------------
Post back:
F-Secure report.
A new HijackThis log.
Tell me how the pc is running except the Outlook problem.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: surprise.exe file hit me

Unread postby devsenemy » May 6th, 2009, 9:26 am

Scan online using F-Secure Online Scanner Next Generation using Internet Explorer
http://support.f-secure.com/enu/home/ols3.shtml

Click on the link "F-Secure Online Scanner Next Generation".
You may receive an alert on the address bar at this point to install the ActiveX control.
Click on that alert and then Click Install ActiveX component.
Read the license agreement and click "Accept".
Click "Full System Scan" to download the scanning components and begin scan and cleaning.
When done click "Show report" and copy/paste its contents into your next reply.


When I click on your link to go to support.f-secure.com.... I come to a support home page. I don't see a link for "F-Secure Online Scanner Next Generation". I did a google search with this information and found http://support.f-secure.com/enu/home/ols.shtml however it does not say "next generation". Is this the right scan I should do?
devsenemy
Regular Member
 
Posts: 17
Joined: April 26th, 2009, 12:10 am

Re: surprise.exe file hit me

Unread postby chryssi2001 » May 6th, 2009, 10:45 am

Sorry about this, here are new instructions with a proper link.
----------------------------------------------
F-Secure Online Scan
Note: You will need to use Internet explorer for this scan.
  • Go here to run an online scan from F-Secure
  • Click on Start scanning
  • This will open a new internet explorer window
  • It will require an activex control, please install it
  • Click Accept
  • Click Full System Scan
  • It will now download the scanner, this may take a while, please be patient
  • It will then start scanning, wait for the scan to finish
  • Click Automatic cleaning (recommended)
  • Wait for it finish the cleaning process
  • Click show report
  • This will open up a window with the results of the scan, copy and paste those results as a reply to this topic.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 316 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware