Author Topic: Error 1706 and Trojans  (Read 14208 times)

brenda31

  • Guest
Re: Error 1706 and Trojans
« Reply #15 on: February 05, 2008, 05:35:35 AM »
C:\Documents and Settings\Brenda Mayorga\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 11:04:08 38912]
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-23 13:23:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-04-29 07:02 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-03-13 16:20 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 09:18]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-05 02:22:08 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-05-14 12:29:00 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-02-04 07:36:15 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 20:47:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-04 20:53:14
ComboFix-quarantined-files.txt  2008-02-05 02:53:06
ComboFix2.txt  2008-02-03 05:08:10
ComboFix3.txt  2008-01-31 01:48:20
.
2008-02-01 06:07:19   --- E O F --- 

brenda31

  • Guest
Re: Error 1706 and Trojans
« Reply #16 on: February 05, 2008, 05:36:30 AM »
What should I do now?  I had to run the combofix twice to get the log.  The first time I ran it, I didn't get a log.  Thanks again for your help. 

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Error 1706 and Trojans
« Reply #17 on: February 05, 2008, 06:28:06 AM »
Good, combofix did what it was supposed to do.

What to do now?  ;) Well if everything is ok, we clean up the tools we used and update your java.

If you are still experiencing problems, please let me know. If all is fine then do the following, it looks like a lot but it doesn't take much time at all.

1. Click start button, click run, copy and paste the following line into the box and click ok.

combofix /u


2. Open HJT, click misc tools button, slide the slider down, click uninstall. You will have to delete the hjt.exe

3. Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, click create

4. Remove old restore points

- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.


5. Your java is a bit behind, old java can be an entry point for malware.

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".

Click the download button on the right.

 > If Information Bar pops up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.



6. Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

Take care and keep safe.


brenda31

  • Guest
Re: Error 1706 and Trojans
« Reply #18 on: February 06, 2008, 01:30:51 AM »
After the combofix, I am still getting HPProduct Assistant saying that the feature I am trying to use is on a CD-Rom or other removable disk that is not available. I have tried to cancel and close it up but it pops up another box that tells me Error 1706. I also notice that I am also unable to open up Excel. When I try to open Excel it tells me that I cannot because I'm attempting to install something else and to finish with that installation first. I also see in my avast log viewer, the following:
2008-01-02 9:56   SYSTEM   1900   An error has occured while attempting to update. Please check the logs. 
2008-01-02 5:08   SYSTEM   1900   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 
2008-01-02 5:08   SYSTEM   1900   An error has occured while attempting to update. Please check the logs. 
2008-01-03 12:21   SYSTEM   1900   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 
2008-01-03 12:21   SYSTEM   1900   An error has occured while attempting to update. Please check the logs. 
2008-01-13 9:20   SYSTEM   1748   Sign of "Win32:Agent-OXW [trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\KL496ZC1\load[1].php\[MEW]" file. 
2008-01-13 9:22   SYSTEM   1748   Sign of "Win32:Agent-OXW [trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\admin.exe\[MEW]" file. 
2008-01-24 9:25   SYSTEM   1248   Sign of "Win32:TratBHO [trj]" has been found in "C:\WINDOWS\system32\xepvdblg.dll" file. 
2008-01-24 9:28   SYSTEM   1248   Sign of "Win32:TratBHO [trj]" has been found in "C:\WINDOWS\system32\eiwxhssg.dll" file. 
2008-01-25 11:14   Antonio Escalante Jr   1196   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\ANTONI~1\LOCALS~1\Temp\umwibfek.dll" file. 
2008-01-26 2:35   SYSTEM   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\apumjahd.dll" file. 
2008-01-26 2:36   SYSTEM   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\egefcdha.dll" file. 
2008-01-27 2:39   SYSTEM   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\mcexrlas.dll" file. 
2008-01-27 2:41   SYSTEM   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\lrcimmfb.dll" file. 
2008-01-28 7:28   SYSTEM   1200   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\program files\google\googletoolbar2.dll (C:\program files\google\googletoolbar2.dll) returning error, 000005AF. 
2008-01-28 5:03   Brenda Mayorga   1244   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\ulqfciiq.dll" file. 
2008-01-29 5:04   Brenda Mayorga   1240   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\mvlehwyc.dll" file. 
2008-01-29 5:06   Brenda Mayorga   1240   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\ctulpmrr.dll" file. 
2008-01-30 5:07   Brenda Mayorga   1240   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\cqamufhf.dll" file. 
2008-01-30 6:04   Brenda Mayorga   1240   Sign of "Win32:TratBHO [trj]" has been found in "C:\WINDOWS\system32\cqamufhf.dll" file. 
2008-01-30 6:06   Brenda Mayorga   1240   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\njxebmxc.dll" file. 
2008-01-30 7:29   Brenda Mayorga   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\plqwttuj.dll" file. 
2008-01-30 7:29   Brenda Mayorga   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\WINDOWS\system32\plqwttuj.dll" file. 
2008-01-30 7:29   Brenda Mayorga   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\WINDOWS\system32\plqwttuj.dll" file. 
2008-01-30 7:29   Brenda Mayorga   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\mnupsrpk.dll" file. 
2008-01-30 7:29   Brenda Mayorga   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\WINDOWS\system32\mnupsrpk.dll" file. 
2008-01-30 7:29   Brenda Mayorga   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\WINDOWS\system32\mnupsrpk.dll" file. 
2008-02-01 7:31   Brenda Mayorga   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\scqvjeui.dll" file. 
2008-02-01 7:32   Brenda Mayorga   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\sdrsiciw.dll" file. 
2008-02-02 7:33   Brenda Mayorga   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\txojtpgs.dll" file. 
2008-02-02 9:24   Brenda Mayorga   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\ewqkdqnl.dll" file. 
2008-02-02 10:38   Brenda Mayorga   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\WINDOWS\system32\mnupsrpk.dll" file. 
2008-02-02 10:39   Brenda Mayorga   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\WINDOWS\system32\plqwttuj.dll" file. 
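
A way to check whether detections in an avast log excerpt like the one above fall on or after a cleanup run, added here as an example and not part of the original thread. The row layout is inferred from the posted lines, and because the log prints times without AM/PM the comparison is made on the date only.

```python
import re
from datetime import date

# Rows copied from the avast log viewer excerpt in the post above. Columns: date,
# time (no AM/PM), user, a numeric id, message, separated by runs of spaces.
SAMPLE = r'''
2008-01-03 12:21   SYSTEM   1900   An error has occured while attempting to update. Please check the logs.
2008-01-24 9:25   SYSTEM   1248   Sign of "Win32:TratBHO [trj]" has been found in "C:\WINDOWS\system32\xepvdblg.dll" file.
2008-01-25 11:14   Antonio Escalante Jr   1196   Sign of "Win32:TratBHO [trj]" has been found in "C:\DOCUME~1\ANTONI~1\LOCALS~1\Temp\umwibfek.dll" file.
2008-01-30 7:29   Brenda Mayorga   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\WINDOWS\system32\plqwttuj.dll" file.
2008-01-30 7:29   Brenda Mayorga   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\WINDOWS\system32\plqwttuj.dll" file.
2008-02-02 10:39   Brenda Mayorga   1200   Sign of "Win32:TratBHO [trj]" has been found in "C:\WINDOWS\system32\plqwttuj.dll" file.
'''
CLEANUP_DAY = date(2008, 2, 4)  # "Completion time" in the ComboFix log posted in this thread

# The user column may contain single spaces, so columns are split on 2+ spaces.
ROW = re.compile(r'^(\d{4})-(\d{2})-(\d{2}) +\d{1,2}:\d{2}\s{2,}(.+?)\s{2,}(\d+)\s{2,}(.*)$')
HIT = re.compile(r'Sign of "([^"]+)" has been found in "([^"]+)" file')

def parse_detections(text):
    """Yield (day, user, signature, path) for detection rows; other rows are skipped."""
    for line in text.splitlines():
        row = ROW.match(line.strip())
        hit = row and HIT.search(row.group(6))
        if hit:
            y, m, d = map(int, row.group(1, 2, 3))
            yield date(y, m, d), row.group(4), hit.group(1), hit.group(2)

def summarize(text, cleanup_day):
    """Per file path: signature, first/last day seen, hit count, and a review flag."""
    seen = {}
    for day, _user, sig, path in parse_detections(text):
        e = seen.setdefault(path.lower(),
                            {"signature": sig, "first": day, "last": day, "hits": 0})
        e["first"], e["last"] = min(e["first"], day), max(e["last"], day)
        e["hits"] += 1
    for e in seen.values():
        # Same-day hits cannot be ordered without AM/PM, so they are flagged too.
        e["on_or_after_cleanup"] = e["last"] >= cleanup_day
    return seen

if __name__ == "__main__":
    for path, e in sorted(summarize(SAMPLE, CLEANUP_DAY).items()):
        print(e["last"], e["hits"], e["on_or_after_cleanup"], e["signature"], path)
```
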

Offline oldman

Re: Error 1706 and Trojans
« Reply #19 on: February 06, 2008, 01:39:38 AM »
Your logs are clean.

This seems to be a common HP problem. A google search turns up a lot of HPProduct Assistant errors.

Does it say it is trying to reconfigure a particular product? One solution I came across was to uncheck all HP related entries on the startup tab.

I'll look again.
« Last Edit: February 06, 2008, 02:20:13 AM by oldman »

Offline oldman

Re: Error 1706 and Trojans
« Reply #20 on: February 06, 2008, 04:48:57 AM »
I came across something else that may be worth exploring.

Please download FindAWF and save it to your desktop


* Double-click FindAWF.exe to start the tool.
* Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
* When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

brenda31

  • Guest
Re: Error 1706 and Trojans
« Reply #21 on: February 08, 2008, 03:26:07 AM »

  Find AWF report by noahdfear ©2006
               Version 1.40

The current date is: 2008-02-07
The current time is: 20:21:46.43


  bak folders found
  ~~~~~~~~~~~



  Duplicate files of bak directory contents
  ~~~~~~~~~~~~~~~~~~~~~~~



  end of report

Offline oldman

Re: Error 1706 and Trojans
« Reply #22 on: February 08, 2008, 04:53:24 AM »
Hi  brenda31

Well AWF ruled that out. But the possibility of an infected file is still there.


I'd like you to do the cleanup list, if you haven't already done so. The scanner will detect the files we removed. Then go to the link below and do an online scan. You will have to pause the avast standard shield during the scan. Right click the "a" icon, select pause, then standard shield. Remember to resume it after the scan. Please post the results. The ESET log should be located at C:\Program Files\EsetOnlineScanner\log.txt



http://www.eset.com/onlinescan/


If that comes back clean, I suggest the HP forum. As mentioned there are a lot of google hits for HPproductassist errors.

http://forums11.itrc.hp.com/service/forums/bizsupport/categoryhome.do?categoryId=411
« Last Edit: February 08, 2008, 05:18:59 AM by oldman »