
366 Posts

August 29th, 2006 14:00

bps spyware

Hi, I did an ad aware scan and it pointed up 2 registry references to BPS spyware. Ad aware said this was low risk, TAC score of 3. I have googled, and found references which said it was a program that gave false positives. Whatever, I want to get rid of it. To this end, I ran a Hijack This scan and could not see any reference to it, so I am posting below the scan and wonder if someone can take a look and see if you can see it? Is it ok to quarantine the refs in Ad Aware? Or should I go in to the registry and delete from there?

Appreciate your help.

Logfile of HijackThis v1.99.1
Scan saved at 15:32:28, on 28/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://plus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetMeter (2).lnk = C:\Program Files\NetMeter\NetMeter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,90/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E38EBF8-094E-4EB3-861A-B5F814BCAC7E}: NameServer = 212.159.13.49,212.159.13.50
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Nothing was picked up before I downloaded Kerio firewall; does it come with that?

20.5K Posts

August 29th, 2006 17:00

This was a false positive that Ad-aware fixed with its update yesterday. If you have put BPS in Quarantine, restore it, update Ad-aware and run Ad-aware again.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_08-windowsi586-p.exe to install the newest version.

Message Edited by Bugbatter on 08-31-2006 07:54 PM
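As an added example (not part of this thread, and not code from HijackThis or Ad-Aware), here is a small Python parser for HijackThis log lines of the kind posted above. It answers the two questions raised in the thread in a repeatable way: whether a string such as "BPS" appears in any running process, autostart, BHO, DPF or service entry, and which Java (JRE) install directories the entries reference, so that anything older than the JRE 5.0 Update 8 (1.5.0_08) recommended above is flagged. The line layout assumed here (section code, description, {CLSID}, path) is inferred from the visible log rather than taken from HijackThis's source, and SAMPLE_LOG is a constructed subset of the log posted above; both are assumptions of this example.

```python
"""HijackThis v1.99 log triage: search entries and flag old Java install paths.

Added example, not code from this thread or from HijackThis. The line layout
assumed here ("Oxx - description - {CLSID} - path") is inferred from the log
posted in the thread; SAMPLE_LOG is a constructed subset of that log.
"""
import re

# Constructed sample: a handful of lines copied from the log posted above,
# including header lines and a process list that the parser must handle.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://plus.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
"""

# JRE 5.0 Update 8 == 1.5.0_08, the version recommended in the thread.
MIN_JAVA = (1, 5, 0, 8)

# "O4 - ..." / "R0 - ...": a letter, one or two digits, then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path up to end of line; deliberately not split on " - ",
# because paths such as "Spybot - Search & Destroy" contain that separator.
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")
URL_RE = re.compile(r"https?://\S+")
# Sun JRE install directories: j2re1.4.2_03 (1.4.x naming) or jre1.5.0_08.
JAVA_RE = re.compile(r"j2?re(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)


def _entry(section, body):
    """Build one structured record from a section code and the rest of the line."""
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    url = URL_RE.search(body)
    return {
        "section": section,
        "body": body,
        "clsid": clsid.group(0) if clsid else None,
        "path": path.group(0) if path else None,
        "url": url.group(0) if url else None,
    }


def parse_hjt(text):
    """Return a list of records for the process list and every Rx/Oxx entry."""
    entries = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            entries.append(_entry("PROC", line))
            continue
        m = ENTRY_RE.match(line)
        if m:                         # header lines like "Platform: ..." are skipped
            entries.append(_entry(m.group("section"), m.group("body")))
    return entries


def find_entries(entries, term):
    """Case-insensitive substring search over every entry (path, name, CLSID, URL)."""
    needle = term.lower()
    return [e for e in entries if needle in e["body"].lower()]


def java_versions(entries):
    """Set of (major, minor, micro, update) tuples for every JRE path referenced."""
    versions = set()
    for e in entries:
        for m in JAVA_RE.finditer(e["body"]):
            versions.add(tuple(int(x) for x in m.groups()))
    return versions


def outdated_java(entries, minimum=MIN_JAVA):
    """Sorted list of referenced JRE versions older than `minimum`."""
    return sorted(v for v in java_versions(entries) if v < minimum)


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for e in find_entries(found, "bps"):
        print("match:", e["section"], e["body"])
    for v in outdated_java(found):
        print("outdated JRE referenced: %d.%d.%d_%02d" % v)
```

Run against the sample, "bps" matches nothing and the only JRE referenced is 1.4.2_03, which is reported as older than 1.5.0_08. Note the limitation the later reply in this thread points out: HijackThis only lists what an autostart, BHO, service or running process references, so a string missing from the log (or an extra JRE directory that no entry points at) is not proof that it is absent from the disk or registry; Add/Remove Programs and the install directory still need a look.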

366 Posts

August 29th, 2006 17:00

Thanks for your quick reply bugbatter. I'm off to update ad aware, and I'll run another scan.

20.5K Posts

August 29th, 2006 18:00

You're welcome.

Quote:
Ad-Aware SE1R121 28.08.2006

This fixes a False Positive in BPS SpywareRemover.
This fixes a False Positive in TrojanBackdoor.Serv-U.

New Definitions:
========================
Adware.180Solutions.Seekmo +8
Adware.Axfibula
Win32.Hacktool.AmericanPride
Win32.Hacktool.Brontok
Win32.Hacktool.VncNoAuth
Win32.Worm.Viking +7

Updated Definitions:
========================
Adware.NewWeb
Adware.WSearch +7
AlertSpy
CoulombDialer
Dialer +7
Spyagent
SPySpotter
SPywareNo
SystemDoctor +2
Webhancer
Win32.Backdoor.Agent +6
Win32.Backdoor.Rbot +4
Win32.Downloader
Win32.Generic.PWS +7
Win32.Mydoom.A +7
Win32.Trojan.Agent +4
Win32.Trojan.Downloader +14
Win32.TrojanClicker +2
Win32.Trojandownloader.Zlob
Win32.TrojanProxy.Agent.dl +3
Win32.TrojanSpy.Bancos +5
Win32.TrojanSpy.Banker +26
Win32.TrojanSpy.Goldun +2
MD5 checksum is: 5904b8b8437a98ae259c993bc385af49
------------------------------------------------------------

Don't forget to update your Java.

366 Posts

August 30th, 2006 08:00

hey Bugbatter

Have updated Adaware and run a new scan - nothing showed up, thanks for help.

Thanks also for advice re Java. I have downloaded your instructions to my desktop and will read through and action later.

20.5K Posts

August 30th, 2006 11:00

You're very welcome. I'm glad we could help. :)

366 Posts

August 31st, 2006 18:00

Don't know if Bugbatter will come back to read this, but thought it might amuse one or two others. I followed Bugbatter's suggestion re Java update above, got as far as downloading new Java, deleting old, rebooting the computer, got back to the desktop - and the computer froze. Nothing moved, the cursor just showed as an eggtimer. I decided to switch off, which I could only do by holding down the off button. I rebooted and the same thing happened. This time though I was able to open C Cleaner, clicked on analyze and the program found 21.4MB of data to be removed! This is actually a record for me. I clicked ok and luckily it worked. After this, I was able to install the new Java, rebooted and so far things seem ok (note the worried hesitancy). Would anyone know why the computer froze? I'd be interested in any comments; has anyone else downloaded Java 5.0?

20.5K Posts

August 31st, 2006 23:00

Good grief! That IS "amusing"! I'm glad it worked out okay. Yes, I see exactly what happened and I have edited above to remove the DOUBLE instructions. I don't know if it was the forum software or what, but the instructions posted twice as combined instructions. Therefore, you must have downloaded (or tried to) the offline installation multiple times.

Message Edited by Bugbatter on 08-31-2006 07:59 PM

366 Posts

September 1st, 2006 07:00

No, actually I did spot that myself and just ignored the repeated bits at the end. It really was a strange thing that happened, and I'm so glad I had C Cleaner installed on the computer. But I have checked that the new Java seems to work - with one site I often visit, I get the Java "teacup" icon in the system tray and when I went back to the site after the download the icon appeared, so at the moment all seems well (shouldn't say that, should I?). The only thing I wondered is, when you referred to deleting all previous Java installs I only found one in Add/Remove Programs, I checked very thoroughly, and I hope no other old Java files were left behind. Anyway, thanks for pointing out the update. Have a good day.

20.5K Posts

September 1st, 2006 12:00

It appears as if your latest version was j2re1.4.2_03 before your recent update. Some people have done regular updates so they have additional versions that have accumulated, but they don't always show up in HijackThis. That is why that line is in there about "all previous Java installs".
