weird notepad file.

system · March 21, 2009, 8:04pm

what is the notepad file called SetupAdmin524 for?

Lisandro · March 21, 2009, 8:16pm

Where is that file?
From which program does it belong?

polonus · March 21, 2009, 8:45pm

Hi Emimen,

The unsafe files using this name are associated with the malware group:

* Adware

So give us a HijackThis logfile txt added to your next posting, get it here: http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Then we can have a look at that to see with what tools to scan if there is a version of the wrong SetupAdmin524, you could also load up the file in question to have it scanned through virustotal.com and give these results attached next to your hjt logfile.txt,

polonus

system · March 22, 2009, 2:12am

C:\WINDOWS\Temp is the location it is in.

system · March 22, 2009, 2:15am

heres my hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:31 PM, on 3/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM..\Run: [VTTimer] VTTimer.exe
O4 - HKLM..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} -
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

–
End of file - 7059 bytes

system · March 22, 2009, 2:19am

inside the file it says.
=== Logging started: 3/17/2009 19:25:56 ===
Command Line:

Exiting with code: 0

I used virustotal to scan it and it said the result was 0/39? So i’m guessing this means nothing bad was detected?

system · March 22, 2009, 2:20am

0 out of the 39 programs that scanned it on virustotal said it was infected

system · March 22, 2009, 3:13am

An Analysis of your HJT log shows these entries as either questionable or bad :

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
http://www.threatexpert.com/report.aspx?md5=9ef206c00cf1552e2b63344b8a660082
Remains of Yahoo! Companion. Unnecessary (deactivated) entry that can be fixed.

O4 - HKLM..\Run: [AlcxMonitor] ALCXMNTR.EXE
http://www.bleepingcomputer.com/startups/Alcxmntr.exe-245.html
http://www.what-is-exe.com/filenames/alcxmntr-exe.html
Conflicting reports - first says it is bad; second says it is not. Related to Realtek Audio event monitor.

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
Macromedia ActiveX control

system · March 22, 2009, 1:58pm

i deleted the setupadmin524 notepad file. I ran ccleaner and it deleted one of the temp files for it but the notepad files were still there. There were 2 notepad files and 1 was a shortcut. Am i ok now?

system · March 22, 2009, 1:59pm

thanks. I fixed those entries except for the one where there are conflicting reports.

polonus · March 22, 2009, 2:12pm

smss.exe
Hi Eminem, now everything seems OK as according to the HJT log.
Here is a summary of the tasks you have running on that machine:

smss.exe
System task

Session Manager Subsystem

winlogon.exe
System task

Microsoft Windows Logon Process

services.exe
System task

Windows Service Controller

lsass.exe
System task

Local Security Authority Service

svchost.exe
System task

Microsoft Service Host Process

svchost.exe
System task

Microsoft Service Host Process

vsmon.exe
Firewall

ZoneLabs True Vector Internet Monitor

aswUpdSv.exe
Virusscan

Avast Anti-Virus Component

ashServ.exe
Virusscan

Avast

LEXBCES.EXE
Backgroudntask

LexBce Service

LEXPPS.EXE
Backgroundtask

Lexmark Printer Sharing

spoolsv.exe
System task

Microsoft Printer Spooler Service

Explorer.EXE
System task

Microsoft Windows Explorer

AppleMobileDeviceService.exe
Backgroundtask

Apple Mobile Device Service

mDNSResponder.exe
Backgroundtask

Bonjour for Windows Component

jqs.exe
Backgroundtask

jqs.exe

MDM.EXE
Backgroundtask

Machine Debug Manager

VTTimer.exe
Application

VIA Graphics Card Driver

KBD.EXE
Backgroundtask

Multimedia keyboard manager.

hpsysdrv.exe
Application

Hewlett-Packard Monitoring Tool

AGRSMMSG.exe
Systeem taak

IBM AMR modem driver

jusched.exe
Backgroundtask

Sun Java Update Scheduler

iTunesHelper.exe
Application

Apple Itunes

zlclient.exe
Firewall

ZoneLabs Firewall Client

ashDisp.exe
Virusscan

Avast AntiVirus

ctfmon.exe
System task

Alternative User Input Services

ashMaiSv.exe
Virusscan

Avast Anti-Virus Component

ashWebSv.exe
Virusscan

avast! Web Scanner

iPodService.exe
Backgroundtask

Apple iTunes

TeaTimer.exe
Application

Spybot S&D Realtime Scanner

iexplore.exe
Application

Microsoft Internet Explorer

HijackThis.exe
Application

Hijackthis 2.0.2

That is all,

polonus

system · March 22, 2009, 2:36pm

thank you very much for all your help.

weird notepad file.

Announcements