HijackThis log
Can someone tell me if anything from this hijackthis log needs to be removed? Even with firewall and anti-virus running I still got hit with adware and a virus. I already removed kernels32.exe from a previous hijackthis log and ran ad-aware in safe mode. But I'm still having issues. Thanks!!
Logfile of HijackThis v1.99.1
Scan saved at 2:25:34 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\PROGRA~1\Grisoft\AVG7\a
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spools
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\ehome\ehtray.ex
C:\PROGRA~1\COMMON~1\AOL\A
C:\PROGRA~1\Grisoft\AVG7\a
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileA
C:\WINDOWS\system32\ctfmon
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aol
C:\Program Files\Symantec\LiveUpdate\
C:\PROGRA~1\Grisoft\AVG7\a
C:\PROGRA~1\Grisoft\AVG7\a
C:\PROGRA~1\Grisoft\AVG7\a
C:\PROGRA~1\Grisoft\AVG7\a
C:\WINDOWS\eHome\ehRecvr.e
C:\WINDOWS\eHome\ehSched.e
C:\WINDOWS\system32\inetsr
C:\Program Files\Common Files\LightScribe\LSSrvc.e
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Photodex\ProShowProd
C:\WINDOWS\system32\svchos
C:\PROGRA~1\Grisoft\AVG7\a
C:\WINDOWS\system32\dllhos
C:\WINDOWS\eHome\ehmsas.ex
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Google\Gmail Notifier\bak\gnotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office Pro\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Installations\hijackthis_1
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {489021a8-a84f-49ba-bce3-d
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-F
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.ex
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\a
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-1
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\pmnlkk.dll",se
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.ex
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-4
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-4
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O16 - DPF: {31E68DE2-5548-4B23-88F0-C
O16 - DPF: {406B5949-7190-4245-91A9-3
O16 - DPF: {474F00F5-3853-492C-AC3A-4
O16 - DPF: {49232000-16E4-426C-A231-6
O16 - DPF: {493ACF15-5CD9-4474-82A6-9
O16 - DPF: {55027008-315F-4F45-BBC3-8
O16 - DPF: {74C861A1-D548-4916-BC8A-F
O16 - DPF: {AB86CE53-AC9F-449F-9399-D
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5
O16 - DPF: {CB50428B-657F-47DF-9B32-6
O16 - DPF: {E473A65C-8087-49A3-AFFD-C
O16 - DPF: {EB387D2F-E27B-4D36-979E-8
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwln
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxde
O20 - Winlogon Notify: ir4l32 - C:\WINDOWS\SYSTEM32\ir4l32
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aol
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.e
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProd
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
Logfile of HijackThis v1.99.1
Scan saved at 2:25:34 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\PROGRA~1\Grisoft\AVG7\a
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spools
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\ehome\ehtray.ex
C:\PROGRA~1\COMMON~1\AOL\A
C:\PROGRA~1\Grisoft\AVG7\a
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileA
C:\WINDOWS\system32\ctfmon
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aol
C:\Program Files\Symantec\LiveUpdate\
C:\PROGRA~1\Grisoft\AVG7\a
C:\PROGRA~1\Grisoft\AVG7\a
C:\PROGRA~1\Grisoft\AVG7\a
C:\PROGRA~1\Grisoft\AVG7\a
C:\WINDOWS\eHome\ehRecvr.e
C:\WINDOWS\eHome\ehSched.e
C:\WINDOWS\system32\inetsr
C:\Program Files\Common Files\LightScribe\LSSrvc.e
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Photodex\ProShowProd
C:\WINDOWS\system32\svchos
C:\PROGRA~1\Grisoft\AVG7\a
C:\WINDOWS\system32\dllhos
C:\WINDOWS\eHome\ehmsas.ex
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Google\Gmail Notifier\bak\gnotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office Pro\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Installations\hijackthis_1
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {489021a8-a84f-49ba-bce3-d
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-F
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.ex
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\a
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-1
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\pmnlkk.dll",se
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.ex
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-4
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-4
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O16 - DPF: {31E68DE2-5548-4B23-88F0-C
O16 - DPF: {406B5949-7190-4245-91A9-3
O16 - DPF: {474F00F5-3853-492C-AC3A-4
O16 - DPF: {49232000-16E4-426C-A231-6
O16 - DPF: {493ACF15-5CD9-4474-82A6-9
O16 - DPF: {55027008-315F-4F45-BBC3-8
O16 - DPF: {74C861A1-D548-4916-BC8A-F
O16 - DPF: {AB86CE53-AC9F-449F-9399-D
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5
O16 - DPF: {CB50428B-657F-47DF-9B32-6
O16 - DPF: {E473A65C-8087-49A3-AFFD-C
O16 - DPF: {EB387D2F-E27B-4D36-979E-8
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwln
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxde
O20 - Winlogon Notify: ir4l32 - C:\WINDOWS\SYSTEM32\ir4l32
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aol
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.e
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProd
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I cleaned the O20 - AppInit_DLLs and it was okay for a little while, now everything got worse. Before I only deleted Kernels32.exe and now it's back. I don't have that log file anymore, but it was like this C:\WINDOWS\SYSTEM32\KERNEL
I do have gmail notifier, but I'll remove it anyway, I can always re-install it. I'll go through and remove all the other files mentioned as well. I uploaded a new hijack this log to https://filedb.experts-exchange.com/incoming/ee-stuff/2993-hijackthis.txt If there's anything new that should be removed, please let me know. Thanks!
I do have gmail notifier, but I'll remove it anyway, I can always re-install it. I'll go through and remove all the other files mentioned as well. I uploaded a new hijack this log to https://filedb.experts-exchange.com/incoming/ee-stuff/2993-hijackthis.txt If there's anything new that should be removed, please let me know. Thanks!
ASKER
The proxy server is okay too. I put that one in there.
The reason I suspect a file infector is because of this line -->C:\Google\Gmail Notifier\bak\gnotify.exe
gnotify.exe is in the bak folder which could mean that the above is the original file moved to the bak folder....
example below:
C:\WINDOWS\system32\igfxtr
C:\WINDOWS\system32\bak\ig
It's okay to paste your hijackthis log here in this zone.
If there was a perfect zone for posting hijackthis logs, then this is it, :)
gnotify.exe is in the bak folder which could mean that the above is the original file moved to the bak folder....
example below:
C:\WINDOWS\system32\igfxtr
C:\WINDOWS\system32\bak\ig
It's okay to paste your hijackthis log here in this zone.
If there was a perfect zone for posting hijackthis logs, then this is it, :)
Did you delete those files with killbox?
The relevant hijackthis entries are still there!
Let's look at a combofix log, my internet connection is very bad tonight, my reply will be so slow or I may not be able to reply till morning.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
The relevant hijackthis entries are still there!
Let's look at a combofix log, my internet connection is very bad tonight, my reply will be so slow or I may not be able to reply till morning.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
ASKER
I didn't do killbox yet. That's what I ran this morning before fixing today. I cleaned in hijack this, ran ad-aware again and am about to do the killbox. I'll upload a new log once I have that complete.
ASKER
I don't see killbox on that site. They have
SpywareStrike Removal
ATF Cleaner
VundoFix
Look2Me-Destroyer
SpywareStrike Removal
ATF Cleaner
VundoFix
Look2Me-Destroyer
Killbox's link is a direct download, just click on the link that I posted.
You can also use ATF Cleaner to empty your temp folders(cleans all users temp)
Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
Reboot your computer into Safe Mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
(If you use FireFox or the Opera browser,
To keep saved passwords, click No at the prompt.)
It's normal after running ATF cleaner that the PC will be slower to boot the first time.
OR:
CCleaner:
http://www.ccleaner.com/download/
It's nearly midnight here so I'll check back tomorrow.
You can also use ATF Cleaner to empty your temp folders(cleans all users temp)
Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
Reboot your computer into Safe Mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
(If you use FireFox or the Opera browser,
To keep saved passwords, click No at the prompt.)
It's normal after running ATF cleaner that the PC will be slower to boot the first time.
OR:
CCleaner:
http://www.ccleaner.com/download/
It's nearly midnight here so I'll check back tomorrow.
ASKER
I did use the link you sent. I guess they don't have killbox anymore, so it directs me to the home page. I went to the downloads page and it's not listed. I downloaded CCLeaner and will be trying that next. I was able to delete the C:\WINDOWS\pmnlkk.dll file, just can't get the C:\WINDOWS\system32\ir4l32
ASKER
I found that ir4l32.dll in the registry under Winlogon and InProcServer32. Not sure if I should be deleting that file or not.
I re-ran hijackthis and ad-aware and AVG in safe mode, removed/healed everything you listed, except the ir4l32.dll because it is being used by another program and can't be deleted. I checked the startup options in msconfig and found a blank entry and unchecked that. And I still have a problem. As soon as I went onto IE, I got another pop-up and AVG popped up to say it detected a virus.
I re-ran hijackthis and ad-aware and AVG in safe mode, removed/healed everything you listed, except the ir4l32.dll because it is being used by another program and can't be deleted. I checked the startup options in msconfig and found a blank entry and unchecked that. And I still have a problem. As soon as I went onto IE, I got another pop-up and AVG popped up to say it detected a virus.
something is stopping you from downloading Killbox because that link is still good, it works for me.
About this file -->ir4l32.dll I'm 99.99% sure that it is bad, because it's random, winlogon key is the usual place in the registry where nasties hook themselves so they start before windows starts.
You can always submit that file to jotti to check it -->http://virusscan.jotti.org/
there is another way of deleting that one, avenger can delete it. You can't manually delete a file hooked with winlogon without deleting the registry first because some malware will caused you not being able to log back in after reboot.
I think "ir4l32.dll" is the main culprit. We can easily delete it with Avenger.
Can you run the combofix so we can see the files modified in the last 3 months,
If you have a file infector, the files infected should show up in this scan --> http://noahdfear.geekstogo.com/FindAWF.exe
About this file -->ir4l32.dll I'm 99.99% sure that it is bad, because it's random, winlogon key is the usual place in the registry where nasties hook themselves so they start before windows starts.
You can always submit that file to jotti to check it -->http://virusscan.jotti.org/
there is another way of deleting that one, avenger can delete it. You can't manually delete a file hooked with winlogon without deleting the registry first because some malware will caused you not being able to log back in after reboot.
I think "ir4l32.dll" is the main culprit. We can easily delete it with Avenger.
Can you run the combofix so we can see the files modified in the last 3 months,
If you have a file infector, the files infected should show up in this scan --> http://noahdfear.geekstogo.com/FindAWF.exe
ASKER
The ComboFix log file is empty, It only shows the start time/date. I'm in safe mode running a virus scan right now so I can't download these other programs. I'll try it again once the scan is complete.
Combofix log is empty??????
that is really weird.....
that is really weird.....
ASKER
Could it be because I ran it in safe mode?
ASKER
Here is the logfile of the FineAWF.exe
Find AWF report by noahdfear ©2006
bak folders found
~~~~~~~~~~~
Directory of C:\HP\KBD\BAK
02/02/2005 03:44 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes
Directory of C:\PROGRA~1\BITTOR~1\BAK
01/12/2007 01:35 AM 43,008 bittorrent.exe
1 File(s) 43,008 bytes
Directory of C:\PROGRA~1\ITUNES\BAK
06/14/2006 03:24 PM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
07/30/2006 02:01 PM 282,624 qttask.exe
1 File(s) 282,624 bytes
Directory of C:\PROGRA~1\TUNEBITE\BAK
07/05/2006 07:20 AM 1,957,977 tunebite.exe
1 File(s) 1,957,977 bytes
Directory of C:\WINDOWS\EHOME\BAK
08/10/2004 09:04 PM 59,392 ehtray.exe
1 File(s) 59,392 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
08/10/2004 02:00 PM 15,360 ctfmon.exe
06/08/2005 12:59 PM 77,824 hkcmd.exe
01/30/2003 06:55 PM 311,296 hphmon03.exe
06/08/2005 01:03 PM 114,688 igfxpers.exe
4 File(s) 519,168 bytes
Directory of C:\HP\DRIVERS\HPLSBW~1\BAK
05/10/2005 07:50 PM 253,952 lsburnwatcher.exe
1 File(s) 253,952 bytes
Directory of C:\PROGRA~1\ADOBE\PHOTOS~1
09/14/2006 07:55 AM 61,440 apdproxy.exe
1 File(s) 61,440 bytes
Directory of C:\PROGRA~1\CITRIX\GOTOMYP
12/06/2005 03:47 PM 230,496 g2svc.exe
1 File(s) 230,496 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMAN
12/27/2005 02:54 PM 48,800 ccApp.exe
1 File(s) 48,800 bytes
Directory of C:\PROGRA~1\GRISOFT\AVG7\B
03/05/2007 11:05 AM 411,648 avgcc.exe
1 File(s) 411,648 bytes
Directory of C:\PROGRA~1\HEWLET~1\HPBOO
02/26/2005 12:34 AM 245,760 HPBootOp.exe
1 File(s) 245,760 bytes
Directory of C:\PROGRA~1\HP\HPSOFT~1\BA
05/12/2005 08:12 AM 49,152 HPwuSchd2.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\PLAXO\262~1.9\
04/17/2006 03:48 PM 182,855 PlaxoHelper.exe
1 File(s) 182,855 bytes
Directory of C:\PROGRA~1\PURENE~1\PORTM
04/05/2004 04:33 PM 99,480 PortAOL.exe
1 File(s) 99,480 bytes
Directory of C:\PROGRA~1\ADOBE\ACROBA~1
03/30/2006 03:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes
Directory of C:\PROGRA~1\COMMON~1\AHEAD
01/12/2006 04:40 PM 155,648 NeroCheck.exe
09/13/2006 11:12 AM 139,264 NMBgMonitor.exe
2 File(s) 294,912 bytes
Directory of C:\PROGRA~1\COMMON~1\AOL\A
10/20/2004 09:40 AM 34,904 AOLDial.exe
1 File(s) 34,904 bytes
Directory of C:\PROGRA~1\COMMON~1\AOL\A
0 File(s) 0 bytes
Directory of C:\PROGRA~1\COMMON~1\INSTA
02/16/2005 04:15 PM 221,184 ISUSPM.exe
1 File(s) 221,184 bytes
Directory of C:\PROGRA~1\COMMON~1\REAL\
09/27/2005 11:26 PM 180,269 realsched.exe
1 File(s) 180,269 bytes
Directory of C:\PROGRA~1\HP\DIGITA~1\{3
06/02/2005 01:35 AM 49,152 hphupd08.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\JAVA\JRE15~1.0
11/10/2005 01:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes
Directory of C:\PROGRA~1\COMMON~1\AOL\1
11/02/2005 10:01 PM 50,792 AOLSoftware.exe
1 File(s) 50,792 bytes
Directory of C:\WINDOWS\SYSTEM32\SPOOL\
01/30/2003 06:55 PM 196,608 hpztsb04.exe
1 File(s) 196,608 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.EXE"
6883122 Apr 14 2006 "C:\Documents and Settings\Paul\Desktop\BitT
43008 Jan 12 2007 "C:\Program Files\BitTorrent\bak\bitto
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.
278528 Jun 14 2006 "C:\Program Files\iTunes\bak\iTunesHel
102400 Jan 22 2007 "C:\WINDOWS\Installer\{446
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.
282624 Jul 30 2006 "C:\Program Files\QuickTime\bak\qttask
8037624 Aug 14 2006 "C:\tunebite.exe"
1957977 Jul 5 2006 "C:\Program Files\tunebite\bak\tunebit
8037264 Jul 9 2006 "C:\Documents and Settings\Colleen\My Documents\Newsbin Download\alt.binaries.ware
59392 Aug 10 2004 "C:\WINDOWS\ehome\ehtray.e
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtr
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmo
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\c
77824 Jun 8 2005 "C:\hp\drivers\video_Intel
77824 Jun 8 2005 "C:\WINDOWS\system32\bak\h
311296 Jan 30 2003 "C:\WINDOWS\system32\bak\h
311296 Jan 30 2003 "C:\temp\photosmart\enu\dr
311296 Jan 30 2003 "C:\Program Files\hp photosmart\hphinstall\enu\
114688 Jun 8 2005 "C:\hp\drivers\video_Intel
114688 Jun 8 2005 "C:\WINDOWS\system32\bak\i
253952 May 10 2005 "C:\hp\drivers\hplsbwatche
61440 Sep 14 2006 "C:\Program Files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe"
230496 Dec 6 2005 "C:\Program Files\Citrix\GoToMyPC\bak\
48800 Dec 27 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
58488 Aug 13 2004 "C:\Documents and Settings\Paul\Local Settings\Temp\NAV\Support\
411648 Mar 23 2007 "C:\Program Files\Grisoft\AVG7\avgcc.e
411648 Mar 5 2007 "C:\Program Files\Grisoft\AVG7\bak\avg
245760 Feb 26 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
49152 May 12 2005 "C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
182855 Apr 17 2006 "C:\Program Files\Plaxo\PlaxoHelper.ex
182855 Apr 17 2006 "C:\Program Files\Plaxo\2.8.1.2\PlaxoH
182855 Apr 17 2006 "C:\Program Files\Plaxo\2.6.2.9\bak\Pl
99480 Apr 5 2004 "C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe"
976472 Oct 5 2006 "C:\Program Files\Common Files\Adobe\Updater\AdobeU
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdate
155648 Jan 12 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NeroCh
139264 Sep 13 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMo
34904 Oct 20 2004 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.
221184 Feb 16 2005 "C:\Program Files\Common Files\InstallShield\Update
180269 Sep 27 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\r
49152 Jun 2 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1
36972 Sep 27 2005 "C:\Program Files\Java\jre1.5.0\bin\ju
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin
50792 Nov 2 2005 "C:\Program Files\Common Files\AOL\1135834824\ee\ao
50792 Nov 2 2005 "C:\Program Files\Common Files\AOL\1136148289\ee\ba
196608 Jan 30 2003 "C:\WINDOWS\system32\spool
end of report
Find AWF report by noahdfear ©2006
bak folders found
~~~~~~~~~~~
Directory of C:\HP\KBD\BAK
02/02/2005 03:44 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes
Directory of C:\PROGRA~1\BITTOR~1\BAK
01/12/2007 01:35 AM 43,008 bittorrent.exe
1 File(s) 43,008 bytes
Directory of C:\PROGRA~1\ITUNES\BAK
06/14/2006 03:24 PM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
07/30/2006 02:01 PM 282,624 qttask.exe
1 File(s) 282,624 bytes
Directory of C:\PROGRA~1\TUNEBITE\BAK
07/05/2006 07:20 AM 1,957,977 tunebite.exe
1 File(s) 1,957,977 bytes
Directory of C:\WINDOWS\EHOME\BAK
08/10/2004 09:04 PM 59,392 ehtray.exe
1 File(s) 59,392 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
08/10/2004 02:00 PM 15,360 ctfmon.exe
06/08/2005 12:59 PM 77,824 hkcmd.exe
01/30/2003 06:55 PM 311,296 hphmon03.exe
06/08/2005 01:03 PM 114,688 igfxpers.exe
4 File(s) 519,168 bytes
Directory of C:\HP\DRIVERS\HPLSBW~1\BAK
05/10/2005 07:50 PM 253,952 lsburnwatcher.exe
1 File(s) 253,952 bytes
Directory of C:\PROGRA~1\ADOBE\PHOTOS~1
09/14/2006 07:55 AM 61,440 apdproxy.exe
1 File(s) 61,440 bytes
Directory of C:\PROGRA~1\CITRIX\GOTOMYP
12/06/2005 03:47 PM 230,496 g2svc.exe
1 File(s) 230,496 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMAN
12/27/2005 02:54 PM 48,800 ccApp.exe
1 File(s) 48,800 bytes
Directory of C:\PROGRA~1\GRISOFT\AVG7\B
03/05/2007 11:05 AM 411,648 avgcc.exe
1 File(s) 411,648 bytes
Directory of C:\PROGRA~1\HEWLET~1\HPBOO
02/26/2005 12:34 AM 245,760 HPBootOp.exe
1 File(s) 245,760 bytes
Directory of C:\PROGRA~1\HP\HPSOFT~1\BA
05/12/2005 08:12 AM 49,152 HPwuSchd2.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\PLAXO\262~1.9\
04/17/2006 03:48 PM 182,855 PlaxoHelper.exe
1 File(s) 182,855 bytes
Directory of C:\PROGRA~1\PURENE~1\PORTM
04/05/2004 04:33 PM 99,480 PortAOL.exe
1 File(s) 99,480 bytes
Directory of C:\PROGRA~1\ADOBE\ACROBA~1
03/30/2006 03:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes
Directory of C:\PROGRA~1\COMMON~1\AHEAD
01/12/2006 04:40 PM 155,648 NeroCheck.exe
09/13/2006 11:12 AM 139,264 NMBgMonitor.exe
2 File(s) 294,912 bytes
Directory of C:\PROGRA~1\COMMON~1\AOL\A
10/20/2004 09:40 AM 34,904 AOLDial.exe
1 File(s) 34,904 bytes
Directory of C:\PROGRA~1\COMMON~1\AOL\A
0 File(s) 0 bytes
Directory of C:\PROGRA~1\COMMON~1\INSTA
02/16/2005 04:15 PM 221,184 ISUSPM.exe
1 File(s) 221,184 bytes
Directory of C:\PROGRA~1\COMMON~1\REAL\
09/27/2005 11:26 PM 180,269 realsched.exe
1 File(s) 180,269 bytes
Directory of C:\PROGRA~1\HP\DIGITA~1\{3
06/02/2005 01:35 AM 49,152 hphupd08.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\JAVA\JRE15~1.0
11/10/2005 01:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes
Directory of C:\PROGRA~1\COMMON~1\AOL\1
11/02/2005 10:01 PM 50,792 AOLSoftware.exe
1 File(s) 50,792 bytes
Directory of C:\WINDOWS\SYSTEM32\SPOOL\
01/30/2003 06:55 PM 196,608 hpztsb04.exe
1 File(s) 196,608 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.EXE"
6883122 Apr 14 2006 "C:\Documents and Settings\Paul\Desktop\BitT
43008 Jan 12 2007 "C:\Program Files\BitTorrent\bak\bitto
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.
278528 Jun 14 2006 "C:\Program Files\iTunes\bak\iTunesHel
102400 Jan 22 2007 "C:\WINDOWS\Installer\{446
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.
282624 Jul 30 2006 "C:\Program Files\QuickTime\bak\qttask
8037624 Aug 14 2006 "C:\tunebite.exe"
1957977 Jul 5 2006 "C:\Program Files\tunebite\bak\tunebit
8037264 Jul 9 2006 "C:\Documents and Settings\Colleen\My Documents\Newsbin Download\alt.binaries.ware
59392 Aug 10 2004 "C:\WINDOWS\ehome\ehtray.e
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtr
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmo
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\c
77824 Jun 8 2005 "C:\hp\drivers\video_Intel
77824 Jun 8 2005 "C:\WINDOWS\system32\bak\h
311296 Jan 30 2003 "C:\WINDOWS\system32\bak\h
311296 Jan 30 2003 "C:\temp\photosmart\enu\dr
311296 Jan 30 2003 "C:\Program Files\hp photosmart\hphinstall\enu\
114688 Jun 8 2005 "C:\hp\drivers\video_Intel
114688 Jun 8 2005 "C:\WINDOWS\system32\bak\i
253952 May 10 2005 "C:\hp\drivers\hplsbwatche
61440 Sep 14 2006 "C:\Program Files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe"
230496 Dec 6 2005 "C:\Program Files\Citrix\GoToMyPC\bak\
48800 Dec 27 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
58488 Aug 13 2004 "C:\Documents and Settings\Paul\Local Settings\Temp\NAV\Support\
411648 Mar 23 2007 "C:\Program Files\Grisoft\AVG7\avgcc.e
411648 Mar 5 2007 "C:\Program Files\Grisoft\AVG7\bak\avg
245760 Feb 26 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
49152 May 12 2005 "C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
182855 Apr 17 2006 "C:\Program Files\Plaxo\PlaxoHelper.ex
182855 Apr 17 2006 "C:\Program Files\Plaxo\2.8.1.2\PlaxoH
182855 Apr 17 2006 "C:\Program Files\Plaxo\2.6.2.9\bak\Pl
99480 Apr 5 2004 "C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe"
976472 Oct 5 2006 "C:\Program Files\Common Files\Adobe\Updater\AdobeU
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdate
155648 Jan 12 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NeroCh
139264 Sep 13 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMo
34904 Oct 20 2004 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.
221184 Feb 16 2005 "C:\Program Files\Common Files\InstallShield\Update
180269 Sep 27 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\r
49152 Jun 2 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1
36972 Sep 27 2005 "C:\Program Files\Java\jre1.5.0\bin\ju
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin
50792 Nov 2 2005 "C:\Program Files\Common Files\AOL\1135834824\ee\ao
50792 Nov 2 2005 "C:\Program Files\Common Files\AOL\1136148289\ee\ba
196608 Jan 30 2003 "C:\WINDOWS\system32\spool
end of report
ASKER
Re-ran ComboFix while not in Safemode, this is the log file output:
Start Time= Tue 03/27/2007 23:56:54.57
((((((((((((((((((((((((((
C:\Program Files\Yahoo!\WidgetEngine\
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
0:00:20.23
((((((((((((((((((((((((((
2007-03-27 10:13:40 ( .D... ) "C:\Program Files\CCleaner"
2007-03-27 10:11:26 ( .D... ) "C:\Program Files\Mozilla Firefox"
2007-03-23 16:04:22 0 ( A.... ) "C:\WINDOWS\system32\dlh9j
2007-03-23 08:28:28 9216 ( A.... ) "C:\WINDOWS\system32\avgwl
2007-03-23 00:23:20 ( .D... ) "C:\Documents and Settings\Colleen\Applicati
2007-03-23 00:23:14 110592 ( A.... ) "C:\WINDOWS\system32\avgfw
2007-03-23 00:09:34 ( .D... ) "C:\Documents and Settings\Colleen\Applicati
2007-03-23 00:08:34 ( .D... ) "C:\Program Files\Lavasoft"
2007-03-23 00:07:44 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2007-03-22 15:17:56 19664 ( A.... ) "C:\WINDOWS\system32\ir4l3
2007-03-05 11:05:06 ( .D... ) "C:\Program Files\Grisoft"
2007-02-13 14:14:02 ( .D... ) "C:\Documents and Settings\Colleen\Applicati
2007-02-07 16:08:58 ( .D... ) "C:\Documents and Settings\Colleen\Applicati
2006-05-27 21:18:34 393 ( A.... ) "C:\Program Files\Shortcut to Program Files.lnk"
((((((((((((((((((((((((((
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\softwa
"SMSERIAL"="sm56hlpr.exe"
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"ehTray"="C:\\WINDOWS\\eho
"AOL Spyware Protection"="\"C:\\PROGRA~
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.e
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-858
"AVG7_CC"="C:\\PROGRA~1\\G
"MSConfig"="C:\\WINDOWS\\P
[HKEY_LOCAL_MACHINE\softwa
[HKEY_LOCAL_MACHINE\softwa
"Installed"="1"
[HKEY_LOCAL_MACHINE\softwa
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\softwa
"Installed"="1"
[HKEY_LOCAL_MACHINE\softwa
"isDeleteMe"="\"C:\\WINDOW
[HKEY_LOCAL_MACHINE\softwa
"flags"=dword:00000008
[HKEY_LOCAL_MACHINE\softwa
[HKEY_LOCAL_MACHINE\softwa
"NoCDBurning"=dword:000000
[HKEY_CURRENT_USER\softwar
"ctfmon.exe"="C:\\WINDOWS\
"tunebite.exe"="C:\\Progra
[HKEY_USERS\.default\softw
"AVG7_Run"="C:\\PROGRA~1\\
[HKEY_USERS\.default\softw
"NoDriveTypeAutoRun"=dword
[HKEY_USERS\s-1-5-18\softw
"AVG7_Run"="C:\\PROGRA~1\\
[HKEY_USERS\s-1-5-18\softw
"NoDriveTypeAutoRun"=dword
[HKEY_LOCAL_MACHINE\softwa
"{438755C2-A8BA-11D1-B96B-
"{8C7461EF-2B13-11d2-BE35-
[HKEY_LOCAL_MACHINE\softwa
"{AEB6717E-7E19-11d0-97EE-
[HKEY_LOCAL_MACHINE\softwa
[HKEY_LOCAL_MACHINE\softwa
"key"="SOFTWARE\\Microsoft
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoft
C:\WINDOWS\tasks\Easy Internet Sign-up.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: Wed 03/28/2007 0:00:38.43
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt
Start Time= Tue 03/27/2007 23:56:54.57
((((((((((((((((((((((((((
C:\Program Files\Yahoo!\WidgetEngine\
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
0:00:20.23
((((((((((((((((((((((((((
2007-03-27 10:13:40 ( .D... ) "C:\Program Files\CCleaner"
2007-03-27 10:11:26 ( .D... ) "C:\Program Files\Mozilla Firefox"
2007-03-23 16:04:22 0 ( A.... ) "C:\WINDOWS\system32\dlh9j
2007-03-23 08:28:28 9216 ( A.... ) "C:\WINDOWS\system32\avgwl
2007-03-23 00:23:20 ( .D... ) "C:\Documents and Settings\Colleen\Applicati
2007-03-23 00:23:14 110592 ( A.... ) "C:\WINDOWS\system32\avgfw
2007-03-23 00:09:34 ( .D... ) "C:\Documents and Settings\Colleen\Applicati
2007-03-23 00:08:34 ( .D... ) "C:\Program Files\Lavasoft"
2007-03-23 00:07:44 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2007-03-22 15:17:56 19664 ( A.... ) "C:\WINDOWS\system32\ir4l3
2007-03-05 11:05:06 ( .D... ) "C:\Program Files\Grisoft"
2007-02-13 14:14:02 ( .D... ) "C:\Documents and Settings\Colleen\Applicati
2007-02-07 16:08:58 ( .D... ) "C:\Documents and Settings\Colleen\Applicati
2006-05-27 21:18:34 393 ( A.... ) "C:\Program Files\Shortcut to Program Files.lnk"
((((((((((((((((((((((((((
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\softwa
"SMSERIAL"="sm56hlpr.exe"
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"ehTray"="C:\\WINDOWS\\eho
"AOL Spyware Protection"="\"C:\\PROGRA~
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.e
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-858
"AVG7_CC"="C:\\PROGRA~1\\G
"MSConfig"="C:\\WINDOWS\\P
[HKEY_LOCAL_MACHINE\softwa
[HKEY_LOCAL_MACHINE\softwa
"Installed"="1"
[HKEY_LOCAL_MACHINE\softwa
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\softwa
"Installed"="1"
[HKEY_LOCAL_MACHINE\softwa
"isDeleteMe"="\"C:\\WINDOW
[HKEY_LOCAL_MACHINE\softwa
"flags"=dword:00000008
[HKEY_LOCAL_MACHINE\softwa
[HKEY_LOCAL_MACHINE\softwa
"NoCDBurning"=dword:000000
[HKEY_CURRENT_USER\softwar
"ctfmon.exe"="C:\\WINDOWS\
"tunebite.exe"="C:\\Progra
[HKEY_USERS\.default\softw
"AVG7_Run"="C:\\PROGRA~1\\
[HKEY_USERS\.default\softw
"NoDriveTypeAutoRun"=dword
[HKEY_USERS\s-1-5-18\softw
"AVG7_Run"="C:\\PROGRA~1\\
[HKEY_USERS\s-1-5-18\softw
"NoDriveTypeAutoRun"=dword
[HKEY_LOCAL_MACHINE\softwa
"{438755C2-A8BA-11D1-B96B-
"{8C7461EF-2B13-11d2-BE35-
[HKEY_LOCAL_MACHINE\softwa
"{AEB6717E-7E19-11d0-97EE-
[HKEY_LOCAL_MACHINE\softwa
[HKEY_LOCAL_MACHINE\softwa
"key"="SOFTWARE\\Microsoft
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoft
C:\WINDOWS\tasks\Easy Internet Sign-up.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: Wed 03/28/2007 0:00:38.43
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt
ASKER
I was able to download killbox on another computer and send it over to the infected computer. It was able to delete that ir4l32.dll file. Hoping that should do the trick?
Sorry, it doesn't look good.
Yes! you have the file infector there and a lot of your legit files have been infected. What I would suggest is a reformat and start from scratch.
OR:
Kaspersky free trial, supposedly able to fix the infected files, you could try that, that might be easier.
Kaspersky free trial:
http://www.kaspersky.com/trials.html
or try deleting those infected files yourself and then copy back the original files.
All those legit files listed are no longer the correct ones the original legit files are now moved into those "bak" folders, as you can see in the log.( i just pick 2 examples from your log)
C:\WINDOWS\ehome\ehtray.ex
C:\WINDOWS\ehome\bak\ehtra
C:\WINDOWS\system32\ctfmon
C:\WINDOWS\system32\bak\ct
You could make a batchfile to delete all those infected files and copy the original from the bak folders,
examples of your batchfile would be like this(you'll have a long list of it), for the infected example "ehtray.exe" and "ctfmon.exe"
@echo off
If exist "C:\WINDOWS\ehome\ehtray.e
copy "C:\WINDOWS\ehome\bak\ehtr
If exist "C:\WINDOWS\system32\ctfmo
copy "C:\WINDOWS\system32\bak\c
You do that with all of the infected files that you have there......or just use Kaspersky....easy enough to uninstall it later on.
Yes! you have the file infector there and a lot of your legit files have been infected. What I would suggest is a reformat and start from scratch.
OR:
Kaspersky free trial, supposedly able to fix the infected files, you could try that, that might be easier.
Kaspersky free trial:
http://www.kaspersky.com/trials.html
or try deleting those infected files yourself and then copy back the original files.
All those legit files listed are no longer the correct ones the original legit files are now moved into those "bak" folders, as you can see in the log.( i just pick 2 examples from your log)
C:\WINDOWS\ehome\ehtray.ex
C:\WINDOWS\ehome\bak\ehtra
C:\WINDOWS\system32\ctfmon
C:\WINDOWS\system32\bak\ct
You could make a batchfile to delete all those infected files and copy the original from the bak folders,
examples of your batchfile would be like this(you'll have a long list of it), for the infected example "ehtray.exe" and "ctfmon.exe"
@echo off
If exist "C:\WINDOWS\ehome\ehtray.e
copy "C:\WINDOWS\ehome\bak\ehtr
If exist "C:\WINDOWS\system32\ctfmo
copy "C:\WINDOWS\system32\bak\c
You do that with all of the infected files that you have there......or just use Kaspersky....easy enough to uninstall it later on.
Oooops, didn't see you already deleted -->ir4l32.dll file
make sure these are deleted as well:
C:\WINDOWS\system32\dlh9jk
C:\WINDOWS\system32\tmp6A.
You need to also remove the registry entry in hijackthis:
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-8
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\pmnlkk.dll",se
O20 - Winlogon Notify: ir4l32 - C:\WINDOWS\SYSTEM32\ir4l32
Then that still leaves you with the file infector issue.
make sure these are deleted as well:
C:\WINDOWS\system32\dlh9jk
C:\WINDOWS\system32\tmp6A.
You need to also remove the registry entry in hijackthis:
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-8
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\pmnlkk.dll",se
O20 - Winlogon Notify: ir4l32 - C:\WINDOWS\SYSTEM32\ir4l32
Then that still leaves you with the file infector issue.
ASKER
Luckily, none of those are coming up in the hijackthis log now, except to say that the file is missing. I think luckily too, alot of those bak files may actually be legit. Most of the dates on those are well before the infected date, which I know is 3/22/07 and I checked some of them on that virusscan.jotti site and so far so good. It may not be as bad as it looks.
Logfile of HijackThis v1.99.1
Scan saved at 9:26:26 AM, on 3/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\PROGRA~1\Grisoft\AVG7\a
C:\WINDOWS\system32\spools
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileA
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aol
C:\Program Files\Symantec\LiveUpdate\
C:\PROGRA~1\Grisoft\AVG7\a
C:\PROGRA~1\Grisoft\AVG7\a
C:\PROGRA~1\Grisoft\AVG7\a
C:\PROGRA~1\Grisoft\AVG7\a
C:\WINDOWS\eHome\ehRecvr.e
C:\WINDOWS\eHome\ehSched.e
C:\WINDOWS\system32\inetsr
C:\Program Files\Common Files\LightScribe\LSSrvc.e
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Photodex\ProShowProd
C:\WINDOWS\system32\svchos
C:\PROGRA~1\Grisoft\AVG7\a
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\ehome\ehtray.ex
C:\WINDOWS\system32\dllhos
C:\PROGRA~1\COMMON~1\AOL\A
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-
C:\WINDOWS\eHome\ehmsas.ex
C:\PROGRA~1\Grisoft\AVG7\a
C:\WINDOWS\system32\ctfmon
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates
C:\Program Files\Yahoo!\WidgetEngine\
C:\Program Files\Yahoo!\WidgetEngine\
C:\Program Installations\hijackthis_1
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {489021a8-a84f-49ba-bce3-d
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-8
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.ex
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\a
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.ex
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-4
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-4
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O16 - DPF: {31E68DE2-5548-4B23-88F0-C
O16 - DPF: {406B5949-7190-4245-91A9-3
O16 - DPF: {474F00F5-3853-492C-AC3A-4
O16 - DPF: {49232000-16E4-426C-A231-6
O16 - DPF: {493ACF15-5CD9-4474-82A6-9
O16 - DPF: {55027008-315F-4F45-BBC3-8
O16 - DPF: {74C861A1-D548-4916-BC8A-F
O16 - DPF: {AB86CE53-AC9F-449F-9399-D
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5
O16 - DPF: {CB50428B-657F-47DF-9B32-6
O16 - DPF: {EB387D2F-E27B-4D36-979E-8
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwln
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxde
O20 - Winlogon Notify: ir4l32 - ir4l32.dll (file missing)
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aol
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.e
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProd
Logfile of HijackThis v1.99.1
Scan saved at 9:26:26 AM, on 3/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\PROGRA~1\Grisoft\AVG7\a
C:\WINDOWS\system32\spools
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileA
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aol
C:\Program Files\Symantec\LiveUpdate\
C:\PROGRA~1\Grisoft\AVG7\a
C:\PROGRA~1\Grisoft\AVG7\a
C:\PROGRA~1\Grisoft\AVG7\a
C:\PROGRA~1\Grisoft\AVG7\a
C:\WINDOWS\eHome\ehRecvr.e
C:\WINDOWS\eHome\ehSched.e
C:\WINDOWS\system32\inetsr
C:\Program Files\Common Files\LightScribe\LSSrvc.e
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Photodex\ProShowProd
C:\WINDOWS\system32\svchos
C:\PROGRA~1\Grisoft\AVG7\a
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\ehome\ehtray.ex
C:\WINDOWS\system32\dllhos
C:\PROGRA~1\COMMON~1\AOL\A
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-
C:\WINDOWS\eHome\ehmsas.ex
C:\PROGRA~1\Grisoft\AVG7\a
C:\WINDOWS\system32\ctfmon
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates
C:\Program Files\Yahoo!\WidgetEngine\
C:\Program Files\Yahoo!\WidgetEngine\
C:\Program Installations\hijackthis_1
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {489021a8-a84f-49ba-bce3-d
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-8
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.ex
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\a
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.ex
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-4
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-4
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwa
O16 - DPF: {31E68DE2-5548-4B23-88F0-C
O16 - DPF: {406B5949-7190-4245-91A9-3
O16 - DPF: {474F00F5-3853-492C-AC3A-4
O16 - DPF: {49232000-16E4-426C-A231-6
O16 - DPF: {493ACF15-5CD9-4474-82A6-9
O16 - DPF: {55027008-315F-4F45-BBC3-8
O16 - DPF: {74C861A1-D548-4916-BC8A-F
O16 - DPF: {AB86CE53-AC9F-449F-9399-D
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5
O16 - DPF: {CB50428B-657F-47DF-9B32-6
O16 - DPF: {EB387D2F-E27B-4D36-979E-8
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwln
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxde
O20 - Winlogon Notify: ir4l32 - ir4l32.dll (file missing)
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aol
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\a
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.e
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProd
ASKER
So far so good! Thanks so much for all your help!!! Hopefully it stays cleared
You can fix those file mising entries in hiajckthis, they're just the leftover registry entries.
O2 - BHO: (no name) - {489021a8-a84f-49ba-bce3-d
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-8
O20 - Winlogon Notify: ir4l32 - ir4l32.dll (file missing)
>>alot of those bak files may actually be legit<<
Yes, they are the legit files, that's what the infector supposed to do, moved the legit files to the "bak" folder.
I don't think the infector changes the dates when it infects the files and moves the legit ones to the bak folder.
Anyway, if things are fine then that's great! hope it will stay that way.
Thanks for the points, and....
Good Luck!
O2 - BHO: (no name) - {489021a8-a84f-49ba-bce3-d
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-8
O20 - Winlogon Notify: ir4l32 - ir4l32.dll (file missing)
>>alot of those bak files may actually be legit<<
Yes, they are the legit files, that's what the infector supposed to do, moved the legit files to the "bak" folder.
I don't think the infector changes the dates when it infects the files and moves the legit ones to the bak folder.
Anyway, if things are fine then that's great! hope it will stay that way.
Thanks for the points, and....
Good Luck!
O20 - AppInit_DLLs:
and Maybe these:
R1 - HKCU\Software\Microsoft\Wi
O2 - BHO: (no name) - {489021a8-a84f-49ba-bce3-d
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\pmnlkk.dll",se
O16 - DPF: {493ACF15-5CD9-4474-82A6-9
O16 - DPF: {E473A65C-8087-49A3-AFFD-C
O20 - Winlogon Notify: ir4l32 - C:\WINDOWS\SYSTEM32\ir4l32
Please next time upload the log file using the ee tools an post a link to it here. thanks
http://www.ee-stuff.com/