Solved

HijackThis log

Posted on 2007-03-26
Last Modified: 2013-12-06
Can someone tell me if anything from this HijackThis log needs to be removed? Even with a firewall and anti-virus running, I still got hit with adware and a virus. I already removed kernels32.exe from a previous HijackThis log and ran Ad-Aware in Safe Mode. But I'm still having issues. Thanks!!

Logfile of HijackThis v1.99.1
Scan saved at 2:25:34 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Google\Gmail Notifier\bak\gnotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office Pro\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Installations\hijackthis_199\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 67.80.232.224:8003
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {489021a8-a84f-49ba-bce3-d92dbd1ed2da} - C:\WINDOWS\system32\ir4l32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\tmp3C59.tmp.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\pmnlkk.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIB7FC~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/14.18/uploader2.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - AppInit_DLLs:  
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ir4l32 - C:\WINDOWS\SYSTEM32\ir4l32.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

Question by:cdion

23 Comments

Expert Comment

by:rindi
This one:

O20 - AppInit_DLLs:

and Maybe these:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 67.80.232.224:8003
O2 - BHO: (no name) - {489021a8-a84f-49ba-bce3-d92dbd1ed2da} - C:\WINDOWS\system32\ir4l32.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\tmp3C59.tmp.dll (file missing)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\pmnlkk.dll",setvm
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O20 - Winlogon Notify: ir4l32 - C:\WINDOWS\SYSTEM32\ir4l32.dll

Please, next time, upload the log file using the EE tools and post a link to it here. Thanks.

http://www.ee-stuff.com/

Accepted Solution

by:rpggamergirl (earned 125 total points)
Yeah, fix these entries:
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\tmp3C59.tmp.dll (file missing)
O2 - BHO: (no name) - {489021a8-a84f-49ba-bce3-d92dbd1ed2da} - C:\WINDOWS\system32\ir4l32.dll
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\pmnlkk.dll",setvm
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ir4l32 - C:\WINDOWS\SYSTEM32\ir4l32.dll

Then delete the bad files:
C:\WINDOWS\system32\ir4l32.dll
C:\WINDOWS\pmnlkk.dll


Download Pocket Killbox (it's easier to use Killbox's "Delete on Reboot").
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Select "All Files"
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\ir4l32.dll
C:\WINDOWS\pmnlkk.dll

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
*If the computer doesn't restart, just restart manually.

And run HijackThis again and show us a fresh HijackThis log to review.
Can you also show us the entries that you already removed from hijackthis?
especially the one with "kernels32.exe"
The bad entries in the log that you removed could help us.

C:\Google\Gmail Notifier\bak\gnotify.exe <-- I'm a bit concerned about this entry; it looks like a sign of Trojan.AWF (a file infector). I could be wrong.

What other scanners have you run?


Author Comment

by:cdion
I cleaned the O20 - AppInit_DLLs entry and it was okay for a little while; now everything has gotten worse. Before, I only deleted Kernels32.exe, and now it's back. I don't have that log file anymore, but it was like this: C:\WINDOWS\SYSTEM32\KERNELS32.EXE. I've also run a scan with AVG and Ad-Aware. My AVG scan this morning cleaned up the Kernels32.exe that re-appeared. It also cleaned up C:\xx1232255.exe, C:\WINDOWS\Temp\svcipa.exe and something in my Temporary Internet Files.

I do have Gmail Notifier, but I'll remove it anyway; I can always re-install it. I'll go through and remove all the other files mentioned as well. I uploaded a new HijackThis log to https://filedb.experts-exchange.com/incoming/ee-stuff/2993-hijackthis.txt  If there's anything new that should be removed, please let me know. Thanks!

Author Comment

by:cdion
The proxy server is okay too. I put that one in there.

Expert Comment

by:rpggamergirl
The reason I suspect a file infector is because of this line -->C:\Google\Gmail Notifier\bak\gnotify.exe

gnotify.exe is in the bak folder, which could mean that the above is the original file moved to the bak folder.

example below:
C:\WINDOWS\system32\igfxtray.exe << original location, replaced by infector
C:\WINDOWS\system32\bak\igfxtray.exe << original moved


It's okay to paste your hijackthis log here in this zone.
If there was a perfect zone for posting hijackthis logs, then this is it, :)
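The bak-folder pattern described in the comment above, as an added example that is not part of the original thread and is not FindAWF's code. The script builds a constructed directory tree modelled on the FindAWF report posted later in this thread (a real iTunesHelper.exe and qttask.exe moved into bak with one planted binary sitting in both original slots, an ehtray.exe whose two copies are identical, and a tunebite.exe that survives only in bak), then compares every bak file with the same-named file one level up by SHA-256. The file names, contents and the "same hash in several slots" grouping are my assumptions; FindAWF itself only lists the folders and size-matching duplicates, it does not hash.

```python
"""Compare each file in a "bak" folder with the file now in its parent folder.

Added example, not from the thread and not FindAWF's code. Trojan.AWF-style
infectors move the real program into a bak subfolder and put a copy of
themselves at the original path, so a bak copy that differs from its live
counterpart, or a bak copy with no live counterpart at all, is what to look for.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for the planted binary (assumption). The same bytes land
# in every hijacked slot, which is the signal the scan groups on.
DROPPER = b"MZ\x90\x00 constructed stand-in for a planted binary"


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bak_dirs(root: Path) -> list:
    """Classify every file that lives directly inside a directory named 'bak'.

    verdict "replaced":  live file differs from the backup (suspect the live one)
    verdict "identical": both copies match (already restored, or a benign backup)
    verdict "orphan":    nothing at the original path (replacement already removed,
                         e.g. by the AV, and the original was never put back)
    """
    results = []
    for bak_file in root.rglob("*"):
        if not bak_file.is_file() or bak_file.parent.name.lower() != "bak":
            continue
        live = bak_file.parent.parent / bak_file.name
        entry = {"bak": bak_file, "live": live, "shared_with": 0}
        if not live.is_file():
            entry["verdict"] = "orphan"
        else:
            live_hash = sha256(live)
            entry["live_sha256"] = live_hash
            entry["verdict"] = "identical" if live_hash == sha256(bak_file) else "replaced"
        results.append(entry)

    # One dropper copied over many programs leaves one hash in every live slot.
    by_hash = {}
    for e in results:
        if e["verdict"] == "replaced":
            by_hash.setdefault(e["live_sha256"], []).append(e)
    for group in by_hash.values():
        for e in group:
            e["shared_with"] = len(group) - 1
    return results


def build_fixture(root: Path) -> None:
    """Constructed tree modelled on the FindAWF report in the thread (assumed contents)."""
    files = {
        "Program Files/iTunes/bak/iTunesHelper.exe": b"MZ real iTunesHelper",
        "Program Files/iTunes/iTunesHelper.exe": DROPPER,
        "Program Files/QuickTime/bak/qttask.exe": b"MZ real qttask",
        "Program Files/QuickTime/qttask.exe": DROPPER,
        "WINDOWS/ehome/bak/ehtray.exe": b"MZ real ehtray",
        "WINDOWS/ehome/ehtray.exe": b"MZ real ehtray",
        "Program Files/tunebite/bak/tunebite.exe": b"MZ real tunebite",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Build the fixture in a temp dir, scan it, return {name: (verdict, shared_with)}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return {e["bak"].name: (e["verdict"], e["shared_with"]) for e in scan_bak_dirs(root)}


if __name__ == "__main__":
    for name, (verdict, shared) in sorted(demo().items()):
        extra = f" (same binary in {shared} other slot(s))" if shared else ""
        print(f"{name:20} {verdict}{extra}")
```

Pointed at a real drive (for example a copy of the infected disk mounted read-only), `scan_bak_dirs(Path("/mnt/c"))` gives the same verdicts; a "replaced" slot whose hash is shared with other slots is the one to submit to a scanner before restoring the bak copy over it.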

Expert Comment

by:rpggamergirl
Did you delete those files with killbox?
The relevant hijackthis entries are still there!

Let's look at a ComboFix log. My internet connection is very bad tonight, so my reply will be slow, or I may not be able to reply till morning.

Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click "combofix.exe" and follow the prompts.
When finished, it will produce a log for you.
Post that log and a HijackThis log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.
Author Comment

by:cdion
I didn't do Killbox yet. That's what I ran this morning before fixing today. I cleaned in HijackThis, ran Ad-Aware again and am about to do the Killbox. I'll upload a new log once I have that complete.
Author Comment

by:cdion
I don't see Killbox on that site. They have:
SpywareStrike Removal
ATF Cleaner
VundoFix
Look2Me-Destroyer

Expert Comment

by:rpggamergirl
Killbox's link is a direct download, just click on the link that I posted.


You can also use ATF Cleaner to empty your temp folders (it cleans all users' temp folders).
Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Reboot your computer into Safe Mode.
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser and want to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

OR:
CCleaner:
http://www.ccleaner.com/download/


It's nearly midnight here so I'll check back tomorrow.
Author Comment

by:cdion
I did use the link you sent. I guess they don't have Killbox anymore, so it directs me to the home page. I went to the downloads page and it's not listed. I downloaded CCleaner and will be trying that next. I was able to delete the C:\WINDOWS\pmnlkk.dll file; I just can't get C:\WINDOWS\system32\ir4l32.dll deleted.

Author Comment

by:cdion
I found that ir4l32.dll in the registry under Winlogon and InProcServer32. Not sure if I should be deleting that file or not.

I re-ran HijackThis, Ad-Aware and AVG in Safe Mode and removed/healed everything you listed, except ir4l32.dll, because it is being used by another program and can't be deleted. I checked the startup options in msconfig, found a blank entry and unchecked it. And I still have a problem. As soon as I went onto IE, I got another pop-up, and AVG popped up to say it detected a virus.

Expert Comment

by:rpggamergirl
Something is stopping you from downloading Killbox, because that link is still good; it works for me.

About this file --> ir4l32.dll: I'm 99.99% sure that it is bad, because it's random, and the Winlogon key is the usual place in the registry where nasties hook themselves so they start before Windows starts.
You can always submit that file to Jotti to check it --> http://virusscan.jotti.org/
There is another way of deleting that one: Avenger can delete it. You can't manually delete a file hooked into Winlogon without deleting the registry entry first, because some malware will cause you not to be able to log back in after a reboot.
I think "ir4l32.dll" is the main culprit. We can easily delete it with Avenger.

Can you run ComboFix so we can see the files modified in the last 3 months?
If you have a file infector, the infected files should show up in this scan --> http://noahdfear.geekstogo.com/FindAWF.exe

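As an added example (not code from the thread, from HijackThis, or from either expert), the script below applies the heuristics rindi and rpggamergirl used when marking entries to fix in the accepted solution, and the point made in the comment just above about Winlogon Notify being where a random-named DLL hooks itself to load before logon: an O2 BHO with no name, an O4 Run entry that loads a DLL through rundll32 from the Windows root, an O20 Winlogon Notify DLL with a random-looking name, an AppInit_DLLs entry, and an orphaned "(file missing)" entry. The sample lines are a constructed subset of the posted log; the rules, severities and the random-name regex are my assumptions, and they rank entries for review rather than declare them malicious (sm56hlpr.exe, the legitimate SM56 modem helper in the log, would also match the random-name test if it appeared with a full path).

```python
"""Triage a HijackThis 1.99-style log with the heuristics applied in this thread.

Added example: not code from the thread, from HijackThis, or from either expert.
The rules, severities and the random-name test are my own assumptions; they
rank entries for a human to review, they do not declare anything malicious.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the entries quoted from the posted log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 67.80.232.224:8003
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {489021a8-a84f-49ba-bce3-d92dbd1ed2da} - C:\WINDOWS\system32\ir4l32.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\tmp3C59.tmp.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\pmnlkk.dll",setvm
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: ir4l32 - C:\WINDOWS\SYSTEM32\ir4l32.dll
"""

RANK = {"high": 3, "medium": 2, "info": 1}

# First Windows path on the line, up to a .dll/.exe/.ocx extension.
WIN_PATH = re.compile(r"(?i)\b[a-z]:\\.+?\.(?:dll|exe|ocx)\b")
# Digits wedged between letters (ir4l32, tmp3C59): typical of generated names.
# Heuristic only: sm56hlpr.exe, the legitimate SM56 modem helper, also matches.
RANDOM_STEM = re.compile(r"[a-z]\d+[a-z]", re.IGNORECASE)
# A file dropped straight into C:\WINDOWS or C:\WINDOWS\system32, no vendor folder.
WINDOWS_ROOT = re.compile(r"(?i)^c:\\windows\\(?:system32\\)?[^\\]+$")


@dataclass
class Finding:
    severity: str
    line: str
    reasons: list = field(default_factory=list)


def extract_path(line: str):
    m = WIN_PATH.search(line)
    return m.group(0) if m else None


def looks_random(path: str) -> bool:
    stem = path.rsplit("\\", 1)[-1].split(".")[0]
    return bool(RANDOM_STEM.search(stem))


def in_windows_root(path: str) -> bool:
    return bool(WINDOWS_ROOT.match(path))


def classify(line: str):
    """Return (severity, reasons) for one log line, or None if no rule fires."""
    kind = line.split(" - ", 1)[0]          # R0, R1, O2, O4, O20, ...
    path = extract_path(line)
    hits = []
    if "(file missing)" in line:
        hits.append(("medium", "orphaned entry: the registered file is gone, fix the entry"))
    if kind == "O2" and "(no name)" in line:
        hits.append(("high", "BHO with no name"))
    if kind == "O4" and path and re.search(r"(?i)\brundll32(?:\.exe)?\b", line):
        hits.append(("high", "Run key loads a DLL through rundll32"))
    if kind == "O20" and "Winlogon Notify" in line and path and looks_random(path):
        hits.append(("high", "Winlogon Notify DLL with random-looking name; loads before logon"))
    if kind == "O20" and "AppInit_DLLs" in line:
        hits.append(("medium", "AppInit_DLLs set: DLLs listed here load into every process that uses user32.dll"))
    if kind == "R1" and "ProxyServer" in line:
        hits.append(("info", "proxy configured: confirm the user set it themselves"))
    if path and in_windows_root(path) and looks_random(path):
        hits.append(("medium", "random-looking file directly under C:\\WINDOWS or system32"))
    if not hits:
        return None
    severity = max((s for s, _ in hits), key=RANK.__getitem__)
    return severity, [reason for _, reason in hits]


def triage(log_text: str) -> list:
    """Findings for every line that tripped a rule, highest severity first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        result = classify(line)
        if result is not None:
            findings.append(Finding(result[0], line, result[1]))
    findings.sort(key=lambda f: RANK[f.severity], reverse=True)   # stable: log order within a level
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         -> {'; '.join(f.reasons)}")
```

On the sample, the four entries the experts told cdion to fix (both ir4l32.dll entries, the SoundService rundll32 line, and the orphaned tmp3C59.tmp.dll BHO) come out "high", the AppInit_DLLs line "medium", and the proxy "info", which matches cdion's later note that the proxy was set on purpose. The legitimate avgwlntf.dll Winlogon Notify entry and the ehTray Run entry produce nothing.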
Author Comment

by:cdion
The ComboFix log file is empty, It only shows the start time/date. I'm in safe mode running a virus scan right now so I can't download these other programs. I'll try it again once the scan is complete.

Expert Comment

by:rpggamergirl
Combofix log is empty??????
that is really weird.....
Author Comment

by:cdion
Could it be because I ran it in safe mode?
Author Comment

by:cdion
Here is the logfile of FindAWF.exe:


  Find AWF report by noahdfear ©2006


  bak folders found
  ~~~~~~~~~~~


 Directory of C:\HP\KBD\BAK

02/02/2005  03:44 PM            61,440 KBD.EXE
               1 File(s)         61,440 bytes

 Directory of C:\PROGRA~1\BITTOR~1\BAK

01/12/2007  01:35 AM            43,008 bittorrent.exe
               1 File(s)         43,008 bytes

 Directory of C:\PROGRA~1\ITUNES\BAK

06/14/2006  03:24 PM           278,528 iTunesHelper.exe
               1 File(s)        278,528 bytes

 Directory of C:\PROGRA~1\QUICKT~1\BAK

07/30/2006  02:01 PM           282,624 qttask.exe
               1 File(s)        282,624 bytes

 Directory of C:\PROGRA~1\TUNEBITE\BAK

07/05/2006  07:20 AM         1,957,977 tunebite.exe
               1 File(s)      1,957,977 bytes

 Directory of C:\WINDOWS\EHOME\BAK

08/10/2004  09:04 PM            59,392 ehtray.exe
               1 File(s)         59,392 bytes

 Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004  02:00 PM            15,360 ctfmon.exe
06/08/2005  12:59 PM            77,824 hkcmd.exe
01/30/2003  06:55 PM           311,296 hphmon03.exe
06/08/2005  01:03 PM           114,688 igfxpers.exe
               4 File(s)        519,168 bytes

 Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

05/10/2005  07:50 PM           253,952 lsburnwatcher.exe
               1 File(s)        253,952 bytes

 Directory of C:\PROGRA~1\ADOBE\PHOTOS~1.0\BAK

09/14/2006  07:55 AM            61,440 apdproxy.exe
               1 File(s)         61,440 bytes

 Directory of C:\PROGRA~1\CITRIX\GOTOMYPC\BAK

12/06/2005  03:47 PM           230,496 g2svc.exe
               1 File(s)        230,496 bytes

 Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/27/2005  02:54 PM            48,800 ccApp.exe
               1 File(s)         48,800 bytes

 Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK

03/05/2007  11:05 AM           411,648 avgcc.exe
               1 File(s)        411,648 bytes

 Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

02/26/2005  12:34 AM           245,760 HPBootOp.exe
               1 File(s)        245,760 bytes

 Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

05/12/2005  08:12 AM            49,152 HPwuSchd2.exe
               1 File(s)         49,152 bytes

 Directory of C:\PROGRA~1\PLAXO\262~1.9\BAK

04/17/2006  03:48 PM           182,855 PlaxoHelper.exe
               1 File(s)        182,855 bytes

 Directory of C:\PROGRA~1\PURENE~1\PORTMA~1\BAK

04/05/2004  04:33 PM            99,480 PortAOL.exe
               1 File(s)         99,480 bytes

 Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

03/30/2006  03:45 PM           313,472 AdobeUpdateManager.exe
               1 File(s)        313,472 bytes

 Directory of C:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK

01/12/2006  04:40 PM           155,648 NeroCheck.exe
09/13/2006  11:12 AM           139,264 NMBgMonitor.exe
               2 File(s)        294,912 bytes

 Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

10/20/2004  09:40 AM            34,904 AOLDial.exe
               1 File(s)         34,904 bytes

 Directory of C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\BAK

               0 File(s)              0 bytes

 Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

02/16/2005  04:15 PM           221,184 ISUSPM.exe
               1 File(s)        221,184 bytes

 Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/27/2005  11:26 PM           180,269 realsched.exe
               1 File(s)        180,269 bytes

 Directory of C:\PROGRA~1\HP\DIGITA~1\{33D6C~1\BAK

06/02/2005  01:35 AM            49,152 hphupd08.exe
               1 File(s)         49,152 bytes

 Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

11/10/2005  01:03 PM            36,975 jusched.exe
               1 File(s)         36,975 bytes

 Directory of C:\PROGRA~1\COMMON~1\AOL\113614~1\EE\BAK

11/02/2005  10:01 PM            50,792 AOLSoftware.exe
               1 File(s)         50,792 bytes

 Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

01/30/2003  06:55 PM           196,608 hpztsb04.exe
               1 File(s)        196,608 bytes


  Duplicate files of bak directory contents
  ~~~~~~~~~~~~~~~~~~~~~~~

     61440 Feb  2 2005 "C:\hp\KBD\bak\KBD.EXE"
   6883122 Apr 14 2006 "C:\Documents and Settings\Paul\Desktop\BitTorrent-Stable.exe"
     43008 Jan 12 2007 "C:\Program Files\BitTorrent\bak\bittorrent.exe"
    256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe1174400257"
    278528 Jun 14 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    102400 Jan 22 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
    108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
    282624 Jul 30 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
   8037624 Aug 14 2006 "C:\tunebite.exe"
   1957977 Jul  5 2006 "C:\Program Files\tunebite\bak\tunebite.exe"
   8037264 Jul  9 2006 "C:\Documents and Settings\Colleen\My Documents\Newsbin Download\alt.binaries.warez.ibm-pc.0-day\ttb3014a\tunebite.exe"
     59392 Aug 10 2004 "C:\WINDOWS\ehome\ehtray.exe"
     59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"
     15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
     15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
     77824 Jun  8 2005 "C:\hp\drivers\video_Intel\hkcmd.exe"
     77824 Jun  8 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
    311296 Jan 30 2003 "C:\WINDOWS\system32\bak\hphmon03.exe"
    311296 Jan 30 2003 "C:\temp\photosmart\enu\drivers\win2k_xp\HPHmon03.exe"
    311296 Jan 30 2003 "C:\Program Files\hp photosmart\hphinstall\enu\drivers\win2k_xp\HPHmon03.exe"
    114688 Jun  8 2005 "C:\hp\drivers\video_Intel\igfxpers.exe"
    114688 Jun  8 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
    253952 May 10 2005 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
     61440 Sep 14 2006 "C:\Program Files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe"
    230496 Dec  6 2005 "C:\Program Files\Citrix\GoToMyPC\bak\g2svc.exe"
     48800 Dec 27 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
     58488 Aug 13 2004 "C:\Documents and Settings\Paul\Local Settings\Temp\NAV\Support\ccCommon\ccCommon\ccApp.exe"
    411648 Mar 23 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
    411648 Mar  5 2007 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
    245760 Feb 26 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
     49152 May 12 2005 "C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
    182855 Apr 17 2006 "C:\Program Files\Plaxo\PlaxoHelper.exe"
    182855 Apr 17 2006 "C:\Program Files\Plaxo\2.8.1.2\PlaxoHelper.exe"
    182855 Apr 17 2006 "C:\Program Files\Plaxo\2.6.2.9\bak\PlaxoHelper.exe"
     99480 Apr  5 2004 "C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe"
    976472 Oct  5 2006 "C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
    313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
    155648 Jan 12 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
    139264 Sep 13 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe"
     34904 Oct 20 2004 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
    221184 Feb 16 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
    180269 Sep 27 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
     49152 Jun  2 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
     36972 Sep 27 2005 "C:\Program Files\Java\jre1.5.0\bin\jusched.exe"
     36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
     50792 Nov  2 2005 "C:\Program Files\Common Files\AOL\1135834824\ee\aolsoftware.exe"
     50792 Nov  2 2005 "C:\Program Files\Common Files\AOL\1136148289\ee\bak\AOLSoftware.exe"
    196608 Jan 30 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe"


  end of report
Author Comment

by:cdion
Re-ran ComboFix while not in Safe Mode; this is the log file output:

Start Time= Tue 03/27/2007 23:56:54.57

(((((((((((((((((((((((((((((((((((((((((((((((((((   Ssk's Log   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Yahoo!\WidgetEngine\UnixUtils\usr\local\wbin\echo.exe


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 0:00:20.23
((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-27     10:13:40                       ( .D... )   "C:\Program Files\CCleaner"
2007-03-27     10:11:26                       ( .D... )   "C:\Program Files\Mozilla Firefox"
2007-03-23     16:04:22            0       ( A.... )   "C:\WINDOWS\system32\dlh9jkd1q8.exe"
2007-03-23     08:28:28         9216       ( A.... )   "C:\WINDOWS\system32\avgwlntf.dll"
2007-03-23     00:23:20                       ( .D... )   "C:\Documents and Settings\Colleen\Application Data\AVG7"
2007-03-23     00:23:14       110592       ( A.... )   "C:\WINDOWS\system32\avgfwafu.dll"
2007-03-23     00:09:34                       ( .D... )   "C:\Documents and Settings\Colleen\Application Data\Lavasoft"
2007-03-23     00:08:34                       ( .D... )   "C:\Program Files\Lavasoft"
2007-03-23     00:07:44                       ( .D... )   "C:\Program Files\Common Files\Wise Installation Wizard"
2007-03-22     15:17:56        19664       ( A.... )   "C:\WINDOWS\system32\ir4l32.dll"
2007-03-05     11:05:06                       ( .D... )   "C:\Program Files\Grisoft"
2007-02-13     14:14:02                       ( .D... )   "C:\Documents and Settings\Colleen\Application Data\Viewpoint"
2007-02-07     16:08:58                       ( .D... )   "C:\Documents and Settings\Colleen\Application Data\LinkedIn"
2006-05-27     21:18:34          393       ( A.... )   "C:\Program Files\Shortcut to Program Files.lnk"


(((((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   )))))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SMSERIAL"="sm56hlpr.exe"
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"isDeleteMe"="\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"C:\\DOCUME~1\\Colleen\\LOCALS~1\\Temp\\isDel.bat\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"tunebite.exe"="C:\\Program Files\\tunebite\\tunebite.exe -hidden"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
 

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Easy Internet Sign-up.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Wed 03/28/2007  0:00:38.43
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

Author Comment

by:cdion
I was able to download Killbox on another computer and send it over to the infected computer. It was able to delete that ir4l32.dll file. Hoping that should do the trick?
LVL 47

Expert Comment

by:rpggamergirl
Sorry, it doesn't look good.
Yes, you have the file infector there, and a lot of your legit files have been infected. What I would suggest is a reformat and starting from scratch.

OR: the Kaspersky free trial is supposedly able to fix the infected files; you could try that, which might be easier.
Kaspersky free trial:
http://www.kaspersky.com/trials.html

Or try deleting those infected files yourself and then copying back the original files.
All those legit files listed are no longer the correct ones; the original legit files have been moved into those "bak" folders, as you can see in the log. (I just picked two examples from your log.)

C:\WINDOWS\ehome\ehtray.exe <-- original location, now replaced by the infector
C:\WINDOWS\ehome\bak\ehtray.exe <-- original moved to a "bak" folder

C:\WINDOWS\system32\ctfmon.exe <-- original, now replaced by the infector
C:\WINDOWS\system32\bak\ctfmon.exe <-- original moved to a "bak" folder



You could make a batch file to delete all those infected files and copy the originals back from the bak folders.
An example of your batch file would be like this (you'll have a long list of them), for the infected examples "ehtray.exe" and "ctfmon.exe":


@echo off
rem For each infected file: delete the replaced copy (if present), then put the original back from the "bak" folder.
rem del /q deletes without prompting; copy /y overwrites without prompting.

if exist "C:\WINDOWS\ehome\ehtray.exe" del /q "C:\WINDOWS\ehome\ehtray.exe"
copy /y "C:\WINDOWS\ehome\bak\ehtray.exe" "C:\WINDOWS\ehome\ehtray.exe"

if exist "C:\WINDOWS\system32\ctfmon.exe" del /q "C:\WINDOWS\system32\ctfmon.exe"
copy /y "C:\WINDOWS\system32\bak\ctfmon.exe" "C:\WINDOWS\system32\ctfmon.exe"


You do that with all of the infected files that you have there... or just use Kaspersky; it's easy enough to uninstall later on.
LVL 47

Expert Comment

by:rpggamergirl
Oops, I didn't see you had already deleted the ir4l32.dll file.
Make sure these are deleted as well:
C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\WINDOWS\system32\tmp6A.tmp.dll


You also need to remove these registry entries in HijackThis:
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp6A.tmp.dll
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\pmnlkk.dll",setvm
O20 - Winlogon Notify: ir4l32 - C:\WINDOWS\SYSTEM32\ir4l32.dll

Then that still leaves you with the file infector issue.

Author Comment

by:cdion
Luckily, none of those are coming up in the HijackThis log now, except to say that the file is missing. I think luckily too, a lot of those bak files may actually be legit. Most of the dates on those are well before the infected date, which I know is 3/22/07, and I checked some of them on that virusscan.jotti site and so far so good. It may not be as bad as it looks.

Logfile of HijackThis v1.99.1
Scan saved at 9:26:26 AM, on 3/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Installations\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {489021a8-a84f-49ba-bce3-d92dbd1ed2da} - C:\WINDOWS\system32\ir4l32.dll (file missing)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp6A.tmp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIB7FC~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/14.18/uploader2.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ir4l32 - ir4l32.dll (file missing)
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe

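The cleanup in this thread comes down to reading a handful of HijackThis entry types (O2 BHOs, O4 Run keys, O20 Winlogon Notify, O23 services) and deciding which ones are leftovers, loaders or legitimate. As an added Python example, not from the thread and not HijackThis code, here is a small triage script that parses those lines and flags the ones an analyst checks first: "(file missing)" leftovers, unnamed BHOs, temp-style DLL names, rundll32 loaders, DLLs sitting directly in C:\WINDOWS, and services with no vendor string. The sample lines are copied from the logs quoted above; the flag rules are this example's own heuristics (assumptions), not anything HijackThis itself reports.

```python
"""Triage the load points in a HijackThis 1.99 log.

Added example, not part of the original thread and not HijackThis code.
The sample lines are copied from the logs quoted in the thread; the flag
rules are this example's own heuristics, not HijackThis output.
"""
import re

MISSING = "(file missing)"
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 lines look like:  HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Lines taken from the HijackThis logs quoted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {489021a8-a84f-49ba-bce3-d92dbd1ed2da} - C:\WINDOWS\system32\ir4l32.dll (file missing)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp6A.tmp.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\pmnlkk.dll",setvm
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: ir4l32 - ir4l32.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
"""


def parse_entry(line):
    """Split one log line into section (O2, O4, ...), display name and target."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    missing = rest.endswith(MISSING)
    if missing:
        rest = rest[: -len(MISSING)].rstrip()
    if kind == "O4":
        m4 = O4_RE.match(rest)
        if not m4:
            return None
        name, target = m4.group("name"), m4.group("cmd")
    else:
        # "Section: Name - (clsid or vendor) - target": the target is the last field
        parts = rest.split(" - ")
        head = parts[0].split(": ", 1)
        name = head[1] if len(head) > 1 else head[0]
        target = parts[-1]
    return {"kind": kind, "name": name, "target": target,
            "missing": missing, "line": line.strip()}


def flags_for(entry):
    """Heuristic reasons (assumptions of this example) to look twice at a load point."""
    reasons = []
    low = entry["target"].lower()
    if entry["missing"]:
        reasons.append("target file missing: orphaned load point, safe to fix in HijackThis")
    if entry["kind"] == "O2" and entry["name"] == "(no name)":
        reasons.append("BHO without a name")
    if re.search(r"\\tmp[0-9a-z]*\.tmp\.dll$", low):
        reasons.append("temp-style DLL name")
    if "rundll32" in low:
        reasons.append("rundll32 used to load a DLL at logon")
    if re.search(r"c:\\windows\\[^\\]+\.dll", low):
        reasons.append("DLL sitting directly in the Windows directory")
    if entry["kind"] == "O23" and " - Unknown owner - " in entry["line"]:
        reasons.append("service with no vendor string: verify the binary")
    return reasons


def triage(log_text):
    """Return [(line, [reasons])] for every load point that earned at least one flag."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        reasons = flags_for(entry)
        if reasons:
            findings.append((entry["line"], reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Against the sample, the script leaves the Adobe BHO, ehTray, the AVG entries and the AVG service alone and flags five lines: the two orphaned ir4l32 entries, the tmp6A.tmp.dll BHO, the rundll32 loader pointing at a DLL in the Windows root, and the ScsiAccess service, the last only as "verify", which is what the thread did by hand. A flag is a reason to look, not a verdict; the "Unknown owner" rule in particular hits plenty of legitimate third-party services.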

Author Comment

by:cdion
So far so good! Thanks so much for all your help!!! Hopefully it stays cleared.
LVL 47

Expert Comment

by:rpggamergirl
You can fix those "file missing" entries in HijackThis; they're just the leftover registry entries.
O2 - BHO: (no name) - {489021a8-a84f-49ba-bce3-d92dbd1ed2da} - C:\WINDOWS\system32\ir4l32.dll (file missing)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp6A.tmp.dll (file missing)
O20 - Winlogon Notify: ir4l32 - ir4l32.dll (file missing)


>>a lot of those bak files may actually be legit<<
Yes, they are the legit files; that's what the infector is supposed to do: move the legit files to the "bak" folder.
I don't think the infector changes the dates when it infects the files and moves the legit ones to the bak folder.

Anyway, if things are fine then that's great! I hope it will stay that way.
Thanks for the points, and...

Good Luck!
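Two points in this thread call for the same tool: the batch-file restore earlier on, which deletes and copies by file name alone, and the exchange just above about file dates, which leans on timestamps that a replacement file can carry over unchanged. The following is an added Python example (not from the thread, and not rpggamergirl's or cdion's code) that pairs every file with its bak\ copy, compares the two by SHA-256 rather than by date, and emits the same kind of restore batch file only for pairs that actually differ. The directory tree it scans is constructed in a temporary folder for illustration, with one pair whose live file has been altered but given the original's timestamp; on a real machine you would point find_bak_pairs at C:\WINDOWS and C:\Program Files.

```python
r"""Verify "bak" folder pairs by content hash and emit a restore plan.

Added example, not part of the original thread.  It assumes the layout the
thread describes (original moved to <dir>\bak\<name>, a replacement left at
<dir>\<name>) and builds a constructed stand-in for that layout in a
temporary directory; nothing here touches a real Windows install.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root):
    """(live, bak) for every file inside a 'bak' directory whose same-named
    sibling exists one level up."""
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in files:
            live = os.path.join(parent, name)
            if os.path.isfile(live):
                pairs.append((live, os.path.join(dirpath, name)))
    return sorted(pairs)


def compare_pairs(root):
    """Judge each pair on content, and record whether a date-based check
    would have been fooled (same mtime, different bytes)."""
    results = []
    for live, bak in find_bak_pairs(root):
        st_live, st_bak = os.stat(live), os.stat(bak)
        results.append({
            "live": live, "bak": bak,
            "same_content": sha256_of(live) == sha256_of(bak),
            "same_mtime": st_live.st_mtime_ns == st_bak.st_mtime_ns,
            "live_size": st_live.st_size, "bak_size": st_bak.st_size,
        })
    return results


def restore_plan(results):
    """Batch-file lines, same shape as the thread's example, for pairs whose
    live copy no longer matches its bak copy.  Run only after the bak copies
    have themselves been scanned or matched against known-good hashes."""
    lines = ["@echo off"]
    for r in results:
        if r["same_content"]:
            continue
        lines.append('if exist "%s" del /q "%s"' % (r["live"], r["live"]))
        lines.append('copy /y "%s" "%s"' % (r["bak"], r["live"]))
    return lines


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_sample_tree(root):
    """Constructed stand-in: ehtray.exe replaced (stub prepended to the
    original) and stamped with the original's mtime; ctfmon.exe untouched."""
    original = b"MZ original ehtray body"
    bak = os.path.join(root, "ehome", "bak", "ehtray.exe")
    live = os.path.join(root, "ehome", "ehtray.exe")
    _write(bak, original)
    _write(live, b"MZ infector stub " + original)
    st = os.stat(bak)
    os.utime(live, ns=(st.st_atime_ns, st.st_mtime_ns))  # date check now passes
    _write(os.path.join(root, "system32", "bak", "ctfmon.exe"), b"MZ ctfmon body")
    _write(os.path.join(root, "system32", "ctfmon.exe"), b"MZ ctfmon body")


def run_demo():
    """Build the sample tree, compare it, and return (results, batch lines)."""
    root = tempfile.mkdtemp(prefix="bakscan-")
    try:
        build_sample_tree(root)
        results = compare_pairs(root)
        return results, restore_plan(results)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    results, plan = run_demo()
    for r in results:
        verdict = "identical" if r["same_content"] else "DIFFERS from bak"
        print("%s: %s (same mtime: %s)" % (r["live"], verdict, r["same_mtime"]))
    print("\n".join(plan))
```

In the sample the ehtray.exe pair reports the same modification time but different hashes, which is exactly the case a "the dates look fine" check misses, while the untouched ctfmon.exe pair is identical and gets no restore lines. Two things the script cannot settle for you: a bak copy is only a safe source if it has been scanned or matched against a known-good hash, and del fails on an executable that is currently running (ehtray.exe and ctfmon.exe both appear in the running-process list in the logs above), so the generated batch file belongs in Safe Mode or after those processes have been ended.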
