Can i delete this infected file: kernel32.dll ??

[swatkat]

Download Webroot Spysweeper and CCleaner and install them.

1] Run HijackThis and click "Do only a System scan". Then select these entries:-

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = *searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = *searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = *searchmiracle.com/sp.php

Then close all other open programs except HijackThis, and click "Fix Checked" in HijackThis.

2] Exit from HijackThis. Yes, delete these files and folders:-
C:\WINNT\EliteSideBar
elitefaw32.exe

Delete these files if you find it:-
C:\protas.exe
c:\winnt\protector.exe

And go this folder c:\documents and settings\rohan\favorites\ and delete all folders and files inside the Favorites folder. (Do not delete the Favorites folder!)

3] Run WebRoot SpySweeper, Click "Options" button and then click "Sweep Options" tab, and here select all the Hard Disk Partitions.
Select these items in the "What to Sweep" Options box:-
"Sweep Memory"
"Sweep Registry"
"Sweep All User Accounts"
"Do Not Sweep System Restore Folders"

In the "Where to Sweep" Options box, select "Sweep All Folders on selected drives".
Then click "Sweep Now" button in left pane, and click "Start". After the scan, remove all the malwares it may find.

Run CCleaner, click "Options" button and here go to "Settings" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner".


4] Restart the System. Run HijackThis again and post a fresh log.


Did you run MS AntiSpyware before fixing with HijackThis? Also, did WebRoot Spysweeper found anything? IS the Kernel32.dll is alright now (Is Norton detecting any virus)?

 

[rohanbee]

I have not touched the kernel32 file yet. Just shot of an e-mail to norton as well. Lets see their response.

Yes, i did run Ms antispyware before fixing with Hijackthis. But is that bad/wrong???

I am downloading the softwares now and will revert back to you..........
By the way should keep the softwares such as cwshredder and spfix??? ..........

 

[swatkat]

No problems in running MS AntiSpyware before HijackThis, but it will remove some baddies, due to this they do not appear in HijackThis, that's all.

Yes, you can keep CWShredder, SpSeHjFix.

 

[swatkat]

To prevent the installation of bad Tracking cookies, BHOs, Toolbars, ActiveX components, you can use SpywareBlaster. Just run it, and click "Enable All Protection" and close it! It prevents the installations of bad extensions for Internet Explorer.

After fixing using HijackThis, if possible, perform an online virus scan at Panda ActiveScan, and save the log file it gives.
Then post this log along with the HijackThis log.

 

[rohanbee]

Its not about keeping the softwares i just wanna make sure that my Pc doesn't get cluttered. Just tell me how i can further use these softwares to do some preventive protection of my Pc rather than be in a situation like this one..........

 

[rohanbee]

Here is what spy sweeper gave up: --
04:06 PM: |··· Start of Session, Wednesday, May 18, 2005 ···|
04:06 PM: Spy Sweeper 3.5.0 (Build 199) started
04:06 PM: Updating spyware definitions
04:07 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
04:07 PM: Sweep initiated using definitions version 421
04:07 PM: Sweeping memory for threats.
04:08 PM: Memory sweep has completed. Elapsed time 00:00:24
04:08 PM: Registry sweep initiated.
04:08 PM: Found: 25 EliteBar registry traces.
04:08 PM: Found: 2 EliteBar SearchMiracle Hijacker registry traces.
04:08 PM: Registry sweep completed. Elapsed time 00:00:46
04:08 PM: Full sweep on all local drives initiated.
04:08 PM: Now sweeping drive C:
04:12 PM: Found Cookie: revenue.net Cookie, version 1, c:\documents and settings\rohan\cookies\rohan@revenue[1].txt
04:22 PM: Found: 1 file traces.
04:22 PM: Full Sweep has completed. Elapsed time 00:15:04
20,700 files swept
28 item traces located
04:25 PM: Removal process initiated
04:25 PM: Quarantining: EliteBar
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq
04:25 PM: Registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser||{825cf5bd-8862-4430-b771-0c15c5ca8def}
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||tm
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||ad
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||am
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||at
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||ac
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||u
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||i
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||tr
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||leck
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||country
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||city
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||state
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||rx
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||rx2.8
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||rx2.9
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||rx3.0
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||rx3.1
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||rx3.2
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||rx3.3
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||fu3.4
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||fu3.5
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||fu3.6
04:25 PM: Registry: HKEY_CURRENT_USER\software\lq||lu3.7
04:25 PM: Quarantining: EliteBar SearchMiracle Hijacker
04:25 PM: Registry: HKEY_CURRENT_USER\software\microsoft\internet explorer||searchurl
04:25 PM: Registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\main||search bar
04:25 PM: Quarantining: revenue.net Cookie
04:25 PM: Cookie: c:\documents and settings\rohan\cookies\rohan@revenue[1].txt
04:25 PM: Cleaning Traces
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser|| ({825cf5bd-8862-4430-b771-0c15c5ca8def})
04:25 PM: Replacing registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\main|| (search bar) || (*ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm)
04:25 PM: Replacing registry: HKEY_CURRENT_USER\software\microsoft\internet explorer|| (searchurl) || (*ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (u)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (tr)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (tm)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (state)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (rx3.3)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (rx3.2)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (rx3.1)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (rx3.0)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (rx2.9)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (rx2.8)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (rx)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (lu3.7)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (leck)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (i)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (fu3.6)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (fu3.5)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (fu3.4)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (country)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (city)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (at)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (am)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (ad)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (ac)
04:25 PM: Removing registry: HKEY_CURRENT_USER\software\lq
04:25 PM: Removal process completed. Elapsed time 00:00:26
3 items (28 traces) quarantined.

 

[swatkat]

Ok...Perform a full system scan using Norton, and check whether it detecs the Startpage.m or any other spyware/virus.
Also, post a fresh HijackThis log.

 

[Charley]

@Swatkat, give me a check on this log too. Tks.

Logfile of HijackThis v1.99.1
Scan saved at 1:14:03 PM, on 5/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATIUPDPL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PKWARE\PKZIPW\pkzipw.exe
C:\PKTMP000.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - *surechat.com:9000/Java/cfs31229.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - *www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = dataone
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 61.1.96.69,61.1.96.71

 

[rohanbee]

Ok...Perform a full system scan using Norton, and check whether it detecs the Startpage.m or any other spyware/virus.
Also, post a fresh HijackThis log.

Ok as per your instructions and more did the following:-
Did a norton av scan with latest updated virus definitions. It shows the system as completely clean. One file still in quarantine kernel32.dll (iam still thinking over wether to do do what you told me scared shitless as to what might happen if things go wrong)

Did scans with microsfot anti-spyware -- nothing detected

Scanned with Spysweeper -- 1 item found elite search bar....?? every time i run spy sweeper it finds it. This time i deleted from quarantine as well. Running another sweep!

Downloaded Windows 2000 service pack 4 and re-started to take effect.

 

[rohanbee]

Swatkat here is my latest file..........

Logfile of HijackThis v1.99.1
Scan saved at 5:01:15 PM, on 5/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NAV\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\cba\pds.exe
C:\Program Files\NAV\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\IoctlSvc.exe
C:\Program Files\Symantec\Quarantine\Server\qserver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NILaunch.exe
C:\Program Files\Caere\OmniPagePro80\opware32.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\PROGRA~1\NAV\vptray.exe
C:\Program Files\USB 2.0 Flash Drive Utility\PLBkMon.exe
C:\WINNT\System32\HotfixQ0306270.exe
C:\WINNT\system32\atiupdpl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\lotus\register\remind32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = *www.pcquest.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = *www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = *www.pcquest.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PCQuest
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:8080
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINNT\System32\NILaunch.exe
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro80\opware32.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKLM\..\Run: [TSE_PLUtil] C:\Program Files\USB 2.0 Flash Drive Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINNT\System32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus SmartSuite Release 9 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=*www.pcquest.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - *go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NAV\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINNT\system32\IoctlSvc.exe
O23 - Service: Symantec Central Quarantine (qserver) - Symantec Corporation - C:\Program Files\Symantec\Quarantine\Server\qserver.exe

 

[swatkat]

Hi,
Log looks clean! Now what about Kernel32.dll issue? Did you get any reply from Norton?

 

[rohanbee]

Thank the Lord, god & you swatkat.

Norton: Nope nothing till now. They do you give you a warnig that reply's can be delayed for many days due to heavy on-slought of pending inquires. yes, thats quite conviniet for them isn't it.

about the kernel32.dll can you try it on your system before i try it
just kidding!!!

 

[amitsaudy]

Maan that sure was a post mortem of the OS.
I ve been followin this thread right from the start
n its been very informative(Thanx to Swatkat)

 

[rohanbee]

Yes and poor me. No thanks to the guy who had to actually suffer so that others could learn . I would not want this hell again.

Also Swat my Spysweeper is going to run out of its free trial in 12 days. Is there any other free spyware apart from SpyBot that i can use.
Or...
should i pay spysweeper and get the subscription!!