1 Message

March 6th, 2005 14:00

I have the same problem. Task manager disappears after a split second.

4.8K Posts

March 7th, 2005 00:00

abetterway,

Hello! and welcome to the Dell forums.

-

Let's see what we can do. Also, post back a new log using the newest version of HiJackThis, since it can locate 'problems' that this version cannot see.



Go to www.trendmicro.com, and then:

1. Click " Free Online Scan".
2. Click " Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:

1. Select all available drives.
2. Check(tick) " Auto Clean".
3. Click " Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.



Run HiJackThis then:

1. Click " Config..."
2. Click " Misc Tools"
3. Click " Open Process manager"

-

Next, while holding down the CTRL key, locate ( if present) and click on ( highlight) each of the following:

C:\WINDOWS\SYSTEM32\kernelll.pif

Now double-check and make sure that only those item(s) above are highlighted, then click " Kill process". Now, click " Refresh", check again, and repeat this step if any remain.



Download, then unzip to " C:\HJT", the newest version of HiJackThis; version 1.99.1. Then repost your log, either now, or after following the steps in the solution ( if provided in this post). This version has features that might be more helpful in 'cleaning' up your system.



Run HiJackThis and click " Scan", then check(tick) the following, if present:


O4 - HKLM\..\Run: [kernelll] C:\WINDOWS\SYSTEM32\kernelll.pif
O4 - HKLM\..\RunOnce: [kernelll] C:\WINDOWS\SYSTEM32\kernelll.pif /RunOnce

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
... (Unless you've restricted the use of registry editing, have HiJackThis fix this.)


Now, with all windows closed except HiJackThis, click " Fix checked".



Post back a new log, and let me know how everything goes.

-

Mike.
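The procedure above boils down to three checks on a HijackThis log: which O4 (Run/RunOnce) entries launch something that is not an ordinary .exe, which O7 policy values are stopping regedit or Task Manager from opening, and whether the flagged autorun target is also in the running-process list at the top of the log. The following script is an added example, not code from the thread or from HijackThis; it parses a log in the 1.99.x format and applies those checks. The extension list and the policy-name list are assumptions of the example, and the embedded log is a constructed excerpt modelled on the one posted later in this thread.

```python
"""Triage a HijackThis 1.99.x log (added example, not from the thread):
flag O4 autoruns that launch non-.exe payloads, O7 policies that disable
regedit/Task Manager, O23 services with a missing binary, and cross-check
flagged autoruns against the "Running processes" list."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: these run from a Run key but are almost never a legitimate
# autorun target (.pif is a DOS shortcut format Windows treats as executable).
ODD_AUTORUN_EXT = {".pif", ".scr", ".com", ".bat", ".cmd"}
# Assumption: policy values under ...\Policies\System that lock the owner out.
RESTRICTIVE_POLICIES = {"DisableRegedit", "DisableTaskMgr", "DisableCMD"}

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O7_RE = re.compile(r"^O7 - (?P<key>.+?), (?P<value>\w+)=(?P<data>\S+)$")
# Drive-letter path ending in an executable extension; the lookahead keeps
# "Digi-Watcher.com\Watcher.exe" from being cut off at ".com".
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|pif|scr|com|bat|cmd|dll))"?(?=["\s,]|$)', re.I)


@dataclass
class Finding:
    severity: str
    line: str
    reason: str


@dataclass
class HjtLog:
    processes: List[str] = field(default_factory=list)
    entries: List[Tuple[str, str]] = field(default_factory=list)  # (code, raw line)


def parse_hjt_log(text: str) -> HjtLog:
    """Split a log into the running-process list and the coded (R0/O4/O23 ...) entries."""
    log, in_procs = HjtLog(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            log.entries.append((m.group(1), line))
        elif in_procs:
            log.processes.append(line)
    return log


def autorun_target(cmd: str) -> Optional[str]:
    """Return the executable path from a Run-key command line, or None."""
    m = PATH_RE.search(cmd)
    return m.group(1) if m else None


def triage(log: HjtLog) -> List[Finding]:
    findings: List[Finding] = []
    running = {p.lower() for p in log.processes}
    for code, line in log.entries:
        if code == "O4":
            m = O4_RE.match(line)
            target = autorun_target(m.group("cmd")) if m else None
            if target is None:
                continue
            ext = target[target.rfind("."):].lower()
            if ext in ODD_AUTORUN_EXT:
                reason = f"{m.group('key')} entry launches a {ext} file"
                if target.lower() in running:
                    reason += " that is also in the running-process list"
                findings.append(Finding("high", line, reason))
        elif code == "O7":
            m = O7_RE.match(line)
            if m and m.group("value") in RESTRICTIVE_POLICIES and m.group("data") != "0":
                findings.append(Finding("high", line,
                                        f"{m.group('value')} policy is set; regedit/Task Manager will refuse to start"))
        elif code == "O23" and line.endswith("(file missing)"):
            findings.append(Finding("low", line, "service points at a binary that is not on disk"))
    return findings


# Constructed sample: a short excerpt in the shape of the log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe
C:\WINDOWS\SYSTEM32\kernelll.pif
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [kernelll] C:\WINDOWS\SYSTEM32\kernelll.pif
O4 - HKLM\..\RunOnce: [kernelll] C:\WINDOWS\SYSTEM32\kernelll.pif /RunOnce
O4 - HKCU\..\Run: [LoadWatcher] C:\Program Files\Digi-Watcher.com\Watcher 2.22\Watcher.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

if __name__ == "__main__":
    for f in triage(parse_hjt_log(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run it against a saved log (read the file into `parse_hjt_log`) and the two kernelll entries come out first, each marked as still running, which is the combination the instructions above treat as "kill the process first, then fix the entries". A .pif or .scr target is only a heuristic; confirm with the vendor names on the O23 lines and the file's size and date before fixing anything.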

16 Posts

March 7th, 2005 23:00

The House call program was unable to clean or delete:
House Call Report
We have detected 2 infected file(s) with 2 virus(es) on your computer: 0 virus(es) cleaned, 0 virus(es) uncleanable, 1 virus(es) deleted, 1 virus(es) undeletable, 0 virus(es) passed.
Detected File Associated Virus Name Action taken
C:\Documents and Settings\ENTER\Local Settings\Temporary Internet Files\Content.IE5\OJ7FMGL5\QDow_AS2[1].cab (QDow_AS2.dll) TROJ_QDOWN.L Undeletable

The new version of HiJackThis posted the following error before continuing its scan:
An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #5 - Invalid procedure call or argument
Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible
Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1
This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
This is my most recent scan; as I'm sure you will notice, the new version of HiJackThis was unable to fix the three boxes you said to tick before cleaning. The process did show itself as stopped in the configuration screen but reappears as active here. I hope there is something I can do; I await your response. Thanks again for your efforts.

Logfile of HijackThis v1.99.1
Scan saved at 7:38:50 PM, on 3/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\WILDTA~1\Apps\GAMECH~1.EXE
C:\WINDOWS\system32\LXSUPMON.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\mmtask.exe
C:\PROGRA~1\COMMON~1\Real\UPDATE~1\REALSC~1.EXE
C:\PROGRA~1\COMMON~1\Dell\EUSW\Support.exe
C:\PROGRA~1\Dell\MEDIAE~1\PCMSER~1.EXE
C:\PROGRA~1\COMMON~1\SYMANT~1\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\DOCUME~1\ALLUSE~1\DOCUME~1\FreeRam\FREERA~1.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HIJACK~1.EXE
C:\WINDOWS\SYSTEM32\kernelll.pif
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\notepad.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [kernelll] C:\WINDOWS\SYSTEM32\kernelll.pif
O4 - HKLM\..\RunOnce: [kernelll] C:\WINDOWS\SYSTEM32\kernelll.pif /RunOnce
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [LoadWatcher] C:\Program Files\Digi-Watcher.com\Watcher 2.22\Watcher.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\DOCUME~1\ALLUSE~1\DOCUME~1\FreeRam\FREERA~1.EXE" -win
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (WHIP! Control) - ftp://ftp-2.autodesk.com/pub/autocad/plugin/whip.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

4.8K Posts

March 8th, 2005 21:00

abetterway,

Let's see if we can 'kill' this program from the active task list:



Run HiJackThis then:

1. Click " Config..."
2. Click " Misc Tools"
3. Click " Open Process manager"

-

Next, while holding down the CTRL key, locate ( if present) and click on ( highlight) each of the following:

C:\WINDOWS\SYSTEM32\kernelll.pif

Now double-check and make sure that only those item(s) above are highlighted, then click " Kill process". Now, click " Refresh", check again, and repeat this step if any remain.



Don't reboot your system until we're done, and let me know if you're able to end the process (if so, make sure it doesn't come back).

-

Mike.

4.8K Posts

March 8th, 2005 23:00

Mike,

If you'd like me to recommend you to another board, I'll be glad to do so. Otherwise, let's make sure that running process is 'dead' in the Windows task list, then go immediately and delete the file, then post back and let me know how it went?

-

Mike.

16 Posts

March 8th, 2005 23:00

I was very careful to follow all your directions the first time, but I tried terminating the running process kernelll.dll again and the same thing happens. It says it's dead; I can click refresh and it still says it's dead, but when I try to tick the three entries in the scan screen again they will not go away, and if I go back to config and click running processes I find it running again at the end of the list. When I kill it again the same thing happens. Maybe you know someone else who might be familiar with this specific threat and might help; it's a pretty tricky one and I'm sure stumped.
I sure appreciate any more suggestions you may have to offer.
Thanks again for trying
Mike

16 Posts

March 9th, 2005 01:00

That really seemed to mess some stuff up. Almost none of my programs work now, including Norton Anti-Virus and Help and Support. When I click on anything, Windows pops up a screen asking what program I'd like to run the file with. I checked the properties on the shortcuts and they are unchanged. I can't even get HiJackThis to run now.

4.8K Posts

March 9th, 2005 02:00

abetterway,

That does seem kinda strange...

I'm slightly confused here, so help me to understand what's going on with your system. Two posts up, everything was working OK (it's kernelll.pif, not kernelll.dll, which isn't the same as kernel.xxx, by the way), and there weren't any problems with any of your software, correct? Now, after 'killing' the app that comes back this time, in the following post, nothing is working correctly? That's some tricky malware ... :(

Have you tried System Restore, or has that been disabled with no restore points available?

-

Mike.

16 Posts

March 9th, 2005 03:00

Two posts up I had the same problem I started with: no Task Manager and no regedit. When I deleted the file, most of my software, including cmd, just caused a box to pop up asking what program I wanted to run the program with. Before I checked with the board here I tried renaming kernelll.pif and made a copy of the original when I did. I just used it to put the file back in my system because my programs stopped working when I removed it. System Restore was unavailable, although it is functioning again now. It was wiped clean when this problem first started and I just have a couple of recent restore points now. There are two files, both 210 KB, one with the .pif extension, the other with no extension at all. When I just remove the one with the .pif extension, Windows still shows it as a running process in the same location even when it's gone. When I remove them both, all L breaks loose and nothing seems to work.

4.8K Posts

March 9th, 2005 04:00

abetterway,

Yeah, it does sound like something 'malicious' is going on in there. Did any of your anti-virus software or online virus scans pick anything up?

-

Mike.

16 Posts

March 9th, 2005 11:00

Microsoft Anti Virus asked if I was sure about installing kernelll.pif as the code looked suspicious

Comments posted by the program now list Pirater Trojan

BackDoor-EE.gen

4.8K Posts

March 10th, 2005 21:00

abetterway,

Have you tried a program like Kaspersky's anti-virus? It might be able to locate and fix the 'bug'. There's a free 30 day trial period on the pro version.

-

Mike.

 

4.8K Posts

March 11th, 2005 00:00

abetterway,

It can find things that others will miss.

-

Mike.

 

16 Posts

March 11th, 2005 00:00

No I have not tried that and have never heard of it before but I have noticed that at least one of my anti-virus or spyware programs added the sites to my hosts file. Going to take a look now....

16 Posts

March 12th, 2005 00:00

This is what happened: Kaspersky found and deleted multiple viruses. Now my system is not running most of the programs it has on it AGAIN! The same thing happened a couple of posts ago when I was able to stop the kernelll.pif service with HijackThis and then delete the files myself. Please take a look at the activity section of Kaspersky's log and my most recent HiJackThis log and let me know if you can tell what's wrong with it now.
 

Memory object kernelll.pif\kernelll.pif Is a trojan Backdoor.Win32.MoSucker.y. 3/10/2005 11:53:14 PM
Memory object kernelll.pif\kernelll.pif Deleted. 3/10/2005 11:53:14 PM
C:\WINDOWS\SYSTEM32\kernelll.pif Is a trojan Backdoor.Win32.MoSucker.y. 3/10/2005 11:53:14 PM
C:\WINDOWS\SYSTEM32\kernelll.pif Backup copy created. 3/10/2005 11:53:14 PM
C:\WINDOWS\SYSTEM32\kernelll.pif Could not be deleted. Reason: object blocked. 3/10/2005 11:53:14 PM
C:\WINDOWS\SYSTEM32\kernelll.pif Could not be deleted. Reason: file not found. 3/10/2005 11:54:01 PM
C:\WINDOWS\SYSTEM32\KERNELLL.PIF Not processed. Reason: object not found. 3/10/2005 11:54:04 PM
C:\WINDOWS\SYSTEM32\KERNELLL.PIF Not processed. Reason: object not found. 3/10/2005 11:54:04 PM
C:\Documents and Settings\All Users\Documents\Download\CybernetPay\EmailTester.zip\GateScan3.exe Packed. 3/10/2005 11:54:04 PM
C:\Documents and Settings\All Users\Documents\Download\CybernetPay\EmailTester.zip\GateScan3.exe Is a malicious program Email-Flooder.Win32.Aenima.20. 3/10/2005 11:54:04 PM
C:\Documents and Settings\All Users\Documents\Download\CybernetPay\EmailTester.zip Backup copy created. 3/10/2005 11:54:05 PM
C:\Documents and Settings\All Users\Documents\Download\CybernetPay\EmailTester.zip\GateScan3.exe Deleted. 3/10/2005 11:54:05 PM
C:\Documents and Settings\All Users\Documents\Download\CybernetPay\EmailTester\GateScan3.exe Packed. 3/10/2005 11:54:46 PM
C:\Documents and Settings\All Users\Documents\Download\CybernetPay\EmailTester\GateScan3.exe Is a malicious program Email-Flooder.Win32.Aenima.20. 3/10/2005 11:54:46 PM
C:\Documents and Settings\All Users\Documents\Download\CybernetPay\EmailTester\GateScan3.exe Backup copy created. 3/10/2005 11:54:46 PM
C:\Documents and Settings\All Users\Documents\Download\CybernetPay\EmailTester\GateScan3.exe Deleted. 3/10/2005 11:54:46 PM
C:\Documents and Settings\All Users\Documents\My Documents\LEADS\CybernetPay\EmailTester.zip\GateScan3.exe Packed. 3/10/2005 11:54:47 PM
C:\Documents and Settings\All Users\Documents\My Documents\LEADS\CybernetPay\EmailTester.zip\GateScan3.exe Is a malicious program Email-Flooder.Win32.Aenima.20. 3/10/2005 11:54:47 PM
C:\Documents and Settings\All Users\Documents\My Documents\LEADS\CybernetPay\EmailTester.zip Backup copy created. 3/10/2005 11:54:47 PM
C:\Documents and Settings\All Users\Documents\My Documents\LEADS\CybernetPay\EmailTester.zip\GateScan3.exe Deleted. 3/10/2005 11:54:47 PM
C:\Documents and Settings\All Users\Documents\My Documents\LEADS\CybernetPay\EmailTester\GateScan3.exe Packed. 3/10/2005 11:54:52 PM
C:\Documents and Settings\All Users\Documents\My Documents\LEADS\CybernetPay\EmailTester\GateScan3.exe Is a malicious program Email-Flooder.Win32.Aenima.20. 3/10/2005 11:54:52 PM
C:\Documents and Settings\All Users\Documents\My Documents\LEADS\CybernetPay\EmailTester\GateScan3.exe Backup copy created. 3/10/2005 11:54:52 PM
C:\Documents and Settings\All Users\Documents\My Documents\LEADS\CybernetPay\EmailTester\GateScan3.exe Deleted. 3/10/2005 11:54:52 PM
C:\Documents and Settings\ENTER\Local Settings\Temporary Internet Files\Content.IE5\OJ7FMGL5\QDow_AS2[1].cab\QDow_AS2.dll Is a trojan Trojan-Downloader.Win32.QDown.l. 3/10/2005 11:54:54 PM
C:\Documents and Settings\ENTER\Local Settings\Temporary Internet Files\Content.IE5\OJ7FMGL5\QDow_AS2[1].cab Backup copy created. 3/10/2005 11:54:54 PM
C:\Documents and Settings\ENTER\Local Settings\Temporary Internet Files\Content.IE5\OJ7FMGL5\QDow_AS2[1].cab\QDow_AS2.dll Deleted. 3/10/2005 11:54:54 PM
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
========================= HIJACKTHIS=================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Logfile of HijackThis v1.99.1
Scan saved at 7:45:13 PM, on 3/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0 -chkss
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [LoadWatcher] C:\Program Files\Digi-Watcher.com\Watcher 2.22\Watcher.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\DOCUME~1\ALLUSE~1\DOCUME~1\FreeRam\FREERA~1.EXE" -win
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (WHIP! Control) - ftp://ftp-2.autodesk.com/pub/autocad/plugin/whip.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe" -run bl -n PersonalPro -v 5.0.0.0 -ttsr 10000000 (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Please let me know what you think...
Is there supposed to be some sort of kernelll.XXX file needed for the system to run that could have been written over or inadvertently deleted with the virus?
 
Again...Thanks for taking a looky!
Mike