Bzub/small/tiny/agent.ir/agent.dp/etc.


33 replies to this topic

#1 careless75

Posted 23 March 2007 - 08:43 AM

Hi, recently noticed hlnahln.dll in system32. It didn't look right so I tried to delete it manually in normal and safe mode, to no avail. I ran everything suggested and found a lot more. PLEASE HELP.

Logfile of HijackThis v1.99.1
Scan saved at 6:30:32 PM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
C:\WINDOWS\System32\imapi.exe
D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
D:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Autodesk\FlexLM\adskflex.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Jason\LOCALS~1\Temp\Rar$EX00.448\HijackThis.exe

O2 - BHO: IGMONObj Class - {02464DDC-3187-11D8-8004-0020ED227566} - D:\Program Files\iGetter\Integration\IGMON.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57BE69EF-EF95-414B-9FEB-92F6F0DCE916} - C:\WINDOWS\system32\hlnahln.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Startup: systray.exe.lnk = C:\WINDOWS\system32\systray.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: systray.exe.lnk = C:\WINDOWS\system32\systray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download all with iGetter - D:\Program Files\iGetter\Integration\igetall.html
O8 - Extra context menu item: Download with iGetter - D:\Program Files\iGetter\Integration\iget.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.micro...jects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - https://music.msn.co...snmusax4331.cab
O20 - Winlogon Notify: qinckgml - C:\WINDOWS\SYSTEM32\hlnahln.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - D:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Here's the AVG log:

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:35:33 AM 3/22/2007

+ Scan result:



HKLM\SOFTWARE\NIX Solutions -> Adware.DailyToolbar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Interface\{900FBC20-6AEE-4E05-ABA9-AC46E309C029} -> Adware.Generic : Cleaned with backup (quarantined).
D:\Program Files\SmitfraudFix\SmiUpdate.exe -> Adware.SmiUpdate : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{694BAB1C-F120-4331-98E9-616C3A89B34C}\RP1\A0000012.exe -> Backdoor.Small.na : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{694BAB1C-F120-4331-98E9-616C3A89B34C}\RP1\A0000024.old -> Backdoor.Small.na : Cleaned with backup (quarantined).
C:\Documents and Settings\Jason\Local Settings\Temp\mkovt.exe -> Downloader.Tiny.fl : Cleaned with backup (quarantined).
C:\Recycled\839969.exe -> Hijacker.StartPage.qp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{694BAB1C-F120-4331-98E9-616C3A89B34C}\RP1\A0000025.old -> Logger.Agent.ir : Cleaned with backup (quarantined).
C:\WINDOWS\system\bpmdm32.dll -> Logger.Agent.ir : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{694BAB1C-F120-4331-98E9-616C3A89B34C}\RP1\A0000027.old -> Logger.BZub.hl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{694BAB1C-F120-4331-98E9-616C3A89B34C}\RP1\A0000026.old -> Logger.BZub.hx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{694BAB1C-F120-4331-98E9-616C3A89B34C}\RP1\A0000008.sys -> Rootkit.Agent.dp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{694BAB1C-F120-4331-98E9-616C3A89B34C}\RP2\A0001095.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{694BAB1C-F120-4331-98E9-616C3A89B34C}\RP2\A0001096.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{694BAB1C-F120-4331-98E9-616C3A89B34C}\RP2\A0001097.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{694BAB1C-F120-4331-98E9-616C3A89B34C}\RP2\A0001098.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{694BAB1C-F120-4331-98E9-616C3A89B34C}\RP2\A0001099.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{694BAB1C-F120-4331-98E9-616C3A89B34C}\RP2\A0001100.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{694BAB1C-F120-4331-98E9-616C3A89B34C}\RP2\A0001103.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{694BAB1C-F120-4331-98E9-616C3A89B34C}\RP2\A0001120.dll -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{694BAB1C-F120-4331-98E9-616C3A89B34C}\RP1\A0000033.sys -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\WINDOWS\system32\IEFilter.dll -> Trojan.Agent.fd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\IEFilter1.dll -> Trojan.Agent.fd : Cleaned with backup (quarantined).


::Report end

Any help would be greatly appreciated. I use this computer for school and need to get it back in shape ASAP. Thanks.
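What makes hlnahln.dll stand out in the log above is that one system32 DLL is registered twice: as an unnamed O2 BHO and as an O20 Winlogon Notify handler under a random-looking key. The Python below is an added example for this thread, not HijackThis code and not anything the poster ran: it parses those two sections, groups entries by DLL path, scores each DLL, and derives the reversed-stem companion name (hlnahln -> nlhanlh.*) that the VundoFix step later in the thread also targets. The sample lines are copied from the first log; the scoring weights and the random-key heuristic are assumptions of this example.

```python
"""Cross-reference O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log.

Added example for this thread; not HijackThis code and not from the original post.
Sample lines are copied from the thread's first log; the weights are assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# Assumed heuristic: a Notify key of only lowercase letters (e.g. "qinckgml")
# looks machine-generated, unlike vendor keys such as "WRNotifier".
RANDOM_KEY_RE = re.compile(r"^[a-z]{6,}$")


def parse_entries(log_text):
    """Group O2 and O20 entries by case-folded DLL path."""
    by_path = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            by_path[m["path"].lower()].append(
                {"section": "O2", "name": m["name"], "path": m["path"]})
            continue
        m = O20_RE.match(line)
        if m:
            by_path[m["path"].lower()].append(
                {"section": "O20", "key": m["key"], "path": m["path"]})
    return by_path


def score_dll(entries):
    """Return (score, reasons) for one DLL's grouped entries (weights are assumptions)."""
    score, reasons = 0, []
    sections = {e["section"] for e in entries}
    path = PureWindowsPath(entries[0]["path"])
    if {"O2", "O20"} <= sections:
        score += 2
        reasons.append("registered as both a BHO and a Winlogon Notify handler")
    if any(e["section"] == "O2" and e["name"] == "(no name)" for e in entries):
        score += 1
        reasons.append("BHO has no registered name")
    if path.parent.name.lower() == "system32":
        score += 1
        reasons.append("DLL lives directly in system32")
    for e in entries:
        if (e["section"] == "O20" and RANDOM_KEY_RE.match(e["key"])
                and e["key"] != path.stem.lower()):
            score += 1
            reasons.append(f"Winlogon Notify key '{e['key']}' looks random "
                           "and does not match the DLL name")
    return score, reasons


def reversed_stem_pattern(path):
    """Companion name to look for: the DLL stem spelled backwards, any extension.
    This mirrors the nlhanlh.* entry added in the VundoFix step of this thread."""
    return f"{PureWindowsPath(path).stem[::-1]}.*"


def analyze(log_text, threshold=3):
    """Return findings at or above threshold, highest score first."""
    findings = []
    for entries in parse_entries(log_text).values():
        score, reasons = score_dll(entries)
        if score >= threshold:
            findings.append({
                "path": entries[0]["path"],
                "score": score,
                "reasons": reasons,
                "companion": reversed_stem_pattern(entries[0]["path"]),
            })
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample input: the O2/O20 lines from the first HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: IGMONObj Class - {02464DDC-3187-11D8-8004-0020ED227566} - D:\Program Files\iGetter\Integration\IGMON.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57BE69EF-EF95-414B-9FEB-92F6F0DCE916} - C:\WINDOWS\system32\hlnahln.dll
O20 - Winlogon Notify: qinckgml - C:\WINDOWS\SYSTEM32\hlnahln.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['path']}  score={f['score']}  also look for: {f['companion']}")
        for r in f["reasons"]:
            print("   -", r)
```

Only hlnahln.dll crosses the threshold on the sample; Spybot's unnamed SDHelper.dll and Webroot's WRLogonNTF.dll each score 1, which is why a single weak signal should never be treated as a verdict on its own.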



#2 Markka

Posted 23 March 2007 - 09:03 AM

Hi and welcome to the forums. :) I'm Markka and I will be helping you with your malware issues. I'll check your HijackThis log. Right now I'm an MRU Undergrad, so everything that I post to you must be checked by teachers of Malware Removal University. Please be patient. :)

#3 careless75

Posted 23 March 2007 - 09:07 AM

Hi and thanks Markka, as you can see... I think I'm in some trouble :oops:

#4 Markka

Posted 23 March 2007 - 09:19 AM

Yes you are. You have some infections there :( But don't do anything before I tell you to. I will give you cleaning instructions as soon as possible. :) But I can't post anything to you before an HJT teacher has checked my cleaning instructions.

#5 Markka

Posted 23 March 2007 - 10:39 AM

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


I don't see any antivirus or firewall running on your computer. How is this possible? :o I recommend installing a free antivirus and firewall.

Firewalls: (install only one!)
Antiviruses: (install only one!)

Post:
  • a fresh HijackThis log
  • Contents of C:\vundofix.txt


#6 careless75

Posted 23 March 2007 - 11:04 AM

VundoFix said: No files were found.

As for antivirus and firewall... I've been running SpySweeper, is this program not adequate?

Here's new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:55:21 AM, on 3/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
C:\WINDOWS\System32\imapi.exe
D:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
D:\Program Files\Autodesk\FlexLM\adskflex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Jason\LOCALS~1\Temp\Rar$EX00.830\HijackThis.exe

O2 - BHO: IGMONObj Class - {02464DDC-3187-11D8-8004-0020ED227566} - D:\Program Files\iGetter\Integration\IGMON.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57BE69EF-EF95-414B-9FEB-92F6F0DCE916} - C:\WINDOWS\system32\hlnahln.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Startup: systray.exe.lnk = C:\WINDOWS\system32\systray.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: systray.exe.lnk = C:\WINDOWS\system32\systray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download all with iGetter - D:\Program Files\iGetter\Integration\igetall.html
O8 - Extra context menu item: Download with iGetter - D:\Program Files\iGetter\Integration\iget.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.micro...jects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - https://music.msn.co...snmusax4331.cab
O20 - Winlogon Notify: qinckgml - C:\WINDOWS\SYSTEM32\hlnahln.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - D:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#7 Markka

Posted 24 March 2007 - 03:06 AM

SpySweeper is not an antivirus ;)


  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens,Click Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the 2 entries below into the top 2 boxes

    • C:\WINDOWS\system32\hlnahln.dll
    • C:\WINDOWS\system32\nlhanlh.*
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.


Post a fresh HijackThis log and contents of C:\vundofix.txt.

#8 careless75

Posted 24 March 2007 - 07:32 AM

Sorry... more specifically, I'm running Webroot SpySweeper with antivirus. If you feel this program is inadequate, maybe I should get rid of it and use something else? I'm under the impression I should not use more than one.

Also, when I open VundoFix, there is no box to check, just buttons: Scan for Vundo and Remove Vundo. I did, however, add the two files.

Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 8:14:45 AM, on 3/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
C:\WINDOWS\System32\imapi.exe
D:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
D:\Program Files\Autodesk\FlexLM\adskflex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Jason\Desktop\scanner.exe\scanner.exe

O2 - BHO: IGMONObj Class - {02464DDC-3187-11D8-8004-0020ED227566} - D:\Program Files\iGetter\Integration\IGMON.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57BE69EF-EF95-414B-9FEB-92F6F0DCE916} - C:\WINDOWS\system32\hlnahln.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Startup: systray.exe.lnk = C:\WINDOWS\system32\systray.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: systray.exe.lnk = C:\WINDOWS\system32\systray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download all with iGetter - D:\Program Files\iGetter\Integration\igetall.html
O8 - Extra context menu item: Download with iGetter - D:\Program Files\iGetter\Integration\iget.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.micro...jects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - https://music.msn.co...snmusax4331.cab
O20 - Winlogon Notify: qinckgml - C:\WINDOWS\SYSTEM32\hlnahln.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - D:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


vundofix log:

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 11:43:25 AM 3/23/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hlnahln.dll
C:\WINDOWS\system32\hlnahln.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\hlnahln.dll
C:\WINDOWS\system32\hlnahln.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 8:03:41 AM 3/24/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...
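The entries that matter in the HijackThis log above are the O2 BHO with no name and the O20 Winlogon Notify handler: both point at the same system32 DLL, and the Notify key (qinckgml) is named differently from the DLL (hlnahln). As an added example that is not part of the thread or of any tool named in it, this Python script parses those two HijackThis line types and scores that pattern; the sample lines are copied from the log above, and the weights are this example's own choice.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: the O2 and O20 lines copied from the HijackThis log above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57BE69EF-EF95-414B-9FEB-92F6F0DCE916} - C:\WINDOWS\system32\hlnahln.dll
O20 - Winlogon Notify: qinckgml - C:\WINDOWS\SYSTEM32\hlnahln.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse_hjt(text):
    """Extract O2 (Browser Helper Object) and O20 (Winlogon Notify) entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            entries.append({"type": "O2", "name": m["name"],
                            "clsid": m["clsid"].upper(), "path": m["path"]})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries.append({"type": "O20", "key": m["key"], "path": m["path"]})
    return entries


def triage(entries, threshold=2):
    """Score each entry; return those at or above the threshold with their reasons.

    Signals (weights are a judgement call for this example, not a published scheme):
      +2  unnamed BHO loaded from system32
      +1  Notify key name differs from the DLL name (weak on its own: the
          legitimate WRNotifier / WRLogonNTF.dll pair in the same log also differs)
      +3  the same DLL is registered as both a BHO and a Winlogon Notify handler
    """
    by_dll = defaultdict(set)
    for e in entries:
        by_dll[e["path"].lower()].add(e["type"])

    findings = []
    for e in entries:
        path = e["path"].lower()
        stem = ntpath.splitext(ntpath.basename(path))[0]
        score, reasons = 0, []
        if e["type"] == "O2" and e["name"] == "(no name)" and "\\system32\\" in path:
            score += 2
            reasons.append("unnamed BHO loaded from system32")
        if e["type"] == "O20" and e["key"].lower() != stem:
            score += 1
            reasons.append(f"Notify key '{e['key']}' does not match DLL name '{stem}'")
        if {"O2", "O20"} <= by_dll[path]:
            score += 3
            reasons.append("same DLL is both a BHO and a Winlogon Notify handler")
        if score >= threshold:
            findings.append({"type": e["type"], "path": e["path"],
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{f['type']:<4}{f['path']}  score={f['score']}")
        for r in f["reasons"]:
            print("     -", r)
```

The key-name mismatch is also why a tool that looks up the Notify key by DLL name (Notify\hlnahln) reports "Key not found" while the handler is actually registered under Notify\qinckgml.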

#9 Markka

Markka

    Advanced Member

  • Banned
  • 784 posts

Posted 25 March 2007 - 01:13 AM

Sorry... more specifically, I'm running Webroot Spy Sweeper with antivirus. If you feel this program is inadequate, maybe I should get rid of it and use something else?

Okay, so you have antivirus but you don't have a firewall. So install some free firewall.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Process Explorer by Sysinternals from HERE.


Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of hlnahln once and then click the kill button.

After you have killed all of the hlnahln.dll under winlogon click OK.

Also look for any .ini or .bak files or other DLLs with either the same name or the file name in reverse, and kill them as well.

Example:

hlnahln.bak
hlnahln.ini
hlnahln.reg etc

or

hlnahln.dll
hlnahln.bak
hlnahln.ini etc

Next double click on explorer.exe and again click once on each instance of hlnahln then click the kill button.

Also look for any .ini or .bak files or reverse-named DLLs with either the same name or the file name in reverse, and kill them as well. See above for examples.

Click on the Threads tab at the top.

Once you have done that click OK again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please Download Killbox by Option^Explicit and save it to your desktop.

Note: This is the latest version of Killbox; if you already have Killbox, delete it and use this version.
  • Unzip the killbox.zip file
  • Double-click on killbox.exe to run it.
  • Choose these options:
    • Delete on reboot
    • After that click on all files button
  • Copy the complete text in quote box below to the clipboard by highlighting the filepaths and pressing Control + C:

    C:\WINDOWS\system32\hlnahln.dll

  • Go to the File menu of Killbox, and choose Paste from Clipboard.
  • Click the Delete File button that is a red-and-white X. Click Yes at the Delete on Reboot prompt.
    Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save the text below as fix.reg in Notepad (Save as type: All Files (*.*)) on the Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]

It should look like this -> Posted Image

Double-click fix.reg, press Yes and OK.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Open HijackThis, Click Do a system scan only, checkmark these and press fix checked:

O2 - BHO: (no name) - {57BE69EF-EF95-414B-9FEB-92F6F0DCE916} - C:\WINDOWS\system32\hlnahln.dll
O20 - Winlogon Notify: qinckgml - C:\WINDOWS\SYSTEM32\hlnahln.dll


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post a fresh HijackThis log.

#10 careless75

careless75

    New Member

  • Authentic Member
  • 17 posts

Posted 25 March 2007 - 11:57 PM

Hi.

The Process Explorer link provided was bad, so I googled it and downloaded it from the Microsoft site. I'm sure it's the same thing but thought you should know. When I clicked on the Threads tab under winlogon.exe there were no hlnahln.dll entries, only several !CreateThread+0x27 entries. Under Explorer.exe there were several and I killed them.

Next I downloaded Killbox and followed instructions...No PendingFileRenameOperations prompt.

Backed up the registry and created fix.reg, then ran it as instructed... no problems.

Ran an HJT scan and checked the hlnahln.dll entries.

P.S. When my computer is rebooting I keep getting a blue screen that says: checking disk for inconsistencies; sometimes it reboots over and over again until I cut the power manually and turn it back on. Then it again goes to the blue screen and checks the disk, but starts after that. It's getting a little frightening; I don't want to crash my system.

Also, please notice in the HJT log: KernelFaultCheck / dumprep 0 -k. I don't know what this is, and I've noticed it when I run startup.exe; I know it did not use to be there, so I wonder if this is part of the same infection.

Logfile of HijackThis v1.99.1
Scan saved at 12:31:12 AM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
C:\WINDOWS\System32\imapi.exe
D:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\Autodesk\FlexLM\adskflex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Jason\Desktop\scanner.exe\scanner.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57BE69EF-EF95-414B-9FEB-92F6F0DCE916} - C:\WINDOWS\system32\hlnahln.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - Startup: systray.exe.lnk = C:\WINDOWS\system32\systray.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: systray.exe.lnk = C:\WINDOWS\system32\systray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.micro...jects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9602.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - https://music.msn.co...snmusax4331.cab
O20 - Winlogon Notify: qinckgml - C:\WINDOWS\SYSTEM32\hlnahln.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - D:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



#11 Markka

Markka

    Advanced Member

  • Banned
  • 784 posts

Posted 27 March 2007 - 06:29 AM

Hi :D


Please Download Killbox by Option^Explicit and save it to your desktop.

Note: This is the latest version of Killbox; if you already have Killbox, delete it and use this version.
  • Unzip the killbox.zip file
  • Double-click on killbox.exe to run it.
  • Choose these options:
    • Delete on reboot
    • After that click on all files button
  • Copy the complete text in quote box below to the clipboard by highlighting the filepaths and pressing Control + C:

    C:\WINDOWS\system32\hlnahln.dll

  • Go to the File menu of Killbox, and choose Paste from Clipboard.
  • Click the Delete File button that is a red-and-white X. Click Yes at the Delete on Reboot prompt.
    Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.



Open HijackThis, Click Do a system scan only, checkmark these and press fix checked:

O2 - BHO: (no name) - {57BE69EF-EF95-414B-9FEB-92F6F0DCE916} - C:\WINDOWS\system32\hlnahln.dll
O20 - Winlogon Notify: qinckgml - C:\WINDOWS\SYSTEM32\hlnahln.dll





Post a fresh HijackThis log :)

#12 careless75

careless75

    New Member

  • Authentic Member
  • 17 posts

Posted 27 March 2007 - 03:43 PM

Hi Markka-

I ran Killbox again and this time got the message: PendingFileRenameOperations. Registry data has been removed by external process.

It did not shut down my computer after this message and prompted to be closed.

I also noticed that Killbox is making a copy of hlnahln.dll and saving it in Killbox folder.

Here's the log:

Pocket Killbox version 2.0.0.648
Running on Windows XP as Jason(Administrator)
was started @ Tuesday, March 27, 2007, 7:53 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\hlnahln.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 7:55:27 AM
# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\hlnahln.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 7:56:27 AM
Killbox Closed(Exit) @ 7:56:46 AM

HJT did not work either.

Here's the log:


Logfile of HijackThis v1.99.1
Scan saved at 4:30:30 PM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
C:\WINDOWS\System32\imapi.exe
D:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Autodesk\FlexLM\adskflex.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jason\Desktop\scanner.exe\scanner.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57BE69EF-EF95-414B-9FEB-92F6F0DCE916} - C:\WINDOWS\system32\hlnahln.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - Startup: systray.exe.lnk = C:\WINDOWS\system32\systray.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: systray.exe.lnk = C:\WINDOWS\system32\systray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.micro...jects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9602.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - https://music.msn.co...snmusax4331.cab
O20 - Winlogon Notify: qinckgml - C:\WINDOWS\SYSTEM32\hlnahln.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - D:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

I really appreciate your help and am very anxious to get this problem resolved.
Thanks, Jason
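Killbox's "Delete on reboot" option queues the file in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Killbox log above reports that queued entry being removed again before the reboot, which is why the file survives. As an added example, not from the thread or from Killbox, this Python script models that value's layout (source/destination pairs, empty destination = delete) and checks whether a queued deletion is still present; the live registry read is guarded so the rest runs on any platform.

```python
import sys

NT_PREFIX = "\\??\\"   # MoveFileEx stores paths in NT object form, e.g. \??\C:\...
VALUE_NAME = "PendingFileRenameOperations"
KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"


def to_nt_path(path):
    """Return the path in the \\??\\ form used inside the value."""
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def schedule_delete(entries, path):
    """Return a new MULTI_SZ list with a delete-on-reboot for `path` appended.

    The value is a flat list of source/destination pairs; an empty destination
    tells the session manager to delete the source at the next boot. This is
    what a "Delete on reboot" tool writes (MoveFileEx with DELAY_UNTIL_REBOOT).
    """
    return list(entries) + [to_nt_path(path), ""]


def parse_pending(entries):
    """Split the flat list into (source, destination, replace_existing) tuples.

    A destination beginning with '!' means MOVEFILE_REPLACE_EXISTING.
    """
    if len(entries) % 2:
        raise ValueError(f"{VALUE_NAME} must contain source/destination pairs")
    ops = []
    for src, dst in zip(entries[::2], entries[1::2]):
        replace = dst.startswith("!")
        ops.append((src, dst[1:] if replace else dst, replace))
    return ops


def is_delete_pending(entries, path):
    """True if a deletion of `path` is still queued (compared case-insensitively)."""
    want = to_nt_path(path).lower()
    return any(src.lower() == want and dst == ""
               for src, dst, _ in parse_pending(entries))


def read_live_value():
    """Read the real value on Windows; returns [] elsewhere or when it is absent."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        try:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            return []
    return list(value) if kind == winreg.REG_MULTI_SZ else []


if __name__ == "__main__":
    target = r"C:\WINDOWS\system32\hlnahln.dll"
    queued = schedule_delete([], target)
    print("queued:", queued)
    print("still pending:", is_delete_pending(queued, target))   # True
    # The Killbox log's "Removed by External Process" condition: the value is
    # emptied before the reboot, so the deletion never happens.
    print("after tampering:", is_delete_pending([], target))     # False
```

On the affected machine, comparing read_live_value() immediately after queuing and again a minute later shows whether something is clearing the queue, which is what the log timestamps above suggest.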


#13 Markka

Markka

    Advanced Member

  • Banned
  • 784 posts

Posted 28 March 2007 - 07:10 AM

Hello and sorry for the delay :)


Download VirtumundoBeGone by secured2k
http://secured2k.hom...mundoBeGone.exe
Save the file to your desktop
Close all running programs (including your Internet Browser)
Double-click VirtumundoBeGone.exe on the desktop
Read the introductory information, and then click Continue
Click Start
When asked if you want to continue, click Yes to run the fix
Click "Save Log"


Note: It is normal for the fix to terminate by producing a BLUE SCREEN OF DEATH, so don't be concerned when this happens. It requires you to manually reboot to restore your normal Windows desktop.

The log created by VirtumundoBeGone, called VBG.TXT, will be located on your desktop. Please retain VBG.TXT.

Empty Recycle Bin.

Reboot and "copy/paste" a new HijackThis log file along with the VBG.TXT into this thread.

#14 careless75

careless75

    New Member

  • Authentic Member
  • 17 posts

Posted 29 March 2007 - 12:57 PM

Hi Markka-

I downloaded and ran VirtumundoBeGone as instructed. It didn't seem to work. The log says file not found but hlnahln.dll is clearly still located in my system32 folder.

I also ran both virtumundo and HJT in safe mode, that didn't work either.

Just so you know, I've been noticing other similar files appearing in my system32 folder. I say they are similar because they are randomly named and have dll.bak files with them, just like the hlnahln.dll file. I have been removing these manually by renaming their extensions in safe mode and then deleting them on reboot. This has been successful with all of them except the hlnahln.dll. This has been going on since I first noticed the problem. Just thought you should know.

Also, what is that KernelFaultCheck file "dumprep 0 -k"; see HJT log, I've never seen it before and would like to get rid of it if it shouldn't be there.

Here's the VGB.TXT and the HJT log:

[03/29/2007, 13:31:11] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Jason\Desktop\VirtumundoBeGone.exe" )
[03/29/2007, 13:31:13] - Detected System Information:
[03/29/2007, 13:31:13] - Windows Version: 5.1.2600, Service Pack 2
[03/29/2007, 13:31:13] - Current Username: Jason (Admin)
[03/29/2007, 13:31:13] - Windows is in NORMAL mode.
[03/29/2007, 13:31:13] - Searching for Browser Helper Objects:
[03/29/2007, 13:31:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/29/2007, 13:31:13] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/29/2007, 13:31:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/29/2007, 13:31:13] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/29/2007, 13:31:13] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/29/2007, 13:31:13] - BHO 3: {57BE69EF-EF95-414B-9FEB-92F6F0DCE916} ()
[03/29/2007, 13:31:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/29/2007, 13:31:13] - Checking for HKLM\...\Winlogon\Notify\hlnahln
[03/29/2007, 13:31:13] - Key not found: HKLM\...\Winlogon\Notify\hlnahln, continuing.
[03/29/2007, 13:31:13] - Finished Searching Browser Helper Objects
[03/29/2007, 13:31:13] - Finishing up...
[03/29/2007, 13:31:13] - Nothing found! Exiting...


Logfile of HijackThis v1.99.1
Scan saved at 1:33:15 PM, on 3/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
C:\WINDOWS\System32\imapi.exe
D:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
D:\Program Files\Autodesk\FlexLM\adskflex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Jason\Desktop\scanner.exe\scanner.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57BE69EF-EF95-414B-9FEB-92F6F0DCE916} - C:\WINDOWS\system32\hlnahln.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - Startup: systray.exe.lnk = C:\WINDOWS\system32\systray.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: systray.exe.lnk = C:\WINDOWS\system32\systray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.micro...jects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9602.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - https://music.msn.co...snmusax4331.cab
O20 - Winlogon Notify: qinckgml - C:\WINDOWS\SYSTEM32\hlnahln.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - D:\Program Files\Autodesk\FlexLM\Lmgrd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - D:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Thanks Markka

#15 Markka

Markka

    Advanced Member

  • Banned
  • 784 posts

Posted 30 March 2007 - 09:01 AM

Also, what is that KernelFaultCheck file "dumprep 0 -k"; see HJT log, I've never seen it before and would like to get rid of it if it shouldn't be there.

That line is related to Windows, but you can fix that O4 line. But don't delete that file! :)


1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
    (How to extract (decompress) zipped or compressed files, help in the link here:
    http://www.lvsonline...ut/index.shtml)
2. Copy all the text contained in the bold below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\hlnahln.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57BE69EF-EF95-414B-9FEB-92F6F0DCE916}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qinckgml


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text you copied above to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of C:\avenger.txt into your reply along with a fresh HJT log.
