poppa jeff

IRCNite and Krap

Hi,

In my daily deep scan, in addition to cookies and riskware, a few varieties of IRCNite and Krap were found. In addition, when the scan was finished, I was asked to submit suspect files for deeper investigation. The files were c:\documents and settings\autoruns.exe, which I agreed to. An image of the request is attached. These were also submitted the last few days. I ran the requested scans. The quick scan did not reveal the problems found earlier, so I also attached the log of the earlier deep scan (a2scan_100727-150014.txt) below. My system has been running slow for a long time. It does not seem to be any worse now, but any advice would be appreciated.

Hi poppa jeff, welcome to the forum

The malware fighters will review your log files, but:

1) C:\Program Files\HP\Digital Imaging\bin\lffpx7.dll is a False Positive detection and was fixed already (update EAM)

2) cookies never represent threats;

3) Riskware is not necessarily dangerous, and Remote Access software is often flagged as Riskware – you can whitelist it in case you trust the software. Many vendors install it for remote support and other purposes

(as an example, C:\hp\bin\KillIt.exe is installed by Hewlett Packard (HP))

4) detections in the System Restore Point are inactive and can be used only by the System Restore feature

Antiviruses cannot manipulate data in that protected area. The only way to clean System Restore is to turn it off, reboot, and switch it back on.

After the log files are reviewed, you will be advised when & how to clean the Restore Point

If you are experiencing system misbehaviour, please briefly describe the symptoms

My regards

Hi Lynx, 'preciate the quick reply; good to know the info you gave in points #1, 2, 3 & 4. My real concerns are the items:

C:\hp\recovery\wizard\SWR_Wizard.exe detected: Backdoor.Win32.IRCNite.pl!A2

C:\hp\support\HPSysInfo.exe detected: Backdoor.Win32.IRCNite.pl!A2

C:\Program Files\Google\Google Earth\plugin\googleearth_free.dll detected: Backdoor.Win32.IRCNite.po!A2

C:\Program Files\GPLGS\gsdll32.dll detected: Backdoor.Win32.IRCNite.pl!A2

C:\Program Files\HP\Digital Imaging\bin\lffpx7.dll detected: Packed.Win32.Krap.hm!A2

I am patiently awaiting the malware fighters' input.

Thanks

jeff

Thanks for the reply, Jeff

As was pointed out, sure, the log files will be reviewed

At the same time, lffpx7.dll was an FP and should be fixed already – update & rescan

C:\Program Files\GPLGS\gsdll32.dll could be a legit file as well - Ghostscript, say belonging to a PDF converter

...etc. ...I don't have Google Earth installed currently so I cannot test

In any case, and irrespective of that, while you are waiting please submit the flagged files to Emsisoft developers as described in Submitting suspected False Positives for analysis

My regards

Hi Poppa Jeff, glad you left a message for me :) Please update EAM, run a quick scan and post that log with new logs from ISeeYouXP and HiJackFree. I'll have a look for you.

Hi Jean, the quick scan I ran earlier, before I updated, did not find anything; it probably won't now. I'll run it, then a full scan. Just read your comment... neighbor. Turned off Tea Timer.

thanks

jeff

Hi Jean,

As I expected, the quick scan did not find anything... I was asked again to submit suspect files for deeper investigation, as in my first post. The files were c:\documents and settings\autoruns.exe, which I agreed to. Logs attached. I will run a deep scan and post the log in the morning; it usually takes over an hour and it's getting late here.

thanks

jeff

Hi Jean,

I just noticed a new file on my desktop that was not there when I started this process. It is

"ehthumbs.db". Properties says it was created in 2006, but I know it hasn't been sitting on my desk until tonight. I scanned it and it wasn't malware, but can you tell me what it may be, and can it be deleted or put somewhere else?

thanks

jeff

To whom it may concern: I am working this thread and will delete/un-approve all interjections unless I have requested assistance. The conversation will now be between myself and Poppa Jeff.

This will explain thumbnails for you a bit more. I'm not sure why it showed up now, but it is harmless. What is most important for you to do at this point is get Service Pack 3 on your machine. I still have not fully examined all logs, but you need that Service Pack to survive on the WWW. Microsoft will not be supporting XP much longer, so a new system is also something to think about, but getting what you have fully updated is crucial.

I also notice you are running EAM and SpySweeper; running two active antimalware programs can cause system slowdown and actually get you infected, as they will 'fight' with one another.

Hi Jean,

'preciate your running interference on whoever was jumping in... Actually my Spy Sweeper just expired and one of the things I was going to ask was related, so thanks for the answer... I'll let it fall by the wayside... anything special I need to know to delete SpySweeper?

Here is the full scan I ran last night... I will update to SP3 on my XP. Thanks for the thumbnail info; apparently I was looking at my pictures to find a good one for my profile, so the images were opened. How can I get the file off my desktop and back where it belongs? If I delete it, will Windows recreate it later in the correct folder?

Thanks for the help

jeff

SpySweeper should uninstall with Add/Remove Programs. You may have a leftover folder in C:/All Users/your user name/application data, and Program Files. Using a program like CCleaner should find all the junk files and remove them. It is free even though they are asking for donations. After you have installed SP3, the System Restore points are showing some suspicious files... so delete those and create a new clean Restore Point.

Hi Jean,

A new situation developed... deleted Spy Sweeper, installed XP SP3. Almost installed: got to the point where it said "finishing installation performing cleanup" and hung there. I left it for dinner; two hours later, no change... My Computer properties still showed SP2 but Add/Delete showed SP3 installed. Shut it down (a mistake??) and attempted to reboot... would not boot in normal or last good configuration modes; started in Safe Mode with Networking... here I am. Checked, and My Computer properties shows SP3 installed. Well, I think that's all... any advice??? Should I run any scans?

thanks

jeff

:o I will ask one of my mentors. I have no idea why... can you use System Restore and go back to SP2? Running scans in Safe Mode is pointless. Have you tried to reboot again?

Let me ask around and do some Googling. If I don't get back to you tonight, I will tomorrow. Having a bit of a family emergency right now and my mind is just not working well.

OK, from what I find, AMD in particular does have issues. I had no idea and I'm so sorry. The other thing would be the slight possibility you do have malware.

This is a problem for anyone with an AMD processor. From what I read, the Registry Edit seems most popular, but you must read exactly, and I would back up the registry.

HP solution for XP SP3 Restart Bug:

* Boot Computer in Safe Mode

* Use Windows Explorer to browse to C:\Windows\System32\Drivers

* Right-click intelppm.sys and rename it to XXXintelppm.syx

* Restart Windows

If the computer is unable to boot into safe mode do the following:

* Press F8 during startup and load the Microsoft Windows Recovery Console

* Type the number that corresponds to your Windows installation

* Log in as an administrator

* Type cd c:\windows\system32\drivers at the command prompt

* Type rename intelppm.sys XXXintelppm.syx

* Restart Windows

The Microsoft fix for the Windows XP Service Pack 3 Restart Bug:

* Boot the Computer into Safe Mode

* Press Windows+R, type regedit, hit Enter

* Go to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Intelppm

* Right-click the Start entry in the right pane and select Modify

* Enter 4 in the Value Data box

* Close regedit, restart the computer

I still haven't spoken with anyone; I just found that, so if you want to wait for further confirmation I don't blame you.
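The two fixes above both amount to the same change: stop the Intel power-management driver (intelppm.sys) from loading on an AMD machine, either by renaming the file or by setting the Intelppm service's Start value to 4 (SERVICE_DISABLED). The following is an added example, not from this thread or from HP/Microsoft: a read-only Python check that reads the CPU vendor and the Intelppm Start value from the registry (standard-library winreg, Windows only) and reports whether the mismatch is present. It reads CurrentControlSet rather than the ControlSet001 named in the post, because CurrentControlSet is the link to whichever ControlSet00N is actually in use; the decision logic is a pure function so it runs on any OS with constructed inputs.

```python
"""Check for the XP SP3 / AMD 'intelppm.sys' restart-hang condition.

Added example. Reads two registry values via winreg (Windows only) and
applies the rule from the thread: on an AMD CPU the Intelppm service
should have Start = 4 (SERVICE_DISABLED). Nothing is written; the script
only reports what regedit would need to change.
"""
import sys

# Documented Windows service start type meaning "disabled"
SERVICE_DISABLED = 4

# CurrentControlSet is a symbolic link to the ControlSet00N selected in
# HKLM\SYSTEM\Select\Current, so it is the safe path whatever the number is.
INTELPPM_KEY = r"SYSTEM\CurrentControlSet\Services\Intelppm"
# Standard key holding the vendor string ("AuthenticAMD" / "GenuineIntel")
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"


def assess(vendor_id, intelppm_start):
    """Return (needs_fix, reason) for a CPU vendor string and Start value.

    intelppm_start is None when the Intelppm service key does not exist.
    """
    if vendor_id != "AuthenticAMD":
        return False, "not an AMD CPU; intelppm.sys is the right driver here"
    if intelppm_start is None:
        return False, "Intelppm service key absent; nothing to disable"
    if intelppm_start == SERVICE_DISABLED:
        return False, "Intelppm already disabled (Start = 4)"
    return True, ("AMD CPU with Intelppm Start = %d; set Start = 4 under "
                  "HKLM\\%s (export the key first as a backup)"
                  % (intelppm_start, INTELPPM_KEY))


def read_registry():
    """Read the two values from the live registry. Windows only."""
    import winreg  # ImportError on non-Windows platforms
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CPU_KEY) as key:
        vendor_id, _ = winreg.QueryValueEx(key, "VendorIdentifier")
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INTELPPM_KEY) as key:
            start, _ = winreg.QueryValueEx(key, "Start")
    except FileNotFoundError:
        start = None  # service key missing, e.g. driver already removed
    return vendor_id, start


if __name__ == "__main__":
    if sys.platform == "win32":
        vendor, start = read_registry()
    else:
        # Constructed sample input for a dry run on other platforms
        vendor, start = "AuthenticAMD", 3
    fix, why = assess(vendor, start)
    print(("FIX NEEDED: " if fix else "OK: ") + why)
```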

Hi Jean, hope your issue is resolved and family is OK. I haven't tried to use System Restore yet... I seem to recall when I was looking for SP3 info at MS, part of the install info said if necessary, SP3 can just be deleted with Add/Delete and it would go back to SP2??? The other info you found seems worth a try, but I won't do anything till I hear from you. Not tonight, maybe late on Thursday. Perhaps you will have more info then. I won't shut it down... just let 'er run with the screen off.

thanks

jeff

Hi Jeff, we think that fix will work just fine. You can uninstall SP3 via Add/Remove. That word delete makes me cringe because there is a huge difference between deleting and uninstalling lol.

There is quite a bit of info on the official MS site for preparing to install SP3. I have the same AMD 64 as you on a laptop. I don't use it much and have not put SP3 on it either :unsure: . You may have saved me from some great panic and frustration.

Family stuff is a wait and see, with the prospect of open heart surgery on Saturday.

I think if you do the regedit for SP3 you should be fine. Let me know.

Hi Jean, tried the Microsoft fix. In the regedit location (HKEY etc.) there was no ControlSet001. There was ControlSet, ControlSet002, ControlSet003. There was no Start entry in ControlSet; there was in ControlSet002, but I did not want to vary the process... I did the HP solution you gave me in your post and it appears to have solved the problem... booting OK.

So... I have not run any scans or run CCleaner since this SP3 adventure... or since I uninstalled SpySweeper. Should I not be running Tea Timer/Spybot resident at this point? If not, should I uninstall Spybot or just disable resident? Shall I run scans, ISeeYou, HiJackFree??

Anyway, 'preciate all your help so far.

Hope the wait and see re: fam works out... one of our grandkids recently had heart valve repair... went well, amen.

jeff

I don't think you need to run any scans. If you like Tea Timer, use it. It will interfere with malware fixes, which is why we turned it off. CCleaner is not a malware program; it cleans up junk files that are left behind from all sorts of different things. It is just amazing how much is accumulated in a short period of time. I run it every few weeks and it finds 300MB or more of junk files. Go through the settings carefully, and be prepared to have to re-enter saved passwords etc. I wouldn't use the registry cleaner unless you have a backup. It can be a bit too aggressive.

My cousin has so many other health problems from being a Vietnam vet and Agent Orange victim and that is why surgery is a major risk. Thanks for your concern.

Many infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep your EAM updated and scan regularly. You will also need at least one other scanning program; MBAM or SuperAntiSpyware are good, and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them.

A firewall and anti-virus are also essential. The Windows firewall in XP and Vista is not sufficient.

Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.

Spybot Search & Destroy – Be sure to immunize! This is the best feature of the program IMO.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

Web of Trust

hpHosts

The Windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic, and this is a must. I use and recommend Online Armor Free

Hope everything is running well for you and it stays that way.

Hi, not running well. Here's the latest. This afternoon I right-clicked my a2 icon in the systray and a popup said some files were not something (I think it said not current, not sure) and asked if I wanted to update (which I had auto-updated at 2:00pm). Said yes... it did. Then, and I may not have the sequence correct, the following occurred. Online Armor asked about a2 Emsi processes, which I allowed and trusted. I noticed in Process Explorer that instead of the usual 3 Emsi processes running, there was only 1: a2service.exe. My a2 icon in the systray had disappeared. a2 would not open from its icon in my security folder. And when I opened OA, my computer froze; I could not open or close programs, could not shut down... had to use the power button to shut down. Rebooted OK, still no a2 icon in the systray, no Emsi processes in Process Explorer... afraid to try to run from the shortcut icon... OA firewall seems to be running but no EAM. Haven't a clue...

thanks

jeff

OK, now that I posted the current situation, I will retry to open EAM and run a scan... before that I will run both ISeeYouXP and HJF and will post results.

jeff

Jeff, have you run CCleaner? I think you have too much stuff running; Adaware and SBS&D, pick one. I would dump Adaware; it's been a bloatware product for years now. Use it as a backup if you want, but not active.

I will go over logs thoroughly tomorrow; tonight I am out of it LOL and have some work that actually pays to do. :P

I don't think you ever had an infection. You had an F/P and too many resident programs running at once. There are some things that can be cleaned up and I will post them later.

OK sorry for taking so long, busy times.

Run HJF in scan only and put a check next to the following lines.

O2 - BHO: - AutorunsDisabled -

O2 - BHO: - Disabled:{0347C33E-8762-4905-BF09-768834316C61} -

O2 - BHO: - Disabled:{053F9267-DC04-4294-A72C-58F732D338C0} -

O2 - BHO: - Disabled:{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

O2 - BHO: - Disabled:{53707962-6F74-2D53-2644-206D7942484F} -

O2 - BHO: - Disabled:{724d43a9-0d85-11d4-9908-00400523e39a} -

O2 - BHO: - Disabled:{7DB2D5A0-7241-4E79-B68D-6309F01C5231} -

O2 - BHO: - Disabled:{9030D464-4C02-4ABF-8ECC-5164760863C6} -

O2 - BHO: - Disabled:{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -

O2 - BHO: - Disabled:{DBC80044-A445-435b-BC74-9C25C1C588A9} -

O2 - BHO: - Disabled:{E7E6F031-17CE-4C07-BC86-EABFE594F69C} -

O2 - BHO: - Disabled:{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} -

O2 - BHO: - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -

Put a check next to the above lines and click fix.

Non essential processes that will slow performance:

KBD.EXE present O4 - HKLM\..\Run: [KBD] "C:\HP\KBD\KBD.EXE"

You are running EAM and AdAware active at the same time; that will cause issues. Run only one active prevention shield type program. You have AdWatch and TeaTimer going. I think TeaTimer is of more value; ads can be blocked so many ways with fewer resources used. (Just not an AdAware fan anymore. Once it was king, now it's bloatware.)

Several of the services that are running could be turned off also and speed up things a bit. WinPatrol is great for exploring what you can turn off and what you need to let run.

I think we are done here though since there never really was malware.
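The O2 lines listed above are Browser Helper Object entries in HiJackThis-compatible log format: a name, a CLSID (or a Disabled:/AutorunsDisabled marker) and a DLL path, separated by " - ". The entries with no name and no path are registrations with nothing behind them, which is why they are clutter rather than malware. As an added example, not from the thread or from the HiJackFree/HiJackThis tools, here is a small Python triage that parses such lines and separates disabled leftovers and orphaned CLSIDs from BHOs that actually load a DLL. The sample log is constructed: it reuses three lines quoted in the post, one O4 line from the same post, and two made-up O2 entries (fictitious name, CLSID and path) for comparison.

```python
import re

# Constructed sample log (see lead-in); not a log from this thread.
SAMPLE_LOG = r"""
O2 - BHO: - AutorunsDisabled -
O2 - BHO: - Disabled:{0347C33E-8762-4905-BF09-768834316C61} -
O2 - BHO: - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {22222222-3333-4444-5555-666666666666} - (no file)
O4 - HKLM\..\Run: [KBD] "C:\HP\KBD\KBD.EXE"
"""

# Shape of an O2 line:  O2 - BHO: <name> - <CLSID or marker> - <path>
# The middle field is either a {GUID} (optionally prefixed, e.g. "Disabled:")
# or a bare word marker such as "AutorunsDisabled", as in the quoted export.
O2_RE = re.compile(
    r"^O2 - BHO:\s*(?P<name>.*?)\s*-\s*"
    r"(?P<clsid>(?:[A-Za-z]+:)?\{[0-9A-Fa-f-]{36}\}|[A-Za-z]+)"
    r"\s*-\s*(?P<path>.*)$"
)
# HiJackThis prints these placeholders where a field is empty.
MISSING = ("", "(no name)", "(no file)")


def parse_o2(line):
    """Parse one log line; return a dict for O2 (BHO) entries, else None."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    clsid = m.group("clsid")
    disabled = clsid == "AutorunsDisabled" or clsid.startswith("Disabled:")
    # Keep only the {GUID} part; bare markers carry no GUID at all.
    guid = clsid.split(":", 1)[-1] if "{" in clsid else None
    return {"name": m.group("name"), "guid": guid,
            "path": m.group("path"), "disabled": disabled}


def triage(log_text):
    """Classify every O2 entry as 'disabled', 'orphaned' or 'active'."""
    results = []
    for line in log_text.splitlines():
        entry = parse_o2(line)
        if entry is None:
            continue
        if entry["disabled"]:
            status = "disabled"   # inert leftover; removal is housekeeping
        elif entry["path"] in MISSING:
            status = "orphaned"   # CLSID registered but no DLL to load
        else:
            status = "active"     # loads into the browser; verify the DLL
        results.append((entry["guid"], status, entry["path"]))
    return results


if __name__ == "__main__":
    for guid, status, path in triage(SAMPLE_LOG):
        print("%-9s %-40s %s" % (status, guid, path or "-"))
```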

Hi Jean,

Running pretty good at this point. I disabled Ad-Aware, I ran HJF, don't see an option to run in scan only (as you suggested), nor could I find any results that look like the list you have in your last post. I do see those results when I save the log in HJT compatible format; please clarify this.

Did you mean that it is OK to run EAM and Tea Timer both active?

'preciate all your help, thanks

jeff

Hi Jeff,

You can use HJT to remove them; they are just clutter, no harm, no good. I don't think EAM and TeaTimer will conflict with each other.

I hope you did the updates sent out early from MS; they are critical.

You probably already do the regular maintenance of chkdsk and defragmenting to keep the system running smoothly. I notice fragmentation over 5% will make a difference in performance, and I always run the disk check first because some errors can't be fixed if they are compressed. I also run a registry cleaner when I think of it. :lol:

Hi Jean,

OK, that makes sense. I should use HJT, not HJF, to do the removal of the clutter. Yes, I do the MS updates as they are released. Have Diskeeper running regularly; I'll change that to on demand and run chkdsk first.

I have a number of utilities, get daily info from Giveaway of the Day and am exposed to lots of junk, but sometimes if they look good I take it... some I never run and should either use or uninstall. These are the ones I have; if you have the time to yea or nay them, you have certainly earned my trust:

CCleaner, thanks; Advanced System Care, Glary Utilities (never used), WinUtilities, and per your recommendation, WinPatrol. In Firefox, I use Web of Trust, Adblock Plus (uninstalled Ad-Aware), and NoScript. Anyway, seems to be running pretty good; now I just have to get into a good routine to run them all. Would this be the time to create a restore point and get rid of all the old ones??

Thanks again, jeff

(I guess after your response, we can close this topic (or whatever we do here).)

j

Hi Jean,

OK, that makes sense. I should use HJT, not HJF, to do the removal of the clutter. Yes, I do the MS updates as they are released. Have Diskeeper running regularly; I'll change that to on demand and run chkdsk first.

HJF should show the files as well, because that is where I got them from in that log, but whatever works for you. They are not malware, just cleaning up. Piriform (makers of CCleaner) have a defragging program too. I think not running Diskeeper active will increase your performance some also. Whatever you can shut down helps.

I have a number of utilities, get daily info from Giveaway of the Day and am exposed to lots of junk, but sometimes if they look good I take it... some I never run and should either use or uninstall. These are the ones I have; if you have the time to yea or nay them, you have certainly earned my trust:

CCleaner, thanks; Advanced System Care, Glary Utilities (never used), WinUtilities, and per your recommendation, WinPatrol. In Firefox, I use Web of Trust, Adblock Plus (uninstalled Ad-Aware), and NoScript.

I have not heard of Glary; ASC and WinUtilities are essentially the same thing. I would be cautious of the registry cleaner part of any program if you are using several. Is NoScript a Firefox add-on?

Anyway, seems to be running pretty good; now I just have to get into a good routine to run them all. Would this be the time to create a restore point and get rid of all the old ones??

Thanks again, jeff

Yes, now would be a good time to clean up Restore Points also. I look over the offerings at GAOTD too. LOL, free is my favorite kind of software.

(I guess after your response, we can close this topic (or whatever we do here).)

j

Hi Jean, I agree. Don't know if it is related to anything we did, BUT: I ran CCleaner to clean my restore points, set to remove all except the last 3 points... did not run System Restore first... afterward I tried to open System Restore and it will not open. I looked at the System Restore tab in "My Computer properties > System Restore" and found that System Restore is not shut off; it says monitoring. I have not tried to run System Restore since I began this topic... any advice?

thanks

jeff

Hi, went to the link

http://bertk.mvps.org/html/reinstall.html

His instructions seem to be for XP SP2; I have SP3... loaded just recently, and that may have been the beginning of this problem with System Restore.

I attempted to follow them, and there was a file needed...

SRCLIENT.DLL

Per his instructions, I looked in the c:\Windows\ServicePackFiles\i386 folder; it could not load from there.

He does have instructions for loading from the downloaded SP2 files. I DO have the SP3 self-extracting cabinet folder saved from my SP3 installation... should I try following the instructions he gives for SP2 using the SP3 folder??? Or should I go to his support forum and post there...

thanks

jeff

Hi Jeff, sorry for the delay. I've been really busy. This is no longer a malware issue, actually never was ;) but I don't have the time to see what is going on at another site etc. I would recommend you post there since they seem to have a fix.

You can always post at my site too, but let's keep this forum on topic.

It's been a pleasure Jeff, feel like I made a new friend. :D

Since this topic has been resolved I will now close it. If you have issues and need assistance please begin your own topic. The fixes and advice in this thread are for this user only and should not be used for any other machine.
