Jump to content

Build Theme!
  •  
  • Infected?

big grin WE'RE SURE THAT YOU'LL LOVE US!

We invite you to ask questions, share experiences, and learn. It's 100% free. Did we mention that it's free. It is. It's free. Join 91601 other members! Anybody can ask, anybody can answer. Consistently helpful members with best answers are invited to staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Trojans and Malware


  • This topic is locked This topic is locked
12 replies to this topic

#1 Aiken

Aiken

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 03 March 2007 - 10:50 AM

I have run Spybot and Adaware, followed by Hijack this. I would like to make sure everything is clean and bad trojans, etc. are all removed. If one of your experts would take a look at this log to make sure I got everything off that should be off, it would be most appreciated. I posted an earlier log about a week ago, but didn't pick up any advice at that time. Perhaps someone could help me finish this project. Thank you. Cary Aiken :wavey:

Logfile of HijackThis v1.99.1
Scan saved at 6:34:11 PM, on 3/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://start.earthlink.net/
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\RunOnce: [CF1DelUnicows] cmd /C del C:\DOCUME~1\Owner\LOCALS~1\Temp\unicows.dll
O4 - HKCU\..\RunOnce: [CF1DelEXE] cmd /C del C:\DOCUME~1\Owner\LOCALS~1\Temp\Customer-5.3.1.10.exe
O4 - HKCU\..\RunOnce: [CF1DelMsvcr] cmd /C del C:\DOCUME~1\Owner\LOCALS~1\Temp\msvcr71.dll
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{731B8C8F-1327-4071-9B27-57655939E8B4}: NameServer = 207.69.188.185,207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{731B8C8F-1327-4071-9B27-57655939E8B4}: NameServer = 207.69.188.185,207.69.188.186
O17 - HKLM\System\CS2\Services\Tcpip\..\{731B8C8F-1327-4071-9B27-57655939E8B4}: NameServer = 207.69.188.185,207.69.188.186
O17 - HKLM\System\CS3\Services\Tcpip\..\{731B8C8F-1327-4071-9B27-57655939E8B4}: NameServer = 207.69.188.185,207.69.188.186
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLinkSafeConnectAgent - Boingo Wireless, Inc. - (no file)
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: WinPPPoverEthernet - Unknown owner - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE (file missing)

    Advertisements

Register to Remove


#2 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 03 March 2007 - 03:53 PM

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free...mitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Post back with the smitfraudfix log and a new HijackThis log

#3 Aiken

Aiken

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 04 March 2007 - 07:24 PM

SmitFraudFix v2.147 Scan done at 20:17:30.29, Sun 03/04/2007 Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode hosts C:\ C:\WINDOWS C:\WINDOWS\system C:\WINDOWS\Web C:\WINDOWS\system32 C:\WINDOWS\system32\LogFiles C:\Documents and Settings\Owner C:\Documents and Settings\Owner\Application Data Start Menu C:\DOCUME~1\owner\FAVORI~1 C:\DOCUME~1\owner\FAVORI~1\Online Security Test.url FOUND ! Desktop C:\Program Files Corrupted keys Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="http://www.wabe.org/...es/main_bg.gif" "SubscribedURL"="http://www.wabe.org/...es/main_bg.gif" "FriendlyName"="" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl" [HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32] @="C:\WINDOWS\system32\gwquvw.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32] @="C:\WINDOWS\system32\gwquvw.dll" AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" pe386-msguard-lzx32-huy32 Scanning wininet.dll infection End

#4 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 05 March 2007 - 12:25 PM

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete... under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.
For Internet Explorer 4.x - 6.x
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
For Netscape 4.x and Up
  • Click Edit from the Netscape menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
  • Click Edit from the Mozilla menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.
For Opera
  • Click File from the Opera menubar.
  • Click Preferences... from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

Please post:
  • c:\rapport.txt
  • AVG-antispyware log
  • A new HijackThis log
Your may need several replies to post the requested logs, otherwise they might get cut off.

#5 Aiken

Aiken

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 08 March 2007 - 01:52 AM

Logfile of HijackThis v1.99.1
Scan saved at 2:43:20 AM, on 3/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\ADS\ADSService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://start.earthlink.net/
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{731B8C8F-1327-4071-9B27-57655939E8B4}: NameServer = 207.69.188.185,207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{731B8C8F-1327-4071-9B27-57655939E8B4}: NameServer = 207.69.188.185,207.69.188.186
O17 - HKLM\System\CS2\Services\Tcpip\..\{731B8C8F-1327-4071-9B27-57655939E8B4}: NameServer = 207.69.188.185,207.69.188.186
O17 - HKLM\System\CS3\Services\Tcpip\..\{731B8C8F-1327-4071-9B27-57655939E8B4}: NameServer = 207.69.188.185,207.69.188.186
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLinkSafeConnectAgent - Boingo Wireless, Inc. - (no file)
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: WinPPPoverEthernet - Unknown owner - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE (file missing)

#6 Aiken

Aiken

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 08 March 2007 - 01:54 AM

--------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 2:41:16 AM 3/8/2007 + Scan result: C:\backup\Program Files\yq0v8h4l\bshw3kyc.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined). HKU\S-1-5-21-436374069-1801674531-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} -> Adware.Generic : Cleaned with backup (quarantined). HKU\S-1-5-21-436374069-1801674531-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned with backup (quarantined). C:\System Volume Information\_restore{E62D106F-4745-409A-96B2-D2B3994C2AA9}(2)\RP45\A0017886.exe -> Downloader.Zlob.bjc : Cleaned with backup (quarantined). C:\System Volume Information\_restore{E62D106F-4745-409A-96B2-D2B3994C2AA9}(2)\RP45\A0017887.exe -> Downloader.Zlob.bjc : Cleaned with backup (quarantined). C:\backup\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream.a : Cleaned with backup (quarantined). :mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.247:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.30:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. C:\backup\Documents and Settings\Dianne Aiken\Cookies\dianne aiken@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned. C:\backup\Documents and Settings\Dianne Aiken\Cookies\dianne aiken@reciperewards.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned. :mozilla.116:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned. :mozilla.117:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned. :mozilla.60:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned. :mozilla.61:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned. :mozilla.72:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned. :mozilla.73:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned. :mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned. :mozilla.76:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned. :mozilla.77:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned. :mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned. C:\backup\Documents and Settings\Dianne Aiken\Cookies\dianne aiken@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned. :mozilla.64:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned. :mozilla.71:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Centrport : Cleaned. :mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Centrport : Cleaned. :mozilla.152:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Com : Cleaned. :mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned. :mozilla.63:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned. :mozilla.382:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned. :mozilla.423:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned. :mozilla.424:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned. :mozilla.425:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned. :mozilla.426:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned. :mozilla.80:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned. :mozilla.328:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned. :mozilla.329:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned. :mozilla.330:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned. :mozilla.89:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned. :mozilla.90:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned. :mozilla.91:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned. :mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned. :mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned. :mozilla.94:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned. :mozilla.95:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned. :mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned. :mozilla.97:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned. :mozilla.82:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Overture : Cleaned. C:\backup\Documents and Settings\Cary Aiken\Cookies\cary aiken@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned. C:\backup\Documents and Settings\Dianne Aiken\Cookies\dianne aiken@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned. C:\backup\Documents and Settings\Dianne Aiken\Cookies\dianne aiken@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned. :mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned. :mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned. :mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.65:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned. :mozilla.66:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned. :mozilla.67:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned. :mozilla.68:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned. :mozilla.69:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned. :mozilla.70:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned. :mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.19:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.52:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.87:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.88:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.101:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fvkhoirv.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned. ::Report end

#7 Aiken

Aiken

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 08 March 2007 - 01:55 AM

SmitFraudFix v2.147 Scan done at 22:32:36.76, Wed 03/07/2007 Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode SharedTaskScheduler Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl" [HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32] @="C:\WINDOWS\system32\gwquvw.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32] @="C:\WINDOWS\system32\gwquvw.dll" Killing process hosts Generic Renos Fix GenericRenosFix by S!Ri Deleting infected files C:\DOCUME~1\owner\FAVORI~1\Online Security Test.url Deleted Deleting Temp Files Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" Registry Cleaning Registry Cleaning done. SharedTaskScheduler After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll End

#8 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 08 March 2007 - 01:15 PM

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Then close all windows except HijackThis and click Fix Checked

Go here to run an online scannner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. Press on "Accept". After reading the contents.
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post back with the Kaspersky log and a new HijackThis log

Also, let me know how it running now

Edited by random/random, 08 March 2007 - 01:16 PM.


#9 Aiken

Aiken

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 09 March 2007 - 11:11 PM

I was unable to get Kaspersky to run. I would check accept, but it would not load. Something about security settings to medium and administrator rights. I was able to quarantine R-3. Things are working better. Is there an alternative to Kaspersky? I have spent well over 2 hours trying to get it to work, trying different settings, etc. to no avail. Here is my Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 12:06:36 AM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\ADS\ADSService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://start.earthlink.net/
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{731B8C8F-1327-4071-9B27-57655939E8B4}: NameServer = 207.69.188.185,207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{731B8C8F-1327-4071-9B27-57655939E8B4}: NameServer = 207.69.188.185,207.69.188.186
O17 - HKLM\System\CS2\Services\Tcpip\..\{731B8C8F-1327-4071-9B27-57655939E8B4}: NameServer = 207.69.188.185,207.69.188.186
O17 - HKLM\System\CS3\Services\Tcpip\..\{731B8C8F-1327-4071-9B27-57655939E8B4}: NameServer = 207.69.188.185,207.69.188.186
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLinkSafeConnectAgent - Boingo Wireless, Inc. - (no file)
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: WinPPPoverEthernet - Unknown owner - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE (file missing)

#10 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 10 March 2007 - 03:01 AM

Run Panda's ActiveScan from here and perform a full system scan.

1. Once you are on the Panda site click the
Scan your PC
button
2. A new window will open...click the big
Check Now
button
3. Enter your Country
4. Enter your State/Province
5. Enter your e-mail address and click send
6. Select either Home User or Company
7. Click the big Scan Now button
8. If it wants to install an ActiveX component allow it
9. It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
10. Click on
Local Disks
to start the scan
11. Post Panda scan results in your next reply

#11 Aiken

Aiken

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 10 March 2007 - 05:43 PM

I am sorry, but I am afraid I cannot get either panda or kaspersky towork. After spending about 5 hours now, I think it is time to give up on that line of inquiry. The active x was a problem. I think I fixed that, but only to find that my subscription anti-virus protection, PCC from EarthLink (a Norton product) is blocking the ability to run these alternate products. I think after many scans, I may be about ready to give up on getting a final scrubbing. My computer is working much better now, and I am most appreciative of your efforts. If you have any final words of advice that would incorporate the use of the PCC instead of some alternate product, please feel free to let me know. Otherwise, I think we may have gone as far with this as possible at this time. Thank you so much for you help.

#12 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 11 March 2007 - 06:17 AM

You now appear to be clean. Congratulations!

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  • Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot.

    Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.
    NOTE: only do this ONCE,NOT on a regular basis
  • Keep your antivirus and firewall updated
  • Keep windows up to date with the latest patches


    IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

    If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
  • Install spywareblaster
    Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
    kill bits
    in the registry, so that certain activex controls can't install.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster here here
    Make sure to update it on a regular basis
  • Install IE-SPYAD
    Dowload and instructions located here
    Make sure to update it on a regular basis
  • Use a HOSTS file
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button (at the lower left hand corner of your screen)
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then double-click it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click ok
  • Install and use Ad-aware & Spybot search & destroy
    Instructions are located here
    Make sure to update them on a regular basis
  • Most exploits are aimed at internet explorer, so I recommend you switch to an altenative browser
    Two good alternative browsers are
    Firefox
    Opera
    It is essential to update to the latest version of your browser, as the updates fix known security holes
  • Even if you do decide to switch to another browser, it is still a good idea to lock down Internet explorer
    This can be done by following these simple instructions:
    From within Internet Explorer click on the Tools menu and then click on Options.
    Click once on the Security tab
    Click once on the Internet icon so it becomes highlighted.
    Click once on the Custom Level button.
    Change the Download signed ActiveX controls to Prompt
    Change the Download unsigned ActiveX controls to Disable
    Change the Initialize and script ActiveX controls not marked as safe to Disable
    Change the Installation of desktop items to Prompt
    Change the Launching programs and files in an IFRAME to Prompt
    Change the Navigate sub-frames across different domains to Prompt
    Change the allow paste operations via script to Disable
    When all these settings have been made, click on the OK button.
    If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.
  • Clean out you temp file on a regular basis
    I use and recommend ATF Cleaner by Attribune
    To use it, follow these instructions
    • Double-click ATF-Cleaner.exe to run the program.
    • Click Main at the top and choose Select All from the list.
    • Click the Empty Selected button.
    If you use Firefox browser:
    • Click Firefox at the top and choose Select All from the list.
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser:
    • Click Opera at the top and choose Select All from the list.
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
  • Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date


#13 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 24 March 2007 - 09:37 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users