Please Help With Possible Infection And New Security Programs


  • This topic is locked
No replies to this topic

#1 ohdearohdearohdear

Posted 26 August 2007 - 11:51 AM

Thank you in advance for any help you can give. I apologize if this is convoluted.

I am worried because there have been recent changes in the way my dialup internet connection works. I have been wrestling with this myself for a while and am afraid I may have added to the problem rather than helping myself. I am hoping you can help me sort this out.

Just as background, I used AVG anti-spyware in the past, but recently realized I probably should not have been using it along with Norton Internet Security? I was using AVG Anti-Spyware, Norton Internet Security, Windows Defender, Ad-Aware SE and Adwatch, and Spybot SD (without realtime protection). A few weeks ago, AVG identified an infection with "dropper.small" and removed it. Then the computer seemed to work okay for a while.

A few days ago, the computer slowed down terribly. I use Earthlink dialup connection to the internet, and it kept disconnecting randomly. I quit using Earthlink accelerator, because I'd had concerns for a while that it was connecting lots of places it wasn't supposed to, like the Massachusetts Institute of Technology. I still kept getting knocked off. In addition, the computer started "waiting" for a long time before connecting to internet sites. Loading pages took a very long time. I ran Hijack This and noticed that a bunch of Symantec files had the notation "file missing" next to them. I tried to correct these, but the same notations were there.

Then I could not connect to the internet at all. I contacted Earthlink, and they helped me delete my dialup connection and build a new one. In the process, the Earthlink representative had me disable the setting of using a proxy server to connect to the internet. After I hung up and tried to reconnect, I again could not get on. I checked my settings, and they were set to use a proxy server again. I unchecked the proxy server box and was able to reconnect, but still slowly.

I tested connecting to the internet through the Earthlink task panel and through the network connections box. Either way, I kept getting disconnected. I noticed that if I connected through the task panel, I could not disconnect by using the task panel disconnect command. The task panel would make the disconnect sound and show that I was disconnected, but the network connections box kept saying I was still connected. I had to go into the network connections box and hit disconnect.

I used system restore to restore my computer to an earlier state. The first date I used wasn't much help. I tried an earlier date, and things did seem better. However, the "file missing" notations were still on the Hijack This log.

I could connect to the internet but had to go into the internet properties box each time and uncheck the box saying to use a proxy server. Then I found that I could not disconnect from the internet through the task panel OR the network connections box. If I tried to open Internet Explorer, I got an error message about not being connected to the internet. However, if I tried to reconnect, I got an error message saying that the port was already in use by another application. I clearly was still connected to the internet, because programs other than Internet Explorer were receiving information (e.g., internet answering machine). I tried logging off and logging back on, but the problem persisted. I was clearly connected, but I could not disconnect, and I could not get on Internet Explorer. I had to shut down the computer and reboot before connecting again, disabling the proxy server, and going into IE.

At one point I uninstalled and reinstalled Norton to see if the missing files would come back. I used the Norton Removal Tool from MajorGeeks.org. I noticed after I uninstalled Norton that a Symantec file (core application?) remained on my system. I reinstalled Norton Internet Security.

I continued to have the same problem with connecting to the Internet and being unable to disconnect. While running my mouse over the Earthlink Task Panel icon in the system tray, I noticed a message that said "Always On" Connection. I had never seen that notation before.

Also, I noticed that I now have a NEW icon in the system tray for my internet connection. In the past, there was only an Earthlink TaskPanel icon and a disabled LAN connection icon (the picture of two monitor screens with an X over them). Now there is also ANOTHER network connection icon (the two screens, which light up to reflect traffic over the network), that is labeled as my Earthlink dialup connection. In other words, I now seem to have two icons for the Earthlink dialup network connection--one through the task panel and one that looks like a regular network connection icon.

I decided that I wanted to get rid of Symantec/Norton Internet Security Suite and go with AVG Internet Security instead. I uninstalled Norton again. I was stupid and did not run the recommended virus scan or uninstall AVG Anti-Spyware before upgrading to the full AVG Internet Security suite (which includes the AntiSpyware I already had). While I was installing the AVG Internet Security suite, I got an error message:

"Warning--Action Failed for registry value HKLM\Software\Classes\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}:409:creating registry value Access is Denied (5)"

I googled the number and found something on Techguy.org saying to delete the registry value. I deleted it. However, AVG was already installed.

I got a notice from AVG firewall that the Earthlink Task Panel was trying to connect to the internet all by itself, even though I had not told it to. I denied it for that instance.

However, I then connected to the internet through the task panel on purpose. I allowed it to connect. I started getting firewall messages to allow or disallow programs from connecting. I allowed my Earthlink address to connect, which put me on the internet. However, I blocked Earthlink IP Client from connecting, and I blocked MailSvr.exe from connecting. I was able to connect to the internet just fine without these. The MailSvr program I have been suspicious of for a while, maybe without reason. However, it has often been running when I could not disconnect, even before all these problems started. My Earthlink mailbox (Mailclnt.exe) seems to work just fine without MailSvr.exe.

The AVG Firewall has been asking me to allow or deny certain things, and I have no earthly clue what I am doing. I am asking for help in configuring my firewall and figuring out if there are connections being made that shouldn't be made.

When I open "Configure" on the firewall, this is what I see:

All Local Interfaces
--WAN (PPP/SLIP) Interface*
--Intel® PRO/1000 MT Network Connection - Packet Scheduler Miniport*
--All Dial-up Connections*
----Earthlink (my dialup account)*
All Network Areas

All the entries where I have put an asterisk give me an option of choosing "allow all," "block all," "standalone computer," or "unassigned." I have no idea what I am supposed to do, and when I read the AVG manual it sounds like Greek to me.

Can you please help me figure out if I have a problem, and how I should configure this firewall?

Thank you so much in advance for any help you can give me!

P.S. When you respond, please speak as though you are talking to a first grader. I am totally lost here. Thank you!!!!
Virginian17

P.S. Here is my Hijack This log. However, I can't remember if I have rebooted since deleting that registry value I posted above. Thanks again, and sorry if this is convoluted or if I gave way too much information. I am just not sure what is necessary and what isn't, so I tried to tell you everything.



Logfile of HijackThis v1.99.1
Scan saved at 1:43:42 PM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1166216676625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185733299625
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoft...5/asproinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9D6914E-7A18-4E30-AFAE-22C322B11946}: NameServer = 207.69.188.185 207.69.188.186
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
