Virus Issues [RESOLVED]


This topic is locked.

#1 Wolfson (Member, 27 posts)
Hi. My anti-virus went haywire earlier today, detecting virus after virus with "Virus Attempting to Launch" prompts. Eventually, my desktop was being changed, my homepage was being changed, etc. so I did a System Restore.

Afterward, I scanned my system with my anti-virus and it found a bunch of adware programs and one virus, and it deleted them all.

Ad-Aware and Spybot each found a few things as well. I've run everything I can, but I want to make sure the system is completely clean.

Here's a log, and thanks so much for your help.

Logfile of HijackThis v1.99.1
Scan saved at 12:20:50 AM, on 9/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\EARTHL~1\PROTEC~1\ADSSER~1.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\EarthLink TotalAccess\ProtectionControlCenter\elnk_pcc.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] C:\Program Files\EarthLink TotalAccess\ProtectionControlCenter\elnk_pcc.exe /minimize
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ADSService - Aluria Software, LLC - C:\PROGRA~1\EARTHL~1\PROTEC~1\ADSSER~1.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~1\PROTEC~1\EFWPPS~1.EXE
O23 - Service: EarthLink Protection Control Center Service (ELNKService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~1\\PROTEC~1\ELNKServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
#2 Buckeye_Sam (Malware Expert, 10,019 posts)
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :whistling:
I apologize for the delay getting to your log; the helpers here are very busy.

Since it's been a few days, please post a fresh HijackThis log.
#3 Wolfson (Topic Starter, 27 posts)
Hi Sam. No problem at all, I appreciate the help and I do understand how busy you guys must get. Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 11:41:58 AM, on 9/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\EARTHL~1\PROTEC~1\ADSSER~1.EXE
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\EarthLink TotalAccess\ProtectionControlCenter\elnk_pcc.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] C:\Program Files\EarthLink TotalAccess\ProtectionControlCenter\elnk_pcc.exe /minimize
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [1] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Owner\LOCALS~1\Temp\acsuninstall.exe"
O4 - HKLM\..\RunOnce: [2] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Owner\LOCALS~1\Temp\AcsUninstallRes.dll"
O4 - HKLM\..\RunOnce: [3] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Owner\LOCALS~1\Temp\shfolder.dll"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ADSService - Aluria Software, LLC - C:\PROGRA~1\EARTHL~1\PROTEC~1\ADSSER~1.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~1\PROTEC~1\EFWPPS~1.EXE
O23 - Service: EarthLink Protection Control Center Service (ELNKService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~1\\PROTEC~1\ELNKServ.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
#4 Buckeye_Sam (Malware Expert, 10,019 posts)
I don't see any signs of an active malware infection, but there are a few things that we can clean up.

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your desktop) and click the Fix Checked button.

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Delete this file:

C:\Windows\ALCMTR.EXE

Reboot and post a new HijackThis log.
Let me know how your computer is running. Any problems or issues?
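The checklist in the reply above can be reproduced mechanically. The Python script below is an added example for this thread, not code from the original post or from HijackThis itself. It parses the R3/O2/O3/O9 and O4 lines of the v1.99 log format and flags the two patterns the helper acted on: registrations whose target reads "(no file)", meaning a CLSID is still registered as a URLSearchHook or BHO although its DLL is gone, and HKLM Run entries that name a bare executable with no directory, which Windows locates by search-path lookup rather than by an explicit path. The one entry the poster later could not remove is the R3 line whose CLSID is printed with a "~" where the opening brace should be; the script flags that malformed value separately. The sample lines are copied from the log posted above; the flagging rules are my reading of the helper's choices, not HijackThis logic, and a bare-name hit is a prompt to verify the file, not a verdict (SOUNDMAN.EXE, the Realtek audio applet that sits in C:\WINDOWS on this machine, is flagged alongside ALCMTR.EXE).

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example for this thread; not code from the original post or from
HijackThis. It flags two patterns the helper acted on above: registrations
whose file is gone ("(no file)") and Run entries that name a bare executable.
"""
import re

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunOnce: [1] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Owner\LOCALS~1\Temp\acsuninstall.exe"
"""

# COM-style entries: "<section> - <kind>: <name> - <clsid> - <file>".
# The CLSID group accepts a leading "~" so the malformed entry in the log still parses.
COM_RE = re.compile(r"^(R3|O2|O3|O9) - ([^:]+): (.*?) - ([{~][0-9A-Fa-f-]+\}) - (.*)$")
# Run/RunOnce entries: "O4 - <hive\..\key>: [<value name>] <command line>".
RUN_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")


def parse_line(line):
    """Return a dict for a recognised HJT entry, or None for any other line."""
    m = COM_RE.match(line)
    if m:
        section, kind, name, clsid, target = m.groups()
        return {"section": section, "kind": kind, "name": name,
                "clsid": clsid, "target": target}
    m = RUN_RE.match(line)
    if m:
        key, name, command = m.groups()
        return {"section": "O4", "kind": key, "name": name,
                "clsid": None, "target": command}
    return None


def executable_of(command):
    """Image a Run command launches: the quoted path if quoted, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(entry):
    """Reasons an entry deserves attention; an empty list means nothing noted."""
    reasons = []
    if entry["target"] == "(no file)":
        reasons.append("registered file is missing: dead COM registration")
    if entry["clsid"] is not None and not entry["clsid"].startswith("{"):
        reasons.append("CLSID is not a well-formed {GUID}: malformed registry value")
    if entry["section"] == "O4" and "\\" not in executable_of(entry["target"]):
        reasons.append("bare executable name: resolved by search-path lookup, verify the file")
    return reasons


def triage_log(text):
    """Map each flagged log line to its reasons, in log order."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        entry = parse_line(line) if line else None
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, reasons in triage_log(SAMPLE_LOG).items():
        print(flagged)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample it reports five lines: the three "(no file)" registrations the helper listed (the ~CFBFAE00 one with the extra malformed-CLSID note), plus the two bare-name Run values. Fixing a flagged line means removing the registry value, and, for a Run entry, the file it points to, which is what the helper asked for with ALCMTR.EXE.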
#5 Wolfson (Topic Starter, 27 posts)
OK, all done. The only thing is, one of the lines you listed won't delete. I tried it twice, rebooting after each try, and for some reason it still shows in a scan. I'll highlight it in the log:

Logfile of HijackThis v1.99.1
Scan saved at 6:14:39 PM, on 9/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\EARTHL~1\PROTEC~1\ADSSER~1.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\EarthLink TotalAccess\ProtectionControlCenter\elnk_pcc.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\w1fo36ps.default\extensions\{a4db76ad-4807-4957-b536-f9b8cf884c21}\components\ScamBlockerUpdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] C:\Program Files\EarthLink TotalAccess\ProtectionControlCenter\elnk_pcc.exe /minimize
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ADSService - Aluria Software, LLC - C:\PROGRA~1\EARTHL~1\PROTEC~1\ADSSER~1.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~1\PROTEC~1\EFWPPS~1.EXE
O23 - Service: EarthLink Protection Control Center Service (ELNKService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~1\\PROTEC~1\ELNKServ.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
#6 Wolfson (Topic Starter, 27 posts)
One more thing... I've been noticing a new window open in the task bar, then quickly disappear. The small icon on the window is just a white box, and the window has no title. It's been happening several times a day, I'm not sure what it could be.

Sorry I didn't mention this earlier, I didn't think much of it until I just saw it again and realized how many times I'd seen it now.
#7 Buckeye_Sam (Malware Expert, 10,019 posts)
That warrants a closer look.


Please download ComboFix and save it to your desktop.
Double-click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important note: do not mouse-click ComboFix's window while it's running. That may cause it to stall.
#8 Wolfson (Topic Starter, 27 posts)
Owner - 06-09-28 1:00:28.50 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Program Files\Mozilla Firefox"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0PM9UFA9\deskbar_e[1].exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0PM9UFA9\kybrdff_e[1].exe
C:\Program Files\Deskbar


((((((((((((((((((((((((((((((( Files Created from 2006-08-28 to 2006-09-28 ))))))))))))))))))))))))))))))))))


2006-09-24 01:59 90,112 --a------ C:\WINDOWS\unvise32.exe
2006-09-23 23:33 13,352 --a------ C:\WINDOWS\BigFixClientOverride.dll
2006-09-23 18:02 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2006-09-23 16:48 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2006-09-23 16:48 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2006-09-23 16:48 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2006-09-23 16:47 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2006-09-23 16:47 65,536 --a------ C:\WINDOWS\system32\HPZipm12.exe
2006-09-23 16:47 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2006-09-23 16:47 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2006-09-23 16:47 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2006-09-23 16:47 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2006-09-23 16:46 51,088 --a------ C:\WINDOWS\system32\drivers\hpzid412.sys
2006-09-23 16:46 491,520 --a------ C:\WINDOWS\system32\hphmon05.exe
2006-09-23 16:46 21,744 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2006-09-23 16:46 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2006-09-23 16:45 364,544 --a------ C:\WINDOWS\system32\hphped05.exe
2006-09-23 16:45 270,336 --a------ C:\WINDOWS\system32\HPZc3212.dll
2006-09-23 16:45 258,048 --a------ C:\WINDOWS\system32\hpzcon09.dll
2006-09-23 16:45 192,512 --a------ C:\WINDOWS\system32\hpzcoi09.dll
2006-09-23 16:45 135,224 --a------ C:\WINDOWS\system32\hpzlnt09.dll
2006-09-23 01:22 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-22 22:34 73,728 --a------ C:\WINDOWS\ALCFDRTM.EXE
2006-09-22 21:29 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2006-09-22 00:21 487,424 --------- C:\WINDOWS\RtlExUpd.dll
2006-09-22 00:21 294,912 --a------ C:\WINDOWS\HideWin.exe
2006-09-21 23:28 65,536 --a------ C:\WINDOWS\system32\ASE.dll
2006-09-21 23:28 65,536 --a------ C:\WINDOWS\system32\AluriaReg.dll
2006-09-21 23:28 56,432 --a------ C:\WINDOWS\system32\drivers\ADSFilter.sys
2006-09-21 23:28 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2006-09-21 23:16 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-09-21 23:14 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2006-09-21 22:59 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-09-21 22:58 67,072 --a------ C:\WINDOWS\POWERCFG.EXE
2006-09-21 22:58 543,232 --a------ C:\WINDOWS\zHotkey.exe
2006-09-21 22:58 532,544 --a------ C:\WINDOWS\PIC.dll
2006-09-21 22:58 36,864 --a------ C:\WINDOWS\ShowWnd.exe
2006-09-21 22:58 3,926 --a------ C:\WINDOWS\mHotkey.reg
2006-09-21 22:58 24,576 --a------ C:\WINDOWS\HKNTDLL.dll
2006-09-21 22:58 20,480 --a------ C:\WINDOWS\system32\Marker32.exe
2006-09-21 22:57 351,526 --a------ C:\WINDOWS\WBDDA34I.DLL
2006-09-21 22:53 91,136 -ra------ C:\WINDOWS\system32\msls2.dll
2006-09-21 22:53 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2006-09-21 22:53 81,408 --a------ C:\WINDOWS\system32\LFFAX11N.DLL
2006-09-21 22:53 76,288 -ra------ C:\WINDOWS\system32\PUBOLE32.DLL
2006-09-21 22:53 716,288 -ra------ C:\WINDOWS\system32\Ltwvc11n.dll
2006-09-21 22:53 59,392 --a------ C:\WINDOWS\system32\LFWMF11N.DLL
2006-09-21 22:53 56,320 --a------ C:\WINDOWS\system32\LFPSD11N.DLL
2006-09-21 22:53 54,784 -ra------ C:\WINDOWS\system32\msvci70.dll
2006-09-21 22:53 5,632 -ra------ C:\WINDOWS\system32\mfcuia32.dll
2006-09-21 22:53 41,472 -ra------ C:\WINDOWS\system32\lfgif11n.dll
2006-09-21 22:53 392,192 --a------ C:\WINDOWS\system32\LTKRN11N.DLL
2006-09-21 22:53 37,888 -ra------ C:\WINDOWS\system32\ochlp30e.dll
2006-09-21 22:53 36,864 --a------ C:\WINDOWS\system32\LFBMP11N.DLL
2006-09-21 22:53 33,280 --a------ C:\WINDOWS\system32\LFPCX11N.DLL
2006-09-21 22:53 31,744 -ra------ C:\WINDOWS\system32\hlp95en.dll
2006-09-21 22:53 31,232 --a------ C:\WINDOWS\system32\LFEPS11N.DLL
2006-09-21 22:53 285,184 --a------ C:\WINDOWS\system32\LFCMP11n.DLL
2006-09-21 22:53 27,648 --a------ C:\WINDOWS\system32\LFTGA11N.DLL
2006-09-21 22:53 262,656 --a------ C:\WINDOWS\system32\LTDIS11n.dll
2006-09-21 22:53 26,112 --a------ C:\WINDOWS\system32\LFPCD11N.DLL
2006-09-21 22:53 212,480 -ra------ C:\WINDOWS\system32\PCDLIB32.DLL
2006-09-21 22:53 172,032 -ra------ C:\WINDOWS\system32\Lfpng11n.dll
2006-09-21 22:53 152,064 --a------ C:\WINDOWS\system32\LFTIF11N.DLL
2006-09-21 22:53 133,904 -ra------ C:\WINDOWS\system32\mfcans32.dll
2006-09-21 22:53 127,488 --a------ C:\WINDOWS\system32\LTIMG11N.DLL
2006-09-21 22:53 118,784 -ra------ C:\WINDOWS\system32\ltfil11n.DLL
2006-09-21 22:53 1,233,920 --a------ C:\WINDOWS\system32\msxml4.dll
2006-09-21 22:52 53,248 --a------ C:\WINDOWS\system32\NeroCo.dll
2006-09-21 22:52 1,658,880 --------- C:\WINDOWS\UNNeroBurnRights.exe
2006-09-21 22:51 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2006-09-21 22:51 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2006-09-21 22:51 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2006-09-21 22:51 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2006-09-21 22:51 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2006-09-21 22:51 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2006-09-21 22:51 173,184 --a------ C:\WINDOWS\system32\ygpss.scr
2006-09-21 22:51 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2006-09-21 22:51 118,784 --a------ C:\WINDOWS\system32\Msstdfmt.dll
2006-09-21 22:51 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2006-09-21 22:51 102,400 --a------ C:\WINDOWS\system32\SimpleRegistry.dll
2006-09-21 22:51 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2006-09-21 22:50 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2006-09-21 22:50 54,784 --a------ C:\WINDOWS\system32\Inetwh32.dll
2006-09-21 22:50 1,044,480 --a------ C:\WINDOWS\system32\roboex32.dll
2006-09-21 22:47 90,112 --a------ C:\WINDOWS\SoundMan.exe
2006-09-21 22:47 9,697,280 --a------ C:\WINDOWS\RTLCPL.EXE
2006-09-21 22:47 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-09-21 22:47 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2006-09-21 22:47 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-09-21 22:47 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-09-21 22:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-09-21 22:47 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-09-21 22:47 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2006-09-21 22:47 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2006-09-21 22:47 40,960 --------- C:\WINDOWS\system32\ChCfg.exe
2006-09-21 22:47 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2006-09-21 22:47 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-09-21 22:47 2,951,680 --a------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
2006-09-21 22:47 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-09-21 22:47 2,805,248 --a------ C:\WINDOWS\ALCWZRD.EXE
2006-09-21 22:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-09-21 22:47 156,672 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
2006-09-21 22:47 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-09-21 22:47 14,396,416 --a------ C:\WINDOWS\RTHDCPL.EXE
2006-09-21 22:40 471,298 --a------ C:\WINDOWS\wallpg.exe
2006-09-21 22:36 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-09-21 22:36 26,496 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-09-21 22:36 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2006-09-21 22:35 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2006-09-21 22:35 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2006-09-21 22:35 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2006-09-21 22:34 7,168 --a------ C:\WINDOWS\system32\hccoin.dll
2006-09-21 22:34 26,624 --a------ C:\WINDOWS\system32\drivers\usbehci.sys
2006-09-21 22:27 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2006-09-21 22:27 685,056 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys
2006-09-21 22:27 39,018 --a------ C:\WINDOWS\system32\HSFCI011.dll
2006-09-21 22:27 24,064 --a------ C:\WINDOWS\system32\IntelNic.dll
2006-09-21 22:27 220,032 --a------ C:\WINDOWS\system32\drivers\HSFHWBS2.sys
2006-09-21 22:27 154,112 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2006-09-21 22:27 13,059 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2006-09-21 22:27 12,288 --a------ C:\WINDOWS\system32\e100bmsg.dll
2006-09-21 22:27 118,784 --a------ C:\WINDOWS\system32\Prounstl.exe
2006-09-21 22:27 1,041,536 --a------ C:\WINDOWS\system32\drivers\HSF_DP.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-28 00:59 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-27 18:52 -------- d-------- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
2006-09-27 14:07 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-27 13:37 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-09-27 13:37 -------- d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
2006-09-27 13:27 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-27 13:26 -------- d-------- C:\Program Files\CyberLink
2006-09-27 01:46 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-09-27 00:58 -------- d-------- C:\Program Files\Internet Explorer
2006-09-26 19:42 -------- d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-09-26 19:24 -------- d-------- C:\Program Files\Java
2006-09-26 17:39 -------- d-------- C:\Documents and Settings\Owner\Application Data\Real
2006-09-26 11:53 -------- d-------- C:\Program Files\Pure Networks
2006-09-26 11:53 -------- d-------- C:\Program Files\Common Files
2006-09-26 11:15 -------- d-------- C:\Program Files\Common Files\AOL
2006-09-26 10:05 -------- d-------- C:\Program Files\Common Files\Command Software
2006-09-25 13:08 4789 --a------ C:\Documents and Settings\Owner\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
2006-09-25 01:15 -------- d-------- C:\Program Files\Hewlett-Packard
2006-09-24 23:27 -------- d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2006-09-24 15:20 -------- d-------- C:\Program Files\MotionArtist 3.0
2006-09-24 15:20 -------- d-------- C:\Documents and Settings\Owner\Application Data\RelevantReach
2006-09-24 14:47 -------- d-------- C:\Documents and Settings\Owner\Application Data\Alien Skin
2006-09-24 14:35 -------- d-------- C:\Program Files\Alien Skin
2006-09-24 01:59 -------- d-------- C:\Program Files\SWiSHmax
2006-09-24 01:29 -------- d-------- C:\Program Files\DVD Shrink
2006-09-24 01:10 -------- d-------- C:\Program Files\SlySoft
2006-09-23 23:33 -------- d-------- C:\Program Files\BigFix
2006-09-23 22:55 -------- d-------- C:\Documents and Settings\Owner\Application Data\Opera
2006-09-23 20:26 -------- d-------- C:\Program Files\Adobe
2006-09-23 18:02 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-23 16:53 -------- d-------- C:\Program Files\OpenOffice.org 2.0
2006-09-23 16:50 -------- d-------- C:\Program Files\Overland
2006-09-23 16:50 -------- d-------- C:\Program Files\HP
2006-09-23 16:50 -------- d-------- C:\Program Files\Common Files\HP
2006-09-23 16:50 -------- d-------- C:\Documents and Settings\Owner\Application Data\Printer Info Cache
2006-09-23 16:50 -------- d-------- C:\Documents and Settings\Owner\Application Data\Image Zone Express
2006-09-23 15:58 -------- d-------- C:\Program Files\Bryce 5
2006-09-23 15:15 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-09-23 15:08 -------- d-------- C:\Program Files\WinRAR
2006-09-23 13:23 -------- d-------- C:\Program Files\LIUtilities
2006-09-23 13:23 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-09-23 00:41 -------- d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2006-09-23 00:24 -------- d-------- C:\Program Files\Curious Labs
2006-09-22 23:36 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun
2006-09-22 22:32 -------- d-------- C:\Documents and Settings\Owner\Application Data\ScamBlocker
2006-09-22 22:18 -------- d-------- C:\Program Files\Common Files\EarthLink
2006-09-22 22:15 -------- d-------- C:\Program Files\Windows NT
2006-09-22 21:40 -------- d-------- C:\Program Files\Messenger
2006-09-22 21:39 -------- d-------- C:\Program Files\Windows Media Player
2006-09-22 21:37 -------- d-------- C:\Program Files\Outlook Express
2006-09-22 21:37 -------- d-------- C:\Program Files\Common Files\System
2006-09-22 21:37 -------- d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2006-09-22 20:49 -------- d-------- C:\Program Files\XBox 360 Controller for Windows Software
2006-09-22 19:56 774144 --a------ C:\Program Files\RngInterstitial.dll
2006-09-22 19:56 -------- d-------- C:\Program Files\Real
2006-09-22 00:21 -------- d-------- C:\Program Files\Realtek
2006-09-21 23:56 -------- d-------- C:\Program Files\Lavasoft
2006-09-21 23:56 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-09-21 23:39 -------- d-------- C:\Documents and Settings\Owner\Application Data\EarthLink Toolbar
2006-09-21 23:38 -------- d-------- C:\Program Files\EarthLink TotalAccess
2006-09-21 23:37 -------- d-------- C:\Documents and Settings\Owner\Application Data\Earthlink
2006-09-21 23:29 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-21 22:58 -------- d-------- C:\Program Files\Digital Media Reader
2006-09-21 22:57 -------- d-------- C:\Documents and Settings\Owner\Application Data\SampleView
2006-09-21 22:54 -------- d-------- C:\Program Files\Microsoft Picture It! 9
2006-09-21 22:53 -------- d-------- C:\Program Files\Microsoft Works
2006-09-21 22:52 -------- d-------- C:\Program Files\Microsoft Office
2006-09-21 22:52 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-21 22:52 -------- d-------- C:\Program Files\Ahead
2006-09-21 22:51 -------- d-------- C:\Program Files\Viewpoint
2006-09-21 22:51 -------- d-------- C:\Program Files\QuickTime
2006-09-21 22:51 -------- d-------- C:\Program Files\Learn2.com
2006-09-21 22:51 -------- d-------- C:\Program Files\Common Files\Ahead
2006-09-21 22:51 -------- d-------- C:\Program Files\AOL Toolbar
2006-09-21 22:50 -------- d-------- C:\Program Files\Common Files\Real
2006-09-21 22:50 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-09-21 22:48 -------- d-------- C:\Program Files\MSN Encarta Plus
2006-09-21 22:48 -------- d-------- C:\Program Files\Microsoft Money
2006-09-21 22:47 -------- d-------- C:\Program Files\Common Files\Java
2006-09-21 22:42 -------- d-------- C:\Program Files\Intel
2006-09-21 22:40 -------- d-------- C:\Program Files\Common Files\New Boundary
2006-09-21 22:35 -------- d-------- C:\Program Files\CONEXANT
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"E6TaskPanel"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"CHotkey"="zHotkey.exe"
"SunKistEM"="C:\\Program Files\\Digital Media Reader\\shwiconem.exe"
@=""
"Earthlink Protection Control Center"="C:\\Program Files\\EarthLink TotalAccess\\ProtectionControlCenter\\elnk_pcc.exe /minimize"
"AlcFDMonitor"="C:\\WINDOWS\\ALCFDRTM.EXE"
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"HPHUPD05"="C:\\Program Files\\Hewlett-Packard\\\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\\hphupd05.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPHmon05"="C:\\WINDOWS\\system32\\hphmon05.exe"
"ShowWnd"="ShowWnd.exe"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,77,01,00,00,00,00,00,00,29,04,00,00,66,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,4b,00,00,00,00,00,00,00,55,05,00,00,66,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,4b,00,00,00,00,00,00,00,55,05,00,00,66,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HP Usg Daily.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job

Completion time: Thu 09/28/2006 1:01:26.98
ComboFix.txt

#9 Buckeye_Sam (Malware Expert, 10,019 posts)
It looks like Combofix deleted a few things for us, but otherwise your log is clean.

Do you still get that small window showing up?

#10 Wolfson (Topic Starter, Member, 27 posts)
Yeah, it's still coming up. I was hoping Combofix got it too.
#11 Buckeye_Sam (Malware Expert, 10,019 posts)
I think it may be from a program you have called BigFix. It's not a bad program, but it does hog a lot of resources unnecessarily when you have it running automatically at startup. You can try shutting it down or disabling it from running automatically and see if that solves it.

Do you still have the R3 line in your log that won't get fixed?

#12 Wolfson (Topic Starter, Member, 27 posts)
Unfortunately, that window still comes up after I exit BigFix. And yes, I still have that R3 line.

Sorry my PC is being so difficult, haha.

#13 Buckeye_Sam (Malware Expert, 10,019 posts)
If it wasn't difficult you wouldn't be here. :whistling:


Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"~CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.


Reboot and post a new hijackthis log.


Tell me more about this small window that pops up. How large is it? When does it pop up? How long does it last? What does it look like? Does it say anything?
Please give me as much detail as you can.

I'm still thinking that it's not malware, but I certainly haven't ruled it out completely.
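A small triage script for the kind of R3/O2/O20 HijackThis lines discussed in this thread, plus a generator and pre-merge check for the REGEDIT4 fix described in post #13. This is an added example and not code from the thread or from HijackThis; the function and constant names are my own, and the sample lines are copied from the log in post #14.

```python
"""Triage HijackThis R3/O2/O20 lines and emit the URLSearchHook fix as REGEDIT4 text.

Added example, not code from the thread. SAMPLE_LOG holds lines copied from the
HijackThis log posted in the thread; the function and constant names are my own.
"""
import re

# A well-formed CLSID is {8-4-4-4-12} hex digits wrapped in braces.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# R3 (URLSearchHook) and O2 (BHO) lines: "<type> - <kind>: <name> - <clsid> - <path>"
HOOK_RE = re.compile(r"^(R3|O2) - (?:URLSearchHook|BHO): (.*?) - (\S+) - (.*)$")
# O20 (Winlogon Notify) lines carry a DLL name instead of a CLSID.
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")

URLSEARCHHOOKS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks"

# Constructed sample: five lines taken from the log in post #14.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""


def triage(log_text):
    """Return (type, identifier, reason) for every entry that deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            typ, _name, clsid, path = m.groups()
            if not CLSID_RE.match(clsid):
                # The thread's R3 line: a '~' where '{' belongs, so the hook is junk.
                findings.append((typ, clsid, "malformed CLSID"))
            if path == "(no file)":
                findings.append((typ, clsid, "no file behind the hook"))
            continue
        m = NOTIFY_RE.match(line)
        if m and m.group(2).endswith("(file missing)"):
            # Orphaned Winlogon Notify entry: winlogon would load a DLL that is gone.
            findings.append(("O20", m.group(1), "file missing"))
    return findings


def build_urlsearchhook_fix(value_name):
    """REGEDIT4 text that deletes and recreates the HKCU URLSearchHooks key with one
    empty value, mirroring the fixme.reg in post #13. value_name is copied verbatim
    from the R3 line so the entry written matches what HijackThis reported."""
    lines = [
        "REGEDIT4",
        "",
        f"[-{URLSEARCHHOOKS_KEY}]",
        "",
        f"[{URLSEARCHHOOKS_KEY}]",
        f'"{value_name}"=""',
        "",
    ]
    return "\r\n".join(lines)


def check_reg_file(text):
    """Pre-merge sanity checks: REGEDIT4 must be the very first line (the post's
    'no blank line above it' rule), and every other line must be blank, a
    bracketed key, or a "name"=data value. Returns None when the file is clean."""
    lines = text.splitlines()
    if not lines or lines[0] != "REGEDIT4":
        return "first line must be REGEDIT4 with nothing above it"
    for ln in lines[1:]:
        is_key = ln.startswith("[") and ln.endswith("]")
        is_value = ln.startswith('"') and "=" in ln
        if ln and not (is_key or is_value):
            return f"unexpected line: {ln!r}"
    return None


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
    reg = build_urlsearchhook_fix("~CFBFAE00-17A6-11D0-99CB-00C04FD64497}")
    print(reg, check_reg_file(reg))
```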

#14 Wolfson (Topic Starter, Member, 27 posts)
As far as that window goes, the only thing I ever see is it opening in the taskbar. Since I usually have a Firefox window or another program open, I'm not sure what the actual window looks like. I assume it opens behind whatever other windows I have open.

As far as what it looks like in the taskbar, say I have a Firefox window open for instance. In the taskbar, the Firefox window has the Firefox logo as well as the title of the webpage in it. This mysterious window has just a white square where the Firefox logo would be, and no title at all. And it stays open for something like two seconds, then disappears.

I've tried running every Anti-Spyware program I have and they're all coming up clean. However, I ran the trial of XoftSpy and it found something called IEPlugin. It listed it as Malware. XoftSpy wouldn't clean it, however, without me buying the program. Maybe that's the issue?

Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 1:42:50 PM, on 9/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\EARTHL~1\PROTEC~1\ADSSER~1.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\EarthLink TotalAccess\ProtectionControlCenter\elnk_pcc.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\1159598912\ee\AOLSoftware.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
c:\program files\common files\aol\1159598912\ee\aim6.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink TotalAccess\ProtectionControlCenter\elnk_pcc.exe" /minimize
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1159598912\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ADSService - Aluria Software, LLC - C:\PROGRA~1\EARTHL~1\PROTEC~1\ADSSER~1.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~1\PROTEC~1\EFWPPS~1.EXE
O23 - Service: EarthLink Protection Control Center Service (ELNKService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~1\\PROTEC~1\ELNKServ.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

#15 Wolfson (Topic Starter, Member, 27 posts)
OK, I ran BitDefender's online scanner and it found 9 files. It couldn't disinfect them but it deleted them. They were:

Trojan.Downloader.Adload.DW
Dropped.Trojan.Clicker.VB.BX
Trojan.Clicker.VB.FN
Trojan.Clicker.VB.FN
Trojan.Clicker.VB.FN
Trojan.Downloader.Dyfuca.EY
Trojan.Downloader.Dyfuca.EY
Trojan.Downloader.Dyfuca.EY
Trojan.Downloader.Adload.DX

It said there was a total of 6 viruses. I got the window a minute or so after the scan, but maybe I have to reboot for it to take fully.