[Don Stewart]

Earthlink Security Center scan has identifed WinMoviePlugIn, among a few other threats, and although I delete them, they remain.
All indicators show that I'm connected to the internet, yet keep getting error page (Earthlink home page) not available or can't locate server.
Is WinMoviePlugIn causing this and how can I fix it so that I can get on line with my "HOME" computer and get to HiJackThis etc? Thx

[Advertisements]

Hello Don

Please post a fresh HJT log and I'll take a look.

[Crustyoldbloke]

Hello Don

Please post a fresh HJT log and I'll take a look.

[Don Stewart]

Is it possible to get a HJT log without being on the internet? Remember this is my home PC with the problem, not my work laptop that I'm using to communicate with you right now.
So since I can get onto the internet, but can't locate a server, is it possible to do a HJT on my home PC without the internet and maybe copy it to a CD...bring it to work and send it to you via my work laptop?

[Crustyoldbloke]

Yes, it is possible Don, provided that you have HJT on your home PC.

It is merely a snap shot of certain areas of your registry often used by malware.

Please also try this on your home PC since it may not be malware at all and just a DNS problem.

How to flush out old DNS entries on your computer:

1. Open the start menu and click on the Run icon.

2. In the "Run" dialog box type in command then click OK.

3. This should open up a black box with a command line, if not make sure you spelled "command" correctly.

4. At the command line type in ipconfig /flushdns and press enter.

5. You should get a confirmation that says "Windows IP Configuration Successfully flushed the DNS Resolver Cache"

6. If you don't get this confirmation double check your spelling of "ipconfig /flushdns".


Renewing your IP address in WinXP, Win2000, or WinNT

Go to START > RUN > type in CMD > hit ENTER

At the prompt, type in cd\ > hit ENTER

At the prompt, type in ipconfig /release > hit ENTER

At the prompt, type in ipconfig /renew > hit ENTER

Wait for about 10 to15 seconds, after which you can close the window. Then, open your internet browser

NB. If you still do not have internet access, try restarting your computer and opening your internet browser again.

[Don Stewart]

How can I get HJT on my home PC? Is there a site that I can download to a CD here at work and then load to my home PC?

[Don Stewart]

Note: I have Earthlink Total Access dial-up only, if that makes a difference regarding DNS.

[Crustyoldbloke]

Yes you can get HJT from here in a set up file that will install itself correctly. Print off this page and take it home woth you.

Click here to download HJTsetup.exe

• Save HJTsetup.exe to your desktop.
• Doubleclick on the HJTsetup.exe icon on your desktop.
• By default it will install to C:\Program Files\HijackThis.
• Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
• Put a check by Create a desktop icon then click Next again.
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch HijackThis.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

As far as I know, Earthlink is no different to any other ISP

[Don Stewart]

Thx....downloading virus scan software is painfull, at best, when using dial-up. What possible future required software would you like me to download to a CD here at work, along with HJT?

Edited by Don Stewart, 07 February 2007 - 04:16 PM.

[Crustyoldbloke]

I don't know until I have seen a HJT log. It may not be malware.

[Don Stewart]

OK, I will do the DSN check and if that doesn't fix it I'll run HJT for you.

[Don Stewart]

Forgot to mention, since I thought WinMoviePlugIn was a dialer virus, that here are the other virus's? that Earthlink Protection Center found and keep coming back after I deleted them:

CoolWebSearch
TransPonder.Bolger
EliteMediaPopUp
SearchSquire
SpywareQuake

Edited by Don Stewart, 07 February 2007 - 05:21 PM.

[Crustyoldbloke]

Nice stuff! Some old friends in that list.

[Don Stewart]

1st lets start with the DNS issue: Got through the 6 steps to "Flush", but had the following error when "Renewing" : after steps CMD & cd\ when I input ipconfig /release and ipconfig /renew got the following error message:

Windows IP config. (followed by)
No operation can be preformed on local area connection while it has its media disconnected

Then proceded with HJT, but please note that I printed a lot of material on this subject and when I got home, I could not find your HJT instructions that you told me to follow.........sorry, but hopefully this is a start.

This is what the file contains, as it would not let me add the hijackthis.log so I copied and pasted:


Logfile of HijackThis v1.99.1
Scan saved at 22:39, on 07-02-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
C:\Program Files\Common Files\ADS\ADSService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120883553468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156023856312
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://casinoclassi...sic/FlashAX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe" EarthLinkSafeConnectAgent (file missing)
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe

Edited by Don Stewart, 08 February 2007 - 09:25 AM.

[Crustyoldbloke]

Hello again Don

The HJT log looks quite good, just a couple of minor adjustments necessary.

I am going to say that I don't think your problem is malware. I fully realise that just because malware is not visible doesn't mean its not there, but I can normally see some malware activity.

The error message your are getting from renewing your IP address is because it is not connected. It is asking to be connected in order to find a new IP address from your ISP.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://casinoclassi...sic/FlashAX.cab

Click on Fix Checked when finished and exit HijackThis.

My advice, now, would be to post a topic in the Browser and email forum: http://www.geekstogo..._Email-f26.html

However, if you wish to continue with malware aforethought, then I am quite willing to analyse logs. I think I would next ask for a good malware scan and a rootkit scan. Here are the instructions for both and I'll leave it up to you to decide what you want to do at this stage.

Please download to your desktop:AVG AntiSpyware
AVG Anti-Rootkit Beta

Double click the Anti-Rootkit Beta file to install it. Accept the licence and follow the prompts to install and reboot. After rebooting, you should see the icon for AVG Anti-Rootkit Beta on your desktop. Double click it to open the programme. You will see a window with 3 buttons at the bottom of it. Click Search For Rootkits and the programme will start a scan, you will see the progress bar moving from left to right, but it may appear that the programme is frozen and not doing anything, this is normal, please be patient. When the scan is complete, a small window will open alerting you to the result. If anything was found, click Save Result To File and post that in your reply.

If nothing was found, please click the Perform in-depth Search saving anything found to file as before.

--------------------------------------

Please install, and update AVG Anti Spyware

• Load AVGas and then click the Update tab at the top. Under Manual Update click Start update.
  
• After the update finishes (the status bar at the bottom will display "Update successful")
  
• Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  
• Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  
• Under "Reports"
• Select "Automatically generate report after every scan"
• Deselect "Only if threats were found"
• Close AVGas. Do not run it yet.

Next, please reboot your computer in Safe Mode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

• In Safe Mode, load AVGas and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  
• AVGas will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVGas will display "All actions have been applied" on the right hand side.
  
• Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
  
• Please ensure you post that log in your reply.

[Don Stewart]

So if I understand this:

My advice, now, would be to post a topic in the Browser and email forum: http://www.geekstogo..._Email-f26.html

You would like me to add a new topic in the "Brower forum" to reslove my Internet connection problem? They are the experts to help resolve: "It is asking to be connected in order to find a new IP address from your ISP."

Think I need to resolve my internet connection problem and then continue with your virus scan....appreciate your help.

Edited by Don Stewart, 08 February 2007 - 10:19 AM.