MyWay, MyWeb and other infections

#1 Guest_fuzzywuzzy6_*


  • Guests

Posted 03 March 2009 - 03:01 PM

(NOTE TO WHOEVER TAKES ON THIS MESS: It is not necessary to post all the info on the problems; please feel free to edit).

E-machines T3508 desktop PC; Intel Celeron D Processor 356. Windows XP SP3; preferred browser Firefox 3.05.

Avira PE Classic not functioning at all, even after re-install and re-name; Malwarebytes shows no infection after re-install and re-name. Task manager was severely infected, but still does not show all pop-ups. Connectivity was lost, but repaired by ISP. Constantly changing program files; install lists and folders do not agree. Programs I do not recognize. Not able to function as administrator for many functions.

Some problems may be due to adding Windows Live functions and needing more memory.

Re-installed Spybot S&D: had to ignore chai.dll, fennel.dll, mate.dll and atipi (?).dll to install. 2 other PUPSC infections were found and removed (My Way, My Web). Trend Micro Housecall 6.5 (run Sunday) showed only 2 infections, which were removed: ADWARE_180 SOLUTIONS and ADWARE_MEMWATCHER. This seemed to improve Spybot's performance. Tried to access log files for Housecall, could not because:

All browsers now hijacked; the Trend Micro Housecall Google bookmark in Firefox also takes me to bogus sites, even with the address pasted into different browsers.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Stinkiebits3 at 9:57:21.85 on Tue 03/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.367.78 [GMT -8:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
AV: EarthLink Antivirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe
C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://start.earthlink.net
BHO: ElnkBhoGuard Class: {00000000-0000-0000-0000-000000000002} - c:\program files\earthlink totalaccess\toolbar\EScamBlk.dll
BHO: ElnkScamBHO Class: {15f4d456-5baa-4076-8486-eecb38cd3e57} - c:\program files\earthlink totalaccess\toolbar\EScamBlk.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: ElnkPubBHO Class: {512acf1b-64d9-4928-b382-a80556f28db4} - c:\program files\earthlink totalaccess\toolbar\ElnkPuB.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: IE_PopupBlocker Class: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\program files\earthlink totalaccess\accelerator\prpl_IePopupBlocker.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ElnkProtectionBHO Class: {9579d574-d4d8-4335-9560-fe8641a013bd} - c:\program files\earthlink totalaccess\toolbar\ProtctIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: ElnkLegacyUninstBHO Class: {e713904c-df05-4c79-bbad-02db923253be} - c:\program files\earthlink totalaccess\toolbar\uninsttb.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: EarthLink Toolbar: {c7768536-96f8-4001-b1a2-90ee21279187} - c:\program files\earthlink totalaccess\toolbar\Toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SpySweeper]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [E6TaskPanel] "c:\program files\earthlink totalaccess\TaskPanl.exe" -winstart
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [HostManager] c:\program files\common files\aol\1147794822\ee\AOLHostManager.exe
mRun: [IPInSightMonitor 01] "c:\program files\earthlink totalaccess\fastlane2\IPMon32.exe"
mRun: [IPInSightLAN 01] "c:\program files\earthlink totalaccess\fastlane2\IPClient.exe" -l
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [Cobian Backup 8 interface] "c:\program files\cobian backup 8\cbInterface.exe" -service
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\Secunia PSI.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: EarthLink Google Search - c:\program files\earthlink totalaccess\toolbar\SearchUI.dll/search.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_11.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\earthlink totalaccess\accelerator\prplsf.dll
DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} - hxxp://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219105661203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219446964812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {20EAB693-E624-4F43-9B40-D01CE5B848F2} =,
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\kn0cjkdh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\kn0cjkdh.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL

user_pref('capability.policy.policynames', 'localfilelinks');user_pref('capability.policy.localfilelinks.sites', 'hxxp://www.webmynd.com http://www.google.com');user_pref('...ri.enabled', 'allAccess');

============= SERVICES / DRIVERS ===============

R0 GRFILTER;CS NDIS Driver;c:\windows\system32\drivers\GRFilter.sys [2007-4-11 22528]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-11-3 11840]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\earthlink totalaccess\wengine\wmonitor.exe [2005-1-26 65604]
R2 GRTdiMon;GR TDI Mon;c:\windows\system32\drivers\GRTdiMon.sys [2007-4-11 42496]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-26 14336]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
S2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-11-3 68865]
S2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-11-3 151297]
S3 ADSFilter;ADSFilter - (EarthLink Filter Driver);c:\windows\system32\drivers\ADSFilter.sys [2007-8-3 57456]
S3 AuthFw;AuthFw;c:\program files\authentium\firewall sdk\AuthFw.exe [2007-4-5 495616]
S3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-11-3 52032]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-1 17536]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\cdavfs.sys --> c:\windows\system32\drivers\CDAVFS.sys [?]
S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;\??\c:\program files\earthlink\earthlink protection control center\sana\driver\platform_xp\safeconnectdriver.sys --> c:\program files\earthlink\earthlink protection control center\sana\driver\platform_xp\SafeConnectDriver.sys [?]
S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;\??\c:\program files\earthlink\earthlink protection control center\sana\driver\platform_xp\safeconnectfilter.sys --> c:\program files\earthlink\earthlink protection control center\sana\driver\platform_xp\SafeConnectFilter.sys [?]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-12-26 30192]
S3 MailScan;MailScan;\??\c:\progra~1\avanqu~1\fix-it\mailscan.sys --> c:\progra~1\avanqu~1\fix-it\MailScan.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-11-18 7808]

=============== Created Last 30 ================

2009-03-03 09:49 368,961 a------- c:\program files\dds.scr
2009-03-01 16:31 <DIR> --d----- c:\program files\Cobian Backup 8
2009-03-01 16:29 8,499,200 a------- c:\program files\cbSetup8.exe
2009-03-01 14:32 46,592 a------- c:\windows\system32\hpzll43a.dll
2009-03-01 13:00 1,042,908 a------- c:\windows\system32\home HP infrared port
2009-03-01 12:44 50,688 a------- c:\program files\ATF-Cleaner.exe
2009-02-27 20:23 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-27 20:23 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-27 20:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-26 08:14 360,481 a------- C:\updatedatfix.zip
2009-02-25 16:54 <DIR> --d----- c:\documents and settings\owner\Tracing
2009-02-25 16:10 <DIR> --d----- c:\program files\Microsoft
2009-02-25 16:08 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-02-25 15:56 <DIR> --d----- c:\program files\common files\Windows Live
2009-02-25 10:53 <DIR> --d----- c:\program files\Avira
2009-02-25 10:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-02-14 18:13 <DIR> --d----- c:\program files\Windows Live Toolbar
2009-02-14 18:05 <DIR> --d----- c:\documents and settings\owner\Contacts
2009-02-14 12:16 <DIR> -cdsh--- c:\program files\common files\WindowsLiveInstaller
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll

==================== Find3M ====================

2009-03-01 14:21 108,720 a------- c:\windows\hpoins08.dat
2009-01-20 19:10 882 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2008-12-20 15:15 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 9:58:54.95 ===============

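The DDS log above is read by volunteers line by line, looking for a few well-known shapes: a BHO whose CLSID is still registered but whose DLL is "No File" (an orphaned registration, usually what a removal tool leaves behind), a Run entry with no command or with a bare filename that Windows resolves through the search path, anything in AppInit_DLLs (loaded into every process that maps user32.dll), and Firefox `capability.policy.*` prefs, which grant the listed sites privileges ordinary pages do not get. The following Python script is an added example, not part of the thread or of the DDS tool; it implements that first-pass triage over a constructed sample made of lines copied or shortened from the posted log, and the finding categories, regexes and function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of the DDS "Pseudo HJT Report" and FIREFOX
# sections (lines copied or shortened from the posted log; not a real machine).
SAMPLE_LOG = """\
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [SpySweeper]
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [avgnt] "c:\\program files\\avira\\antivir personaledition classic\\avgnt.exe" /min
mRun: [Alcmtr] ALCMTR.EXE
AppInit_DLLs: c:\\progra~1\\google\\google~1\\GOEC62~1.DLL
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
user_pref('capability.policy.policynames', 'localfilelinks');user_pref('capability.policy.localfilelinks.sites', 'hxxp://www.webmynd.com http://www.google.com');
"""

# Line shapes used by DDS (assumed from the posted log, not an official grammar).
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
RUN_RE = re.compile(r"^(?P<hive>[um]Run(?:Once)?): \[(?P<name>[^\]]*)\](?: (?P<cmd>.*))?$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.*)$")
# Prefs that decide where typed searches and the home page go: the usual
# targets of a browser search hijack, so they are always worth listing.
FF_NAV_PREFS = {"browser.startup.homepage", "browser.search.defaulturl", "keyword.URL"}


@dataclass
class Finding:
    kind: str    # hypothetical category name, chosen for this example
    detail: str  # the value an analyst would want to see
    line: str    # the original log line


def _exe_of(cmd):
    """Return the program part of an autorun command, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Walk DDS-style lines and return the entries an analyst looks at first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            # CLSID registered but the DLL is gone: orphaned BHO registration.
            if m.group("target").strip().lower() == "no file":
                findings.append(Finding("bho-orphan", m.group("clsid"), line))
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if not cmd:
                # Run value with no command: either cleaned out or never valid.
                findings.append(Finding("run-empty", m.group("name"), line))
            elif "\\" not in _exe_of(cmd):
                # Bare filename: which file runs depends on the search path.
                findings.append(Finding("run-bare-filename", _exe_of(cmd), line))
            continue
        if line.startswith("AppInit_DLLs:"):
            findings.append(Finding("appinit-dll", line.split(":", 1)[1].strip(), line))
            continue
        m = FF_PREF_RE.match(line)
        if m and m.group("pref") in FF_NAV_PREFS:
            findings.append(Finding("ff-nav-pref", f'{m.group("pref")}={m.group("value")}', line))
            continue
        if "capability.policy." in line:
            # Site-specific privilege grants in prefs.js deserve a look every time.
            findings.append(Finding("ff-capability-policy", line[:60], line))
    return findings


def kinds(findings):
    """Just the category names, in log order (handy for a quick summary)."""
    return [f.kind for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.detail}")
```

Entries that match a known-good path (the Adobe BHO, ctfmon.exe, the quoted Avira command) fall through silently; the script only surfaces the shapes listed in the lead-in, and the `browser.search.selectedEngine` pref is ignored because it names an engine rather than a URL. Everything it reports still needs a human to decide whether the entry is legitimate, as the volunteers in this thread would.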

#2 KoanYorel


    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 16 March 2009 - 08:21 PM

Post your problems, or we don't know?

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 Guest_fuzzywuzzy6_*


  • Guests

Posted 18 March 2009 - 01:15 PM

I had so many problems, I ended up just reformatting. I could not access the internet at all for a few days.

#4 Pandy



  • Members
  • 9,559 posts
  • Gender:Female

Posted 23 March 2009 - 12:32 PM

fuzzywuzzy6 if you have reformatted then I shall close this topic here. If you ever find you would like to post another logfile please begin a new topic. Thanks, and I hope things worked out.

