Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Is Aluria A Threat?


  • Please log in to reply
1 reply to this topic

#1 paulboc

paulboc

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:02:23 PM

Posted 10 January 2006 - 12:09 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:07:05 AM, on 1/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\PROGRA~1\EARTHL~2\PROTEC~1\ADSSER~1.EXE
C:\WINNT\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSec.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
F:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
F:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\QuickTime\qttask.exe
F:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
F:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe
F:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe
F:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
F:\PROGRAM FILES\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
F:\PROGRAM FILES\Express Technologies\Download Manager\DLMClient.exe
F:\PROGRAM FILES\Express Technologies\World Watch\W32ALARM.exe
C:\WINNT\System32\rsvp.exe
C:\WINNT\system32\AuthFw.exe
F:\PROGRAM FILES\EarthLink TotalAccess\MailClnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\PROGRAM FILES\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - F:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - F:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - F:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - f:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - F:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - F:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - F:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [InCD] F:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] f:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINNT\CTRegRun.EXE
O4 - HKLM\..\Run: [IPInSightMonitor 01] "F:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "F:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe" -l
O4 - HKLM\..\Run: [Earthlink Protection Control Center] F:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe /minimize
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "F:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "F:\PROGRAM FILES\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: BounceBack Launcher.lnk = C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
O4 - Global Startup: Download Manager.lnk = F:\PROGRAM FILES\Express Technologies\Download Manager\DLMClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: World Watch.lnk = F:\PROGRAM FILES\Express Technologies\World Watch\W32ALARM.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24da6a2db4a7de...ip/RdxIE601.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133990172703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134756358265
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O23 - Service: ADSService - Copyrightę Aluria Software, LLC - F:\PROGRA~1\EARTHL~2\PROTEC~1\ADSSER~1.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Aluria Software, LLC. - F:\PROGRA~1\EARTHL~2\PROTEC~1\EFWPPS~1.EXE
O23 - Service: EarthLink Protection Control Center Service (ELNKService) - Aluria Software, LLC. - F:\PROGRA~1\EARTHL~2\PROTEC~1\ELNKServ.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - F:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe

BC AdBot (Login to Remove)

 


#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,581 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:23 PM

Posted 10 January 2006 - 05:45 PM

Hi paulboc,

Your log is clean except for one minor item. Aluria is a somewhat reputable security firm that is partnered with Earthlink. Both have just come out with a firewall, so that is what those files are related to. If you have your Earthlink software set to update automatically, that's how it got installed and is nothing to worry about.

Scan again with HijackThis and put a check by the following:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24da6a2db4a7de...ip/RdxIE601.cab

Close any other windows you may have open and click Fix Checked.

If you are experienceing any other problems that make you think you may be infected with malware, reboot and post a new log and describe what's happening. Otherwise I'll post to your other thread about this issue as I have some comments and recommendations for you that would be more approppriately posted there. :thumbsup:

http://www.bleepingcomputer.com/forums/ind...topic=40655&hl=

The fate of all mankind, I see

Is in the hands of fools

--King Crimson





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users