Author Topic: Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\SHAI.DL


nicholas2

  • Guest
All day I keep getting this and have no idea how to stop it. It appears to keep coming up over and over; when I check the system nothing else shows up, and I have also checked for spyware, with nothing else appearing except in AVAST, and it keeps popping up and I send it to the chest.

Any ideas?

After the listing of the sign I have also attached the hijack I just did.  Can anyone tell me what I have or what to do to stop it?


4/9/2008   7:54:32 AM   1207742072   SYSTEM   212   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\SHAI.DLL" file. 
4/9/2008   10:09:48 AM   1207750188   SYSTEM   212   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\shai.dll" file. 
4/9/2008   10:13:39 AM   1207750419   SYSTEM   212   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\shai.dll" file. 
4/9/2008   10:13:57 AM   1207750437   SYSTEM   212   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\shai.dll" file. 
4/9/2008   10:14:01 AM   1207750441   SYSTEM   212   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\shai.dll" file. 
4/9/2008   10:14:24 AM   1207750464   SYSTEM   212   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\shai.dll" file. 
4/9/2008   10:14:48 AM   1207750488   SYSTEM   212   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\shai.dll" file. 
4/9/2008   10:15:13 AM   1207750513   SYSTEM   212   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\shai.dll" file. 
4/9/2008   10:15:30 AM   1207750530   SYSTEM   212   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\shai.dll" file. 
4/9/2008   10:18:55 AM   1207750735   SYSTEM   212   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\shai.dll" file. 
4/9/2008   10:19:17 AM   1207750757   SYSTEM   212   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\shai.dll" file. 
4/9/2008   10:19:18 AM   1207750758   SYSTEM   212   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\shai.dll" file. 
4/9/2008   11:12:44 AM   1207753964   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os6.tmp\AppInit.dll" file. 
4/9/2008   11:23:24 AM   1207754604   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os13.tmp\AppInit.dll" file. 
4/9/2008   11:33:55 AM   1207755235   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os16.tmp\AppInit.dll" file. 
4/9/2008   11:44:26 AM   1207755866   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os18.tmp\AppInit.dll" file. 
4/9/2008   11:54:58 AM   1207756498   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os1C.tmp\AppInit.dll" file. 
4/9/2008   12:05:27 PM   1207757127   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os20.tmp\AppInit.dll" file. 
4/9/2008   12:15:57 PM   1207757757   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os41.tmp\AppInit.dll" file. 
4/9/2008   12:26:57 PM   1207758417   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os4E.tmp\AppInit.dll" file. 
4/9/2008   12:37:27 PM   1207759047   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os5B.tmp\AppInit.dll" file. 
4/9/2008   12:47:58 PM   1207759678   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os60.tmp\AppInit.dll" file. 
4/9/2008   12:58:32 PM   1207760312   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os6C.tmp\AppInit.dll" file. 
4/9/2008   1:09:04 PM   1207760944   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os78.tmp\AppInit.dll" file. 
4/9/2008   1:19:41 PM   1207761581   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os7A.tmp\AppInit.dll" file. 
4/9/2008   1:30:20 PM   1207762220   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os7C.tmp\AppInit.dll" file. 
4/9/2008   1:41:06 PM   1207762866   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os218.tmp\AppInit.dll" file. 
4/9/2008   1:56:54 PM   1207763814   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os523.tmp\AppInit.dll" file. 
4/9/2008   9:39:39 PM   1207791579   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os15.tmp\AppInit.dll" file. 
4/9/2008   9:51:13 PM   1207792273   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os19.tmp\AppInit.dll" file. 
4/9/2008   10:01:58 PM   1207792918   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os1C.tmp\AppInit.dll" file. 
4/9/2008   10:12:40 PM   1207793560   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os1E.tmp\AppInit.dll" file. 
4/9/2008   10:23:43 PM   1207794223   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os20.tmp\AppInit.dll" file. 
4/9/2008   10:35:05 PM   1207794905   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os36.tmp\AppInit.dll" file. 
4/9/2008   10:46:38 PM   1207795598   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os38.tmp\AppInit.dll" file. 
4/9/2008   10:57:22 PM   1207796242   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os3B.tmp\AppInit.dll" file. 
4/9/2008   11:07:59 PM   1207796879   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os3D.tmp\AppInit.dll" file. 
4/9/2008   11:18:31 PM   1207797511   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os45.tmp\AppInit.dll" file. 
4/9/2008   11:31:20 PM   1207798280   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os5B.tmp\AppInit.dll" file. 
4/9/2008   11:41:56 PM   1207798916   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os5D.tmp\AppInit.dll" file. 
4/9/2008   11:52:26 PM   1207799546   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os5F.tmp\AppInit.dll" file. 
4/10/2008   12:03:00 AM   1207800180   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os61.tmp\AppInit.dll" file. 
4/10/2008   12:14:14 AM   1207800854   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os63.tmp\AppInit.dll" file. 
4/10/2008   12:24:48 AM   1207801488   SYSTEM   1944   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os65.tmp\AppInit.dll" file. 
4/10/2008   1:35:35 AM   1207805735   Nicholas   1908   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os4.tmp\AppInit.dll" file. 
4/10/2008   1:46:30 AM   1207806390   Nicholas   1908   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os8.tmp\AppInit.dll" file. 
4/10/2008   1:56:58 AM   1207807018   Nicholas   1908   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os11.tmp\AppInit.dll" file. 
4/10/2008   2:07:26 AM   1207807646   Nicholas   1908   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os1F.tmp\AppInit.dll" file. 
4/10/2008   2:17:54 AM   1207808274   Nicholas   1908   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os22.tmp\AppInit.dll" file. 
4/10/2008   2:31:08 AM   1207809068   Nicholas   1980   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~osB.tmp\AppInit.dll" file. 
4/10/2008   2:35:04 AM   1207809304   Nicholas   1980   Sign of "Win32:Trat-D [Drp]" has been found in "C:\Documents and Settings\Nicholas\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.BIN" file. 
4/10/2008   2:41:48 AM   1207809708   Nicholas   1980   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os1C.tmp\AppInit.dll" file. 
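The alert log above, read the way a responder would: this is an added example, not code from the original post or from Avast. It parses the alert-line layout shown (date, local time, Unix epoch, user, PID, message), case-folds the paths so SHAI.DLL and shai.dll count as one file, folds the per-session `~osNN.tmp` directory (an assumption about those names, inferred from the log) so the AppInit.dll re-drops group together, and reports how often each file keeps coming back; the sample lines are a constructed subset of the ones quoted above.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the layout of the Avast alert log quoted above
# (date, local time, Unix epoch, user, PID, message). The paths are the ones
# from the thread; only the selection of lines is constructed.
SAMPLE_LOG = r"""
4/9/2008   7:54:32 AM   1207742072   SYSTEM   212   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\SHAI.DLL" file.
4/9/2008   10:09:48 AM   1207750188   SYSTEM   212   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\shai.dll" file.
4/9/2008   11:12:44 AM   1207753964   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os6.tmp\AppInit.dll" file.
4/9/2008   11:23:24 AM   1207754604   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os13.tmp\AppInit.dll" file.
4/9/2008   11:33:55 AM   1207755235   Nicholas   1984   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\~os16.tmp\AppInit.dll" file.
4/10/2008   2:35:04 AM   1207809304   Nicholas   1980   Sign of "Win32:Trat-D [Drp]" has been found in "C:\Documents and Settings\Nicholas\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.BIN" file.
"""

# One alert line: five whitespace-separated fields, then a message carrying
# the signature name and the file path in double quotes.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<epoch>\d+)\s+(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<signature>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)

# Assumption: the scratch directories \TEMP\~os13.tmp\, \TEMP\~os16.tmp\ and so
# on differ only in the hex suffix, so fold them to group re-drops together.
TEMP_DIR_RE = re.compile(r'\\~os[0-9a-f]+\.tmp\\', re.IGNORECASE)

@dataclass(frozen=True)
class Alert:
    epoch: int
    user: str
    pid: int
    signature: str
    path: str

def parse_alerts(text: str) -> list[Alert]:
    """Parse alert lines; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            alerts.append(Alert(int(m["epoch"]), m["user"], int(m["pid"]),
                                m["signature"], m["path"]))
    return alerts

def normalize_path(path: str) -> str:
    """Case-fold (NTFS paths are case-insensitive) and fold the TEMP subdir."""
    return TEMP_DIR_RE.sub(lambda _: "\\~os*.tmp\\", path.lower())

def summarize(alerts: list[Alert]) -> dict[str, dict]:
    """Per normalized path: hit count, signatures seen, and the median gap in
    seconds between consecutive detections (None when seen only once)."""
    by_path: dict[str, list[Alert]] = defaultdict(list)
    for a in alerts:
        by_path[normalize_path(a.path)].append(a)
    summary = {}
    for path, hits in by_path.items():
        epochs = sorted(a.epoch for a in hits)
        gaps = [later - earlier for earlier, later in zip(epochs, epochs[1:])]
        summary[path] = {
            "count": len(hits),
            "signatures": sorted({a.signature for a in hits}),
            "median_gap_s": statistics.median(gaps) if gaps else None,
        }
    return summary

def recurring_drops(summary: dict[str, dict], min_hits: int = 3) -> list[str]:
    """Paths re-detected at least min_hits times: each copy went to the Chest,
    yet a fresh one appeared, so whatever writes them is still running."""
    return sorted(p for p, s in summary.items() if s["count"] >= min_hits)

if __name__ == "__main__":
    report = summarize(parse_alerts(SAMPLE_LOG))
    for path, s in report.items():
        print(f"{s['count']}x {path} gap={s['median_gap_s']}s {s['signatures']}")
    print("still being re-dropped:", recurring_drops(report))
```

On the full log the AppInit.dll entry comes back roughly every ten minutes for the whole day, which is the pattern that tells you to look for the process writing it rather than keep quarantining copies.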



nicholas2

  • Guest
Here is the HIJACK

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:43 AM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\shwired.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Generic\USB Card Reader Driver v2.2c\Disk_Monitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\VBTUCopy\VBTUCopy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Ocucom\PreCast\tmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\MySurvey Messenger\MySurveyMessenger.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
C:\Program Files\BOINC\projects\einstein.phys.uwm.edu\einstein_S5R3_4.26_windows_intelx86.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Avanquest\PowerDesk\PDExplo.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


nicholas2

  • Guest
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Avanquest\SystemSuite\LinkScannerIE.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card Reader Driver v2.2c\Disk_Monitor.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] C:\Program Files\EarthLink TotalAccess\ProtectionControlCenter\elnk_pcc.exe /minimize
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SHWired Helper] C:\WINDOWS\system32\spw.exe
O4 - HKLM\..\Run: [ShoppersHotlineWired] c:\windows\system32\shwired.exe -boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [VBTUCopy] C:\Program Files\VBTUCopy\VBTUCopy.exe /a /f
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

nicholas2

  • Guest
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: Dialog Helper.lnk = C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
O4 - Startup: MySurvey Messenger.lnk = C:\Program Files\MySurvey Messenger\MySurveyMessenger.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: PreCast Monitor.lnk = C:\Program Files\Ocucom\PreCast\tmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206785107250
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ShoppersHotlineWired - C:\WINDOWS\system32\shls.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ADSService - Aluria Software, LLC - C:\PROGRA~1\EARTHL~1\PROTEC~1\ADSSER~1.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~1\PROTEC~1\EFWPPS~1.EXE
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Nicholas\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SystemSuite Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 14161 bytes

CharleyO

  • Guest
***

While I am not an expert on reading HJT logs, I have done some research for those who may be able to help you with this infection. Please wait for someone else to give you instructions on what steps to take next.

Your warning messages are about the information contained in the following link ...
http://www.prevx.com/filenames/170467188590500646-0/RLAI.DLL.html
... as shai.dll is also known as rlai.dll and is associated with malware.

These are not needed as there is no file association:

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


This is known to add spyware & other malware:

O4 - HKLM\..\Run: [SHWired Helper] C:\WINDOWS\system32\spw.exe

O4 - HKLM\..\Run: [ShoppersHotlineWired] c:\windows\system32\shwired.exe -boot


Read information about these here ... http://spywarefiles.prevx.com/RRDCHD036314111/SHWIRED.EXE.html

O20 - Winlogon Notify: ShoppersHotlineWired - C:\WINDOWS\system32\shls.dll

Read information about it here ... http://www.prevx.com/filenames/X1387222194110511682-0/RLLS.DLL.html

Hopefully, someone will be along shortly to help you further.


***

nicholas2

  • Guest
Thanks. Since I know I am a member of shoppershotlinewired and this program is on my computer, and I have had no problems with it being there, now or in the past, should I just accept the alerts, and is there a way to turn off the alert? This has just started with the latest update of Avast, and I have not seen it before.

CharleyO

  • Guest
***

Did you read the links I provided?  ???

From the links I supplied:
(bold inserted by me to highlight the major dangers)

Quote
ACTIVITY ANALYSIS OF: SHWIRED.EXE
The following behaviors have been observed for this object:
Installs programs.
Deletes programs.
Invokes dll components.
Creates Run Keys.
Modifies the hostsfile.
Runs temporary programs.
Runs other programs.
Communicates with web sites using httpout protocols.
Communicates with other computers across the web.
Hijacks running processes.
Has outbound communications.
Creates registry entries.
Creates run keys for known malware.
Creates known malware.
Creates copies of itself.

PRLS.DLL has been the subject of the following behavior(s):
Registered as a Dynamic Link Library File
The process is hooked into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
Created as a process on disk
Deleted as a process from disk

The choice is yours, of course, but you cannot be surprised if you get rootkits, spyware, keygens, or other malware if you continue to use such programs.

Quote from nicholas2:
Quote
This has just started with the latest update of Avast, and have not seen it before.
This is because the new version of avast 4.8 includes a rootkit detector, whereas previous versions of avast did not have this capability.


***
« Last Edit: April 10, 2008, 08:55:03 PM by CharleyO »

nicholas2

  • Guest
Thanks for the information, and I did read the various comments; however, I have had the program on the computer for over a year and have not had any problems of the possibilities described, as it came from a reputable source to my knowledge, and to be sure I contacted the technical people at the site for information.

Is there a way to allow the program to run, without the alerts for this program, but that will alert me if something else arrives?

CharleyO

  • Guest
***

Would someone else like to comment here? I have done what I can to help nicholas2 understand what is wrong but I seem to have failed ... or maybe I am missing something.


***