Collected.5.L trojan, elitebar, spymonkey, etc.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by computermom, Sep 28, 2005.

  1. computermom

    computermom Private E-2

    Hi. I am trying to clean up viruses and spyware on a Sony Vaio running Windows XP Home SP2 (240 gh pentium 4, 512 mb memory, 80 gig hard drive). I have run Bitdefender, RAV, Avert Stinger, Ad Aware (and the VX2 plugin), Spybot, HS remove, A-squared, AVG Antivirus, Trend Micro Housecalls, CCleaner, CW Shredder, HS Remove, Panda activescan, ewido, trojan hunter, and bazooka. I've run most of these products at least twice. Unfortunately, I still am having problems with errors that seem to be related to Collected.5.L, Elitebar, and spymonkey (Earthlink TotalAccess is being used on this machine)...there may be some others.

    I think it is time to have someone help out with a HJT log. I've downloaded the program into a folder in Program Files, so I'm ready to go. I did attempt to copy a HJT log to htj.iamnotageek.com auto analyzer, but I get an error message.

    I think I've done everything I can possibly do from this end. Can someone help out!

    Thanks!

    Karen
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:

    Download and run the following:

    EliteToolbar Remover


    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program

    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. computermom

    computermom Private E-2

    Thanks for the info. I ran the elite toolbar remover and the hoster programs. I am attaching my HJT log. The other problem was surfmonkey (sorry...I typed spymonkey). I understand that it may have been installed with Earthlink TotalAccess. Do you see any other problems in this log? This computer was pretty well run over by viruses, trojans, worms, etc!

    Let me know where to go next.

    Thanks.
    Karen
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are running multiple antivirus applications (AVG7 and Symantec) but you must only run one. Choose the one you prefer and uninstall the other. Do that now before continuing and while I look at your HJT log.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By the way SurfMonkey is considered adware by most people and you are right it came with EarthLink. It is probably something you do not want anyway unless you are forcing it on your kids. What you wish to do with it is up to you. It can be uninstalled using Add/Remove programs. See:

    http://www.cexx.org/surfmonk.htm
    http://www.earthlink.net/about/press/pr_surfmonkey/

    Also you have the below running from Sony Vaio:
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs

    Check out what the below states and decide if you want or need this:
    http://castlecops.com/startuplist-4638.html


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKLM\..\Run: [MediaXPServicePack] mxpsp.exe
    O4 - HKLM\..\Run: [Media-XP-Service-Pack3] msnzx.exe
    O4 - HKLM\..\RunServices: [MediaXPServicePack] mxpsp.exe
    O4 - HKLM\..\RunServices: [Media-XP-Service-Pack3] msnzx.exe
    O4 - HKCU\..\Run: [MediaXPServicePack] mxpsp.exe
    O4 - HKCU\..\Run: [Media-XP-Service-Pack3] msnzx.exe
    O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe
    O4 - HKCU\..\RunServices: [Media-XP-Service-Pack3] msnzx.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    c:\windows\system32\mxpsp.exe
    c:\windows\system32\msnzx.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  6. computermom

    computermom Private E-2

    Chaslang:

    Thanks! Things are running much quicker now.

    A few notes:
    I was unable to find mxpsp.exe and msnzx.exe in the system32 folder. I ran a search for them, but still couldn't see them. They are not running in my task manager either.

    I have checked the Add/Remove programs list for Surf Monkey, but it doesn't appear.

    Attached is my latest HJT log. Let me know if you think there is anything else I need to fix or if I look good!

    Thanks again.

    Karen
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What did you decide about:

    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs


    Do you use or do you want Surfmonkey?
     
  8. computermom

    computermom Private E-2

    Let's get rid of them both...they're not used!

    What do I need to do?

    Karen
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we will stop them from loading but we will not delete the files, just in case later you decide you need them. You can always restore the registry entries we delete using HJT's backup/restore capability. (one reason we insist on it being installed properly)

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\surfmonkey\smproxy.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe
    After clicking Fix, exit HJT.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
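    The lines chaslang selects in posts 5 and 9 are all autorun entries (O4), browser settings (R0/R3) or IE extras (O9), and each is picked out for a reason a reviewer can state: the file behind it is missing, it is a bare filename with no path, it sits in a RunServices key, it launches a script, or it points the start page at a host the owner never chose. The following is an added example, not code from this thread or from HijackThis, that parses such lines and applies those checks mechanically. The sample log is constructed from entries quoted above; the watch-list of basenames and the allow-list of start-page hosts are assumptions made for the example.

```python
"""Parse HijackThis-style log lines and flag the entries a malware-help
volunteer looks at first.  Added example: the sample log is constructed from
lines quoted in this thread; WATCHLIST and EXPECTED_START_HOSTS are assumed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

SAMPLE_LOG = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKLM\..\RunServices: [Media-XP-Service-Pack3] msnzx.exe
O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

# Constructed for the example: basenames this thread told the owner to remove.
WATCHLIST = {
    "mxpsp.exe": "MediaXPServicePack entry (removed in post 5)",
    "msnzx.exe": "Media-XP-Service-Pack3 entry (removed in post 5)",
    "smproxy.exe": "SurfMonkey proxy (EarthLink adware, per this thread)",
}
# Assumed allow-list: start-page hosts the owner actually chose.
EXPECTED_START_HOSTS = {"www.google.com", "www.sony.com"}
DANGLING = ("(no file)", "(file missing)")
SCRIPT_EXT = (".vbs", ".js", ".bat", ".cmd")

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"^(?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
R01_RE = re.compile(r"^(?P<loc>.+?),(?P<name>[^=]+?) = (?P<target>.*)$")
HOOK_RE = re.compile(r"^(?P<loc>URLSearchHook): (?P<name>.+?) - (?P<clsid>.+?) - (?P<target>.*)$")
O9_RE = re.compile(r"^(?P<loc>.+?): (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")


@dataclass
class HjtEntry:
    section: str         # "R0", "O4", "O9", ...
    location: str        # registry key or HJT category text
    name: Optional[str]  # value name, e.g. "ZTgServerSwitch"
    target: str          # file, URL or "(no file)"
    raw: str


def parse_line(line: str) -> Optional[HjtEntry]:
    """Return an HjtEntry for a recognised HJT line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    pattern = {"O4": O4_RE, "R0": R01_RE, "R1": R01_RE, "R3": HOOK_RE, "O9": O9_RE}.get(sec)
    sub = pattern.match(rest) if pattern else None
    if not sub:
        # Unrecognised layout: keep the raw text so nothing is silently dropped.
        return HjtEntry(sec, rest, None, "", line.strip())
    return HjtEntry(sec, sub.group("loc"), sub.group("name"), sub.group("target"), line.strip())


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def basename(target: str) -> str:
    """Lower-case file name of a target, with HJT's '(file missing)' note stripped."""
    path = re.sub(r" \((?:file missing|no file)\)$", "", target.strip('"'))
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(entry: HjtEntry) -> List[str]:
    """Reasons a volunteer would single this entry out; empty list = nothing noted."""
    reasons: List[str] = []
    t = entry.target.lower()
    if any(marker in t for marker in DANGLING):
        reasons.append("dangling reference (target file missing)")
    base = basename(entry.target)
    if base in WATCHLIST:
        reasons.append(f"basename on watch-list: {WATCHLIST[base]}")
    if entry.section == "O4":
        if "runservices" in entry.location.lower():
            reasons.append("RunServices key (Win9x-era key; legitimate XP software rarely uses it)")
        if "\\" not in entry.target and "/" not in entry.target:
            reasons.append("bare filename, no full path (resolved via PATH search)")
        if t.endswith(SCRIPT_EXT):
            reasons.append("logon entry runs a script rather than an executable")
    if entry.section == "R0" and (entry.name or "").lower() == "start page":
        host = urlparse(entry.target).hostname or ""
        if host not in EXPECTED_START_HOSTS:
            reasons.append(f"start page points at unexpected host {host!r}")
    return reasons


def review(text: str) -> List[Tuple[str, List[str]]]:
    """Every parsed line that drew at least one reason, in log order."""
    out = []
    for e in parse_log(text):
        reasons = assess(e)
        if reasons:
            out.append((e.raw, reasons))
    return out


if __name__ == "__main__":
    for raw, reasons in review(SAMPLE_LOG):
        print(raw)
        for r in reasons:
            print("   ->", r)
```

    Run it as a script to see the report for the constructed log; all seven sample lines draw at least one reason, and the ELNKProxy line is caught only by the watch-list, which is the point: a full path to a real executable looks clean on its own, and the reviewer's knowledge of what the product is (here, SurfMonkey) is what decides it. Unrecognised line layouts are kept as raw entries rather than dropped, so a line that the regexes do not understand still reaches the reader.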
     
  10. computermom

    computermom Private E-2

    Everything seems to be working great now.

    Here's my latest HJT Log. Do you think I'm set?

    Thanks for all your help!

    Karen
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    Hmmm? I still see this running: C:\WINDOWS\surfmonkey\SMProxy.exe
    But I do not see anything loading it.
    Reboot your PC and let me know if this process still shows up in your HJT log.
     
  12. computermom

    computermom Private E-2

    Don't know why it was there before. Seems to be gone now. Here's the latest. Everything good?

    Have a great weekend! Hope the weather is as beautiful there as it is here.
    Karen
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    I still see the below. Did you forget to fix it or did you run HSremove again? You do not need to use HSremove for the problems you were having.


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    Fix it again using HJT.

    Weather here is great yesterday & today?

    How is the pottery factory down there (I don't remember the name)? Is that place still in business?
     
  14. computermom

    computermom Private E-2

    The pottery place is called "The Williamsburg Pottery" (or "The Pottery" to locals). It's still around! Williamsburg has really grown a lot in the two years we've been here. Not so much of a small town anymore.

    Anyway, I don't know how the HSRemove line got there. I'm 99% sure I checked it for removal, and I didn't run the program again.

    I think it is gone now...here's my log.

    Hopefully we're finally there!

    Karen
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now you are all clean! It's time to work through the steps in the below link to help keep you clean. You must get a real firewall installed and then disable the one in WinXP SP2 which does not provide adequate protection. A list of firewalls is in the below link too.

    How to Protect yourself from malware!
     
  16. computermom

    computermom Private E-2

    Glad it's all cleaned up. Thanks again for all your help!

    Karen
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
