WinMoviePlugIn


  • This topic is locked

#46
Don Stewart

    Member

  • Topic Starter
  • 239 posts
Good morning Phil,

Sorry about my lack of effort over the weekend when I had both my work laptop and home PC + you all at one time to resolve this issue.

Anyway, will run another HJT this evening and post it for you.

So Earthlink gives you a pop-up, with sound when you are connected to the internet and even tells you speed & IP address. When I mention server page, I'm referring to my Earthlink home page and all I get (except one time) is a page without normal http:// address or no page at all. Even that one time that I actually had a home page with the normal address http://start-earthlink.net ? it would not let me do anything.....like hit my google favorite or even when I changed the address to google it let me do it, but did nothing when I hit enter.
  • 0


#47
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello Don

This is what I see when I click on the link for start-earthlink.net

earthlink.jpg

Some of the graphics haven't appeared. This might be because they are advertisements and blocked by my MVPS HOSTs file, or it may be because they are having problems at Earthlink, anyway a view of a HJT log may help find what ails you.
  • 0

#48
Don Stewart

    Member

  • Topic Starter
  • 239 posts
Phil,

Earthlink (different person) thinks the problem is with my Explorer and suggests the following: (they wanted to know which version I had and since I'm at work I couldn't tell them)

Please click on the link given below and follow the steps on how to repair Internet Explorer browser on your system:

[email protected]: I bought the PC about 2 years ago, so what version of Explorer would come with Windows XP at that time....if this helps.
Rocky S: If you haven't updated the browser recently. I am sure that you have Internet Explorer 6 on your system.

Rocky S: http://kb.iu.edu/dat...735370.94711.30

Your thoughts? Going to try this, but will also send you my HJT log.

Edited by Don Stewart, 12 February 2007 - 02:46 PM.

  • 0

#49
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
It's worth a try. I don't use MSIE at all. I only use Mozilla FireFox. It is safer and I prefer its versatility.

Try it: http://www.mozilla.com/en-US/firefox/

Not feeling too good today, Meniere's playing up. I'll have a look at the HJT log later or tomorrow morning.
  • 0

#50
Don Stewart

    Member

  • Topic Starter
  • 239 posts
Hope you are feeling better or when you are please respond.....
I can't do what they (Earthlink) are asking because it calls for me to insert a Windows CD, which I don't have as it came loaded on my PC.

About this Mozilla FireFox, can I go to that web site and just download it and upload it to my PC, instead of doing the Explorer repair?

PS- will send you HJT a little later......no rush looking at it...thx
  • 0

#51
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Absolutely, yes you can.

When it installs itself it will ask if you wish to copy across passwords and favourites, bookmarks, form filling info etc, just say yes and make it default too.

You can repair MSIE without the windows CD.

Try Firefox first, be fair and give it a good trial, don't be put off by different names for things.

Make sure that you click View > Toolbars > Customise and drag what you want onto your toolbar.

Off to bed now. I feel unwell and very wobbly.
  • 0

#52
Don Stewart

    Member

  • Topic Starter
  • 239 posts
Happy dreams and may you feel better when you arise and I should have some results for you.......nite nite!
  • 0

#53
Don Stewart

    Member

  • Topic Starter
  • 239 posts
Phil,
Good morning & hope you are feeling better,
I have one mtg. to go to and then I will be home all day with both computers, so if you are feeling up to it we should be able to get a few things done today........
  • 0

#54
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
I am operational, although without much balance and I look like a corpse.
  • 0

#55
Don Stewart

    Member

  • Topic Starter
  • 239 posts
Back from my meeting and wanted you to see a response to my other topic:

Is it still saying media state media disconnected when you do an ipconfig?
  • 0


#56
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Well, I would guess that any PC on dial up would have to be connected not to say that. The PC gets the IP address from your ISP, so you have to dial up to get it.

ISPs used to give you an IP address on a monthly basis, so it was reserved for you for a period of say 30 days after your last use.

These days that doesn't seem to be the case. With Broadband, you often get a fresh IP address daily.

After doing the IPconfig fix, you would need to dial up immediately so as not to get that message.
  • 0

#57
Don Stewart

    Member

  • Topic Starter
  • 239 posts
Phil,

We can do this tomorrow if you are not feeling up to it. Were you able to look at the files I sent you and did they tell you anything that would help?
  • 0

#58
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
What files? I thought I was waiting for a fresh HJT log. :whistling:
  • 0

#59
Don Stewart

    Member

  • Topic Starter
  • 239 posts
Phil,

Sorry my fault, something must have gone wrong last night (was trying to use attachments) here they are:

Logfile of HijackThis v1.99.1
Scan saved at 18:58, on 07-02-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\ADS\ADSService.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120883553468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156023856312
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe" EarthLinkSafeConnectAgent (file missing)
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe

"Compaq_Owner" - 07-02-11 19:55:19 Service Pack 2
ComboFix 07-02-08.2 - Running from: "C:\Documents and Settings\Compaq_Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-11 to 2007-02-11 ))))))))))))))))))))))))))))))))))


2007-02-11 13:43 <DIR> d-------- C:\WINDOWS\_is24
2007-02-10 20:27 74,908 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-02-10 20:27 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-02-10 20:27 7,456 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-02-10 20:27 133,152 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-02-10 20:27 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-02-10 20:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Kaspersky Lab
2007-02-10 20:18 <DIR> d-------- C:\kav
2007-02-10 15:11 <DIR> d-------- C:\Program Files\Panda Software
2007-02-10 11:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-02-10 11:43 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\SUPERAntiSpyware.com
2007-02-10 11:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-02-10 11:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-02-10 11:13 811,008 --ah----- C:\AFCache.dat
2007-02-07 22:36 <DIR> d-------- C:\Program Files\Hijackthis
2007-02-05 18:48 <DIR> d-------- C:\Program Files\Grisoft
2007-02-05 18:41 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-31 21:47 <DIR> d-------- C:\Program Files\Microsoft WSE
2007-01-31 21:46 <DIR> d-------- C:\Program Files\Common Files\EarthLink Protection Control Center
2007-01-31 21:46 <DIR> d-------- C:\Program Files\Common Files\Command Software
2007-01-31 21:46 <DIR> d-------- C:\Program Files\Common Files\ADS
2007-01-31 21:45 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\InstallShield
2007-01-29 23:09 23,196 --a------ C:\WINDOWS\system32\drivers\klop.dat
2007-01-29 23:04 200,768 --a------ C:\WINDOWS\system32\klogon.dll
2007-01-25 21:16 12,781,187 --------- C:\AVG7QT.DAT
2007-01-25 20:53 <DIR> dr-h----- C:\$VAULT$.AVG
2007-01-25 20:40 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-01-25 20:40 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\AVG7
2007-01-25 20:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\avg7
2007-01-25 20:29 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\Lavasoft
2007-01-25 19:27 109,848 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-01-24 20:20 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-24 20:20 <DIR> d-------- C:\Program Files\Trend Micro


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-11 14:12 -------- d-------- C:\Program Files\earthlink totalaccess
2007-02-10 20:23 -------- d--h----- C:\Program Files\installshield installation information
2007-02-10 15:31 -------- d-------- C:\Program Files\quicktime
2007-02-10 15:31 -------- d-------- C:\Program Files\printkey2000
2007-02-10 15:28 -------- d-------- C:\Program Files\itunes
2007-02-10 15:28 -------- d-------- C:\Program Files\google
2007-02-05 19:42 -------- d-------- C:\Program Files\clean folder
2007-01-31 23:03 -------- d-------- C:\Program Files\trojanhunter 4.5
2007-01-31 22:46 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-31 21:47 -------- d---s---- C:\DOCUME~1\COMPAQ~1\Application Data\microsoft
2007-01-31 21:45 -------- d-------- C:\Program Files\earthlink
2007-01-27 10:18 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-12-16 15:21 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\adobeum
2006-12-13 17:26 -------- d-------- C:\Program Files\easy internet signup
2006-11-20 08:44 14616 --a------ C:\WINDOWS\system32\sanitize.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ccleaner"="\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /AUTO"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"E6TaskPanel"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"LXSUPMON"="C:\\WINDOWS\\system32\\LXSUPMON.EXE RUN"
"Earthlink Protection Control Center"="\"C:\\Program Files\\EarthLink\\EarthLink Protection Control Center\\BIN\\elnk_pcc2.exe\" /tray"
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-11 19:57:19
C:\ComboFix2.txt ... 07-02-09 20:20
C:\ComboFix3.txt ... 06-08-21 22:10

Panda Antivirus 2007 incident report

EVENT DATE RESULTS ADDITIONAL INFORMATION
------------------------------------------------------------------------------------------------------------------------------------------------------------
Scan completed 02/10/07 15:43:41 Scan: All My Computer
Tracking program detected: Application/Processor 02/10/07 15:27:09 Eliminated Location: C:\Program F...\smitRem.exe[Process.exe]
Tracking program detected: Application/KillApp.B 02/10/07 15:25:14 Eliminated Location: C:\hp\bin\KillIt.exe
Scan started 02/10/07 15:22:59 Scan: All My Computer

SUPERAntiSpyware Scan Log
Generated 02/10/2007 at 12:40 PM

Application Version : 3.5.1016

Core Rules Database Version : 3165
Trace Rules Database Version: 1176

Scan type : Complete Scan
Total Scan Time : 00:38:30

Memory items scanned : 494
Memory threats detected : 0
Registry items scanned : 5885
Registry threats detected : 22
File items scanned : 36916
File threats detected : 1

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
HKLM\SYSTEM\CurrentControlSet\Services\vspf
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Type
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Start
HKLM\SYSTEM\CurrentControlSet\Services\vspf#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Tag
HKLM\SYSTEM\CurrentControlSet\Services\vspf#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\vspf#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Group
HKLM\SYSTEM\CurrentControlSet\Services\vspf#DependOnService
HKLM\SYSTEM\CurrentControlSet\Services\vspf#DependOnGroup
HKLM\SYSTEM\CurrentControlSet\Services\vspf\Security
HKLM\SYSTEM\CurrentControlSet\Services\vspf\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Type
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Start
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Tag
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Group
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Security
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Security#Security
C:\WINDOWS\system32\drivers\FOPN.sys
  • 0

#60
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Don

Can I suggest we do two things here.

First an adjustment to HJT which will take out some settings that may have a bearing on what we are trying to achieve and also stop certain programmes from start-up, secondly a registry edit.

Please uninstall Kaspersky AV 6.0 from the add or remove programmes in the control panel.

------------------------------------------------------------

Go to Start > Run and type or copy & paste this into the Run box:

sc delete avp

Hit ENTER

Go to Start > Run and type or copy & paste this into the Run box:

sc delete EarthLinkSafeConnectAgent

Hit ENTER

---------------------------------------------------------------------------

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe" EarthLinkSafeConnectAgent (file missing)


Click on Fix Checked when finished and exit HijackThis.

----------------------------------------------------------------

First, we need to backup your registry:
Please go to Start > Run
Paste in the following line:
regedit /e c:\registrybackup.reg
Click OK.

It won't appear to be doing anything, that's normal. Your mouse pointer may turn to an hour glass for a minute. Please continue when it no longer has the hour glass.

Please follow these instructions carefully.

Open Notepad, and copy everything inside the code box below (Starting with REGEDIT4) and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixit.reg on your Desktop. Make sure there is NO blank line above REGEDIT4

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vspf]

Locate fixit.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.

After the "merged successfully" prompt, reboot.

Did that fix the problem?
  • 0
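
As an added example (not part of the original thread and not HijackThis's own code): a small Python parser for the log format posted above that picks out entries marked "(no file)" or "(file missing)", the orphaned leftovers among the lines selected for fixing in the reply, and derives the service name from O23 lines. The sample lines are copied from the posted log; the function names and the reading of the "Display (name)" layout are assumptions made for this example.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe" EarthLinkSafeConnectAgent (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# One log entry: a section code such as R3, O4 or O23, then " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# O23 body as it appears in the posted log: "Service: Display (name) - Owner - Path".
# Assumption from reading that log: "(name)" is present only when the display
# name differs from the service name.
SERVICE_RE = re.compile(r"^Service: (?P<display>.*?)(?: \((?P<name>[^()]+)\))? - ")

# Suffixes seen in the posted log on entries whose target file was not found.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_entries(log_text):
    """Return (code, body) tuples for every entry line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def service_key_name(body):
    """Extract the service name from an O23 body, or None if it does not parse."""
    match = SERVICE_RE.match(body)
    if not match:
        return None
    return match.group("name") or match.group("display")


def find_orphans(log_text):
    """List entries that point at a file that no longer exists."""
    findings = []
    for code, body in parse_entries(log_text):
        marker = next((m for m in ORPHAN_MARKERS if body.endswith(m)), None)
        if marker is None:
            continue
        findings.append({
            "code": code,
            "marker": marker,
            "entry": body,
            # Only O23 lines describe a Windows service.
            "service": service_key_name(body) if code == "O23" else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_orphans(SAMPLE_LOG):
        label = finding["service"] or finding["entry"]
        print(f'{finding["code"]:>3}  {finding["marker"]:<15}  {label}')
```

The two service names it returns, AVP and EarthLinkSafeConnectAgent, are the ones used in the `sc delete` steps of the reply above (service names are not case-sensitive).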





