Phil,
Sorry my fault, something must have gone wrong last night (was trying to use attachments) here they are:
Logfile of HijackThis v1.99.1
Scan saved at 18:58, on 07-02-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\ADS\ADSService.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.earthlink...ton/search.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://start.earthlink.net/AL/SearchR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://start.earthlink.netR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://ie.redirect.h...a...&pf=desktopR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://start.earthlink.net/AL/SearchR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://ie.redirect.h...a...&pf=desktopR3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) -
https://support.micr...ActiveX/odc.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.micros...b?1120883553468O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.micros...b?1156023856312O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe" EarthLinkSafeConnectAgent (file missing)
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
"Compaq_Owner" - 07-02-11 19:55:19 Service Pack 2
ComboFix 07-02-08.2 - Running from: "C:\Documents and Settings\Compaq_Owner\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-01-11 to 2007-02-11 ))))))))))))))))))))))))))))))))))
2007-02-11 13:43 <DIR> d-------- C:\WINDOWS\_is24
2007-02-10 20:27 74,908 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-02-10 20:27 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-02-10 20:27 7,456 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-02-10 20:27 133,152 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-02-10 20:27 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-02-10 20:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Kaspersky Lab
2007-02-10 20:18 <DIR> d-------- C:\kav
2007-02-10 15:11 <DIR> d-------- C:\Program Files\Panda Software
2007-02-10 11:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-02-10 11:43 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\SUPERAntiSpyware.com
2007-02-10 11:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-02-10 11:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-02-10 11:13 811,008 --ah----- C:\AFCache.dat
2007-02-07 22:36 <DIR> d-------- C:\Program Files\Hijackthis
2007-02-05 18:48 <DIR> d-------- C:\Program Files\Grisoft
2007-02-05 18:41 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-31 21:47 <DIR> d-------- C:\Program Files\Microsoft WSE
2007-01-31 21:46 <DIR> d-------- C:\Program Files\Common Files\EarthLink Protection Control Center
2007-01-31 21:46 <DIR> d-------- C:\Program Files\Common Files\Command Software
2007-01-31 21:46 <DIR> d-------- C:\Program Files\Common Files\ADS
2007-01-31 21:45 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\InstallShield
2007-01-29 23:09 23,196 --a------ C:\WINDOWS\system32\drivers\klop.dat
2007-01-29 23:04 200,768 --a------ C:\WINDOWS\system32\klogon.dll
2007-01-25 21:16 12,781,187 --------- C:\AVG7QT.DAT
2007-01-25 20:53 <DIR> dr-h----- C:\$VAULT$.AVG
2007-01-25 20:40 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-01-25 20:40 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\AVG7
2007-01-25 20:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\avg7
2007-01-25 20:29 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\Lavasoft
2007-01-25 19:27 109,848 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-01-24 20:20 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-24 20:20 <DIR> d-------- C:\Program Files\Trend Micro
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-02-11 14:12 -------- d-------- C:\Program Files\earthlink totalaccess
2007-02-10 20:23 -------- d--h----- C:\Program Files\installshield installation information
2007-02-10 15:31 -------- d-------- C:\Program Files\quicktime
2007-02-10 15:31 -------- d-------- C:\Program Files\printkey2000
2007-02-10 15:28 -------- d-------- C:\Program Files\itunes
2007-02-10 15:28 -------- d-------- C:\Program Files\google
2007-02-05 19:42 -------- d-------- C:\Program Files\clean folder
2007-01-31 23:03 -------- d-------- C:\Program Files\trojanhunter 4.5
2007-01-31 22:46 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-31 21:47 -------- d---s---- C:\DOCUME~1\COMPAQ~1\Application Data\microsoft
2007-01-31 21:45 -------- d-------- C:\Program Files\earthlink
2007-01-27 10:18 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-12-16 15:21 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\adobeum
2006-12-13 17:26 -------- d-------- C:\Program Files\easy internet signup
2006-11-20 08:44 14616 --a------ C:\WINDOWS\system32\sanitize.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ccleaner"="\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /AUTO"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"E6TaskPanel"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"LXSUPMON"="C:\\WINDOWS\\system32\\LXSUPMON.EXE RUN"
"Earthlink Protection Control Center"="\"C:\\Program Files\\EarthLink\\EarthLink Protection Control Center\\BIN\\elnk_pcc2.exe\" /tray"
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job
********************************************************************
catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.netscanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-02-11 19:57:19
C:\ComboFix2.txt ... 07-02-09 20:20
C:\ComboFix3.txt ... 06-08-21 22:10
Panda Antivirus 2007 incident report
EVENT DATE RESULTS ADDITIONAL INFORMATION
------------------------------------------------------------------------------------------------------------------------------------------------------------
Scan completed 02/10/07 15:43:41 Scan: All My Computer
Tracking program detected: Application/Processor 02/10/07 15:27:09 Eliminated Location: C:\Program F...\smitRem.exe[Process.exe]
Tracking program detected: Application/KillApp.B 02/10/07 15:25:14 Eliminated Location: C:\hp\bin\KillIt.exe
Scan started 02/10/07 15:22:59 Scan: All My Computer
SUPERAntiSpyware Scan Log
Generated 02/10/2007 at 12:40 PM
Application Version : 3.5.1016
Core Rules Database Version : 3165
Trace Rules Database Version: 1176
Scan type : Complete Scan
Total Scan Time : 00:38:30
Memory items scanned : 494
Memory threats detected : 0
Registry items scanned : 5885
Registry threats detected : 22
File items scanned : 36916
File threats detected : 1
Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
HKLM\SYSTEM\CurrentControlSet\Services\vspf
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Type
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Start
HKLM\SYSTEM\CurrentControlSet\Services\vspf#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Tag
HKLM\SYSTEM\CurrentControlSet\Services\vspf#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\vspf#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Group
HKLM\SYSTEM\CurrentControlSet\Services\vspf#DependOnService
HKLM\SYSTEM\CurrentControlSet\Services\vspf#DependOnGroup
HKLM\SYSTEM\CurrentControlSet\Services\vspf\Security
HKLM\SYSTEM\CurrentControlSet\Services\vspf\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Type
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Start
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Tag
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Group
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Security
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Security#Security
C:\WINDOWS\system32\drivers\FOPN.sys