WinMoviePlugIn


  • This topic is locked

#61 Don Stewart (Member, Topic Starter, 239 posts)
Good morning, I think? How many hours' difference is there between you (England?) and me in Seattle, WA (PST), anyhow?
Hope you are feeling better. I'm at work, so this will have to wait until I get home this evening. Sorry again about the late HJT posts. Do attachments work, or is it better to copy and paste into your reply?
Glad to hear that you are going after possible registry errors, as that is where Earthlink Protection Center says WinMoviePlugIn and the others reside. Plus it is a bonus to also address all my start-up programs, as I think many are conflicting with my main Earthlink Protection Center program... thx again for all your help, and hope you're feeling better.

#62 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
Good morning Don.

Yes, I am a little more human today. BTW, I don't think that the SUPERantispyware log is complete. If you still have it, please paste it into this thread.

As far as I am aware, attachments still work OK, the only problem we know about is the occasional blank post. If it happens to you, try editing your last post with half of your intended reply, and then post the second half in another, separate, post.

#63 Don Stewart (Member, Topic Starter, 239 posts)
Phil,

Will add the SUPERantispyware log again tonight; is there an easy way to know that it is complete?

"As far as I am aware, attachments still work OK, the only problem we know about is the occasional blank post." This is possibly what happened to my attempted post Monday evening, that failed.

#64 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
Hello Don

The log on your PC will be complete, but when you paste it in, use Preview Post to check all of it is there, before clicking Add Reply.

The blank post syndrome we are suffering is noticeable when you do the Preview Post as there is no preview, so you know at that point that there won't be a reply either.

#65 Don Stewart (Member, Topic Starter, 239 posts)
Phil,

Did not fix the problem, as WinMoviePlugIn is still detected by Earthlink Protection Center in the registry along with the previous 5 others, and I still can't get a server page once on the internet.

Re-ran SUPERantispyware and got no errors to report; also, when I went to eliminate the bad files from the prior HJT, I only found 5 of them, and have included a new HJT.

Logfile of HijackThis v1.99.1
Scan saved at 23:51, on 07-02-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
C:\Program Files\Common Files\ADS\ADSService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120883553468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156023856312
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe

Really expected the registry thing would do it.

Edited by Don Stewart, 15 February 2007 - 01:04 AM.

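The fix in the next post picks three lines out of the log above by eye. As an added example, not code from this thread or from the HijackThis author, the Python below parses a few lines copied from the posted log into their sections, pulls out the CLSID and file target where the entry type has one, and flags the properties that make an entry worth a closer look: a CLSID that is not a well-formed {8-4-4-4-12} GUID (the R3 line beginning "~CFBFAE00"), a target of "(no file)" (an orphaned registry reference), and a Run entry whose command names no directory. The regexes, the `Entry` class and the flag names are this example's own assumptions about the log layout, not anything HijackThis defines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above, chosen to cover the entry types the recommended fix names.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
"""

# A well-formed COM CLSID: braces around 8-4-4-4-12 hex groups.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# "<kind>: <name> - <clsid-ish token> - <path>" as used by R3, O2 and O3 entries
# (assumed layout; the path may itself contain " - ", so the CLSID anchors the split).
COM_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>[~{][0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    section: str                      # R1, O2, O4, ...
    body: str                         # everything after "Oxx - "
    clsid: Optional[str] = None
    path: Optional[str] = None        # file target, where the entry type has one
    flags: List[str] = field(default_factory=list)


def first_token(cmd: str) -> str:
    """Return the executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT entry line; lines that are not entries give None."""
    m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    e = Entry(section, body)
    if section in ("R3", "O2", "O3") and (cm := COM_RE.match(body)):
        e.clsid, e.path = cm["clsid"], cm["path"]
    elif section == "O4" and (rm := RUN_RE.match(body)):
        e.path = first_token(rm["cmd"])
    elif section == "O20" and (nm := NOTIFY_RE.match(body)):
        e.path = nm["path"]
    elif section == "O23" and (sm := SERVICE_RE.match(body)):
        e.path = sm["path"]
    # Review flags: prompts for a human to look closer, not verdicts.
    if e.clsid is not None and not CLSID_RE.match(e.clsid):
        e.flags.append("malformed-clsid")    # e.g. the "~CFBFAE00..." R3 line
    if e.path == "(no file)":
        e.flags.append("missing-file")       # orphaned registry reference
    elif e.path and not ABS_PATH_RE.match(e.path):
        e.flags.append("unqualified-path")   # bare file name, resolved by search path
    return e


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def review_queue(text: str) -> dict:
    """Map each flagged entry's body to its flags, for manual review."""
    return {e.body: e.flags for e in parse_log(text) if e.flags}


if __name__ == "__main__":
    for body, flags in review_queue(SAMPLE_LOG).items():
        print(", ".join(flags), "->", body)
```

The flags only say why an entry deserves attention: the "(no file)" R3 entry is the kind of orphan the fix in the next post removes, while the AGRSMMSG.exe Run entry is listed only because a bare file name is located by search path rather than by a fixed location, which is the property a reviewer would want to confirm before deciding either way.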

#66 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
Hello Don

This is my recommended fix for HJT:

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
Click on Fix Checked when finished and exit HijackThis.

Let's follow our noses a little here and take note of the Earthlink Protection Center, which is Authentium based as I see it.

Can you post, in any way possible, the report that tells you that you have bad stuff? It's all very well saying that there's a problem in the registry, but without the correct path, it really is a needle in a haystack situation. If the programme gives me precise detail, then I can act on it and rule it out or fix the problem.

#67 Don Stewart (Member, Topic Starter, 239 posts)
[Attachment: Earthlink_Results.gif]

Morning,

Well, at least we got rid of the SuperAntiVirus pop-up at start-up. I have to assume that whatever is changing the DNS from auto to a specific number is our problem. How long does it normally take for a staff member to comment, as no staff has commented on my "access internet" thread yet?
Here is all I get from Earthlink Protection... and I guess I will ask them today how to find the path.

#68 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
Don

I have a sneaky feeling that no one wants to have a crack at this one, so it's just you and me.

The report from Earthlink Security is about as much use as a chocolate teapot. I am pretty sure that any real threat from those infections would show up on either HJT (especially BHOs and Bolger), AVGas or SUPERAntispyware. It is possible that they are benign registry orphans, so fixing them will do nothing at all.

I'll wait to see if the Earthlink bods can be more precise with their scare tactics.

Meanwhile, there is a very good registry cleaner in TuneUp, and we get a 30-day free trial. Perhaps you can grab this today at work and try it out later on. Here are the instructions although it is pretty easy to follow.

Click start then run, type prefetch then press enter, click edit then select all, (all files will highlight), right click any file, click delete, confirm

Click start then all programmes, accessories, system tools to run disc clean up

Reboot

Click start then all programmes, accessories, system tools to run defragmenter

Download, install and run Tune Up 2006 Trial. It is a 30-day free trial.

Run Tune Up disc clean up

Run Tune Up registry clean up

Disable your anti virus programme then click Optimize and Improve to run Reg Defrag, the screen will lose colour during the process which can take a few minutes and then needs a reboot

Check the anti virus programme is running after the reboot.

Those will have cleared the drive of obsolete software errors.

These are suggestions for making the most of the free trial:

Click optimize and improve then system optimizer to optimize the computer, select computer with an internet connection from the drop down menu, this also requires a reboot

After the reboot, click optimize then system optimizer to accelerate downloads, select the speed just above your actual connection speed, this requires a reboot.

After the reboot, click optimize then system optimizer to run system advisor

Finally, please delete your copy of ComboFix. We had a note from the author explaining that a certain RootKit infection is conflicting with the tool and causing problems with the PC afterwards, so he has withdrawn it for a while until he can do a workaround.

#69 Don Stewart (Member, Topic Starter, 239 posts)
Phil,

When I click on the link Tune Up 2006 Trial, all I get is this: TuneUp Utilities 2007. Is that what you want me to download?

Besides where we can find these errors, what else should I ask these Earthlink geeks? Should I mention the concern about DNS?

PS: I loaded Mozilla; is it OK to have both on my PC, and do I need to let Earthlink know that also?

PPS: I defrag all the time when I do my weekly virus screen.

#70 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
On the page you see, click the download of TuneUp 2007, I'll change the year on my canned. Don't bother with a defrag, but do use the TuneUp registry scanner which removes orphans and even defrags it for you.

Yes, OK to use Firefox as well. You can choose which to make default, and no need to tell anyone of your choice.

I think you should ask the Earthlink bods if they are aware of many false positives from their security suite (it's actually Authentium in a different guise) and if they believe that their security software can find stuff that the world's best antimalware scanner does not. Can they explain how one checks the validity of their security alerts with evidence in the form of a path to the suspicion? Yes, please mention the DNS/IP problem.

#71 Don Stewart (Member, Topic Starter, 239 posts)
Will do all of the above and report back.....thx again.

So how many hours difference is there between you and the US West coast?

#72 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
West coast is 8 hours, and about 10°C too. :whistling:

#73 Don Stewart (Member, Topic Starter, 239 posts)
Phil,

Seems that we were both wrong about the IP address 207.69.188.185.
Here is what I found, and that would make sense of why it gets changed!

Can't get attachment to attach, so here is a cut and paste:

207.69.188.185
Record Type: IP Address


OrgName: EarthLink, Inc.
OrgID: ERMS
Address: 1375 PEACHTREE ST, LEVEL A
City: ATLANTA
StateProv: GA
PostalCode: 30309
Country: US

NetRange: 207.69.0.0 - 207.69.255.255
CIDR: 207.69.0.0/16
NetName: EARTHLINK2000-D
NetHandle: NET-207-69-0-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Allocation
NameServer: ITCHY.MINDSPRING.NET
NameServer: SCRATCHY.MINDSPRING.NET
Comment:
RegDate: 1998-10-20
Updated: 2005-03-02

RTechHandle: DAE4-ARIN
RTechName: Domain Administrator, Administrator
RTechPhone: +1-404-815-0770
RTechEmail: [email protected]

OrgAbuseHandle: ABUSE60-ARIN
OrgAbuseName: ABUSE TEAM
OrgAbusePhone: +1-404-815-0770
OrgAbuseEmail: [email protected]

OrgTechHandle: ELNK-ORG-ARIN
OrgTechName: EarthLink, Inc.
OrgTechPhone: +1-404-815-0770
OrgTechEmail: [email protected]

So this is good or OK that it changes the Protocol automatically?

Edited by Don Stewart, 15 February 2007 - 11:03 AM.


#74 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
I have just used DNS lookup and asked WHOIS, and got this:

OrgName: Computational Logic, Inc.
OrgID: COMPUT-1

Address: 1717 West 6th Street, Suite 290
City: Austin
StateProv: TX
PostalCode: 78703
Country: US

ASNumber: 207
ASName: CLI-GW-AS
ASHandle: AS207
Comment:
RegDate: 1988-06-22
Updated: 1991-01-10

RTechHandle: WAH11-ARIN
RTechName: Hunt, Warren A.
RTechPhone: +1-512-322-9951
RTechEmail: ****@cli.com

# ARIN WHOIS database, last updated 2007-02-02 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Then using the same IP address, and asking LOOK UP, I get this:


IP address: 207.69.188.185
Reverse DNS: ns1.mindspring.com.
Reverse DNS authenticity: [Verified]
ASN: 4355
ASN Name: ERMS-EARTHLNK
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 207.64.0.0 to 207.79.255.255
Country fraud profile: Normal
City (per outside source): Pasadena, California
Country (per outside source): US [United States]
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
Link for WHOIS: 207.69.188.185

So presumably one is right and one is wrong.
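The two records pasted in the last two posts describe different objects: the record in post #73 carries a NetRange and CIDR for the 207.69.0.0/16 block, while the first record in post #74 carries ASNumber/ASHandle fields (AS207) and no address range at all, so it describes an autonomous system rather than an address block. As an added example, written for this page and not taken from either poster or from ARIN, the Python below parses both pasted records (trimmed to the fields used), tells the two record kinds apart, checks whether 207.69.188.185 lies inside the block the IP record claims, and shows how a bare "207" would be read as an AS number rather than an address. The `record_kind` and `classify_query` heuristics are this example's own assumptions, not registry behaviour guaranteed by ARIN.

```python
import ipaddress
import re
from typing import Dict

# Constructed samples: the two ARIN records pasted in this thread, trimmed to
# the fields used here. The first is the IP-block record from post #73; the
# second is the first record in post #74, an AS record (ASHandle AS207).
ARIN_IP_RECORD = """\
OrgName: EarthLink, Inc.
OrgID: ERMS
NetRange: 207.69.0.0 - 207.69.255.255
CIDR: 207.69.0.0/16
NetName: EARTHLINK2000-D
NetHandle: NET-207-69-0-0-1
NetType: Direct Allocation
"""

ARIN_AS_RECORD = """\
OrgName: Computational Logic, Inc.
OrgID: COMPUT-1
ASNumber: 207
ASName: CLI-GW-AS
ASHandle: AS207
# ARIN WHOIS database, last updated 2007-02-02 19:10
"""


def parse_whois(text: str) -> Dict[str, str]:
    """Parse 'Key: Value' lines into a dict, skipping blanks and # comments."""
    rec: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def record_kind(rec: Dict[str, str]) -> str:
    """Tell an IP-block (network) record from an Autonomous System record."""
    if "CIDR" in rec or "NetRange" in rec:
        return "ip-block"
    if "ASNumber" in rec or "ASHandle" in rec:
        return "asn"
    return "unknown"


def classify_query(query: str) -> str:
    """What a lookup tool would take the query for: an address, an AS number, or other."""
    try:
        ipaddress.ip_address(query)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"(?:AS)?\d+", query, re.IGNORECASE):
        return "asn"       # a bare number such as "207" is read as AS207
    return "other"


def ip_in_record(ip: str, rec: Dict[str, str]) -> bool:
    """True only if the record is an IP block and the address lies inside it."""
    addr = ipaddress.ip_address(ip)
    if "CIDR" in rec:
        return any(addr in ipaddress.ip_network(c.strip(), strict=False)
                   for c in rec["CIDR"].split(","))
    if "NetRange" in rec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rec["NetRange"].split("-"))
        return lo <= addr <= hi
    return False           # an AS record has no address range to test against


def ip_in_range(ip: str, range_text: str) -> bool:
    """Check an address against an 'a.b.c.d to w.x.y.z' or 'a.b.c.d - w.x.y.z' range."""
    lo, hi = (ipaddress.ip_address(p.strip())
              for p in re.split(r"\s+(?:to|-)\s+", range_text.strip()))
    return lo <= ipaddress.ip_address(ip) <= hi


if __name__ == "__main__":
    ip = "207.69.188.185"
    for label, text in (("post #73", ARIN_IP_RECORD), ("post #74", ARIN_AS_RECORD)):
        rec = parse_whois(text)
        print(label, record_kind(rec), rec["OrgName"], "contains", ip, "->", ip_in_record(ip, rec))
    print("a query of '207' is taken as:", classify_query("207"))
```

Checking the address against the NetRange of the record actually returned is the step that settles which lookup answered the question asked; the second lookup in post #74 (reverse DNS ns1.mindspring.com, ASN 4355 ERMS-EARTHLNK, country range 207.64.0.0 to 207.79.255.255) is consistent with the EarthLink block record, and `ip_in_range` checks that country range the same way.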

#75 Don Stewart (Member, Topic Starter, 239 posts)
I'll verify with Earthlink bods if it is theirs and if it is normal to have it automatically update the Protocol.