Home Search Assistant help
I guess this is directed to Dexter more than anyone else, since I followed his guide.
First off: I followed your guide to remove this HSA. Ingenious work of a hijacking program, my god. (Hats off to you for the guide; I had been trying to remove it with no help previously.)
Problem: After following the guide, the HSA no longer appears when I open IE, but I ran HJT to see if it was all gone, and it wasn't. I repeated your guide again and it still shows in the HJT log, so either some of the program is still working, or I missed something.
My current HJT log and active services (from the script in post 2 of your guide):
HJT LOG:
Logfile of HijackThis v1.98.2
Scan saved at 5:13:35 AM, on 8/23/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTouch\iTouch.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HIJACKTHISABOUT\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\pqzup.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\pqzup.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\cu0u7r45.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\cu0u7r45.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {317116EF-853C-9261-FA5B-DC8BBEB4EFE2} - C:\WINNT\javadd.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8742.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd/downloads/iaieplay.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodate/bin/1,0,0,7/McUpdatePortal.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4292/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
**************************************
Active Services:
These are the Current Active Services:
Application Layer Gateway Service: ALG
C:\WINNT\System32\alg.exe
Windows Audio: AudioSrv
C:\WINNT\System32\svchost.exe -k netsvcs
Cryptographic Services: CryptSvc
C:\WINNT\system32\svchost.exe -k netsvcs
DHCP Client: Dhcp
C:\WINNT\System32\svchost.exe -k netsvcs
Error Reporting Service: ERSvc
C:\WINNT\System32\svchost.exe -k netsvcs
COM+ Event System: EventSystem
C:\WINNT\System32\svchost.exe -k netsvcs
Fast User Switching Compatibility: FastUserSwitchingCompatibility
C:\WINNT\System32\svchost.exe -k netsvcs
Help and Support: helpsvc
C:\WINNT\System32\svchost.exe -k netsvcs
Server: lanmanserver
C:\WINNT\System32\svchost.exe -k netsvcs
Network Connections: Netman
C:\WINNT\System32\svchost.exe -k netsvcs
Network Location Awareness (NLA): Nla
C:\WINNT\System32\svchost.exe -k netsvcs
Remote Access Auto Connection Manager: RasAuto
C:\WINNT\System32\svchost.exe -k netsvcs
Remote Access Connection Manager: RasMan
C:\WINNT\System32\svchost.exe -k netsvcs
Task Scheduler: Schedule
C:\WINNT\System32\svchost.exe -k netsvcs
Secondary Logon: seclogon
C:\WINNT\System32\svchost.exe -k netsvcs
System Event Notification: SENS
C:\WINNT\system32\svchost.exe -k netsvcs
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): SharedAccess
C:\WINNT\System32\svchost.exe -k netsvcs
Shell Hardware Detection: ShellHWDetection
C:\WINNT\System32\svchost.exe -k netsvcs
Telephony: TapiSrv
C:\WINNT\System32\svchost.exe -k netsvcs
Terminal Services: TermService
C:\WINNT\System32\svchost.exe -k netsvcs
Themes: Themes
C:\WINNT\System32\svchost.exe -k netsvcs
Distributed Link Tracking Client: TrkWks
C:\WINNT\system32\svchost.exe -k netsvcs
Upload Manager: uploadmgr
C:\WINNT\System32\svchost.exe -k netsvcs
Windows Time: W32Time
C:\WINNT\System32\svchost.exe -k netsvcs
Windows Management Instrumentation: winmgmt
C:\WINNT\system32\svchost.exe -k netsvcs
Automatic Updates: wuauserv
C:\WINNT\system32\svchost.exe -k netsvcs
Wireless Zero Configuration: WZCSVC
C:\WINNT\System32\svchost.exe -k netsvcs
AVG7 Alert Manager Server: Avg7Alrt
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
AVG7 Update Service: Avg7UpdSvc
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
DNS Client: Dnscache
C:\WINNT\System32\svchost.exe -k NetworkService
Event Log: Eventlog
C:\WINNT\system32\services.exe
Plug and Play: PlugPlay
C:\WINNT\system32\services.exe
TCP/IP NetBIOS Helper: LmHosts
C:\WINNT\System32\svchost.exe -k LocalService
SSDP Discovery Service: SSDPSRV
C:\WINNT\System32\svchost.exe -k LocalService
Universal Plug and Play Device Host: upnphost
C:\WINNT\System32\svchost.exe -k LocalService
WebClient: WebClient
C:\WINNT\System32\svchost.exe -k LocalService
Intel(R) NMS: NMSSvc
C:\WINNT\System32\NMSSvc.exe
NVIDIA Driver Helper Service: NVSvc
C:\WINNT\System32\nvsvc32.exe
IPSEC Services: PolicyAgent
C:\WINNT\System32\lsass.exe
Protected Storage: ProtectedStorage
C:\WINNT\system32\lsass.exe
Security Accounts Manager: SamSs
C:\WINNT\system32\lsass.exe
PrismXL: PrismXL
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
Remote Procedure Call (RPC): RpcSs
C:\WINNT\system32\svchost -k rpcss
Print Spooler: Spooler
C:\WINNT\system32\spoolsv.exe
Windows Image Acquisition (WIA): stisvc
C:\WINNT\System32\svchost.exe -k imgsvc
***************************************************
If you notice anything fishy, or have any advice to help kill this for good, I guess that is what I'm asking for (or if I have another devil of a program in there somewhere; my PC's performance seems to be degrading daily). I hope I've made this easy to read for you since it's so big. No serious rush to get back to me; you've already helped me a lot so far. Good luck, -Ataxia
This discussion has been closed.
Comments
First, click the link in my sig to our security downloads page, and download LSP Fix. Put it in the same folder as your HJT program.
Refer to this thread: http://www.short-media.com/forum/showthread.php?t=14915 for instructions on how to disable System Restore, show hidden files and quarantine items.
Disable System Restore, and set your system to show hidden files and folders.
Hard boot to Safe Mode. Run HJT. FIX:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\pqzup.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\pqzup.dll/sp.html#10213
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {317116EF-853C-9261-FA5B-DC8BBEB4EFE2} - C:\WINNT\javadd.dll (file missing)
(This was probably your HSA BHO, but it has been quarantined, right?)
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8742.dll' missing
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
Stay in safe mode and run LSP Fix to fix the O10 item in your log.
Then, stay in safe mode and quarantine the exe and dll files listed in these entries.
Hard reboot, check things out, and let us know. Post a fresh log for review.
Dexter...
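A way to mechanically pick out the same kinds of entries Dexter ticked for fixing above. This is an added example written for this page, not part of the thread, of Dexter's guide, or of HijackThis itself. The sample lines are copied from the log posted above and embedded as constructed input so the script runs offline; the rules and the short "known unwanted" list (KHost.exe, Kontiki) are assumptions drawn from the reply, not an authoritative malware list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\pqzup.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {317116EF-853C-9261-FA5B-DC8BBEB4EFE2} - C:\WINNT\javadd.dll (file missing)
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8742.dll' missing
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
"""

# Assumption: names Dexter told the poster to fix in the reply above, treated here as unwanted.
KNOWN_UNWANTED = ("khost.exe", "kontiki")

# Every HJT entry starts with a section code (R1, O2, O16, ...), a dash, then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[RNOF]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    entry: str   # the raw log line
    reason: str  # why it is worth ticking for "Fix"


def classify(kind: str, body: str) -> Optional[str]:
    """Return a reason string if this entry looks like hijack residue, else None."""
    low = body.lower()
    if kind in ("R0", "R1") and "res://" in low and ".dll" in low:
        # IE start/search page served out of a DLL resource: the classic search hijack.
        return "IE start/search setting points at a DLL resource (search-page hijack)"
    if kind == "R3" and "urlsearchhook is missing" in low:
        return "default URLSearchHook removed; let HJT restore it"
    if kind == "O2" and ("(no name)" in low or "(file missing)" in low):
        return "orphaned or nameless BHO registration"
    if kind == "O10" and "broken internet access" in low:
        return "Winsock LSP chain broken; repair with LSP-Fix, do not delete by hand"
    if kind == "O16" and "file://" in low:
        return "ActiveX (DPF) registered from a local file instead of a remote CAB"
    if kind in ("O4", "O8") and any(name in low for name in KNOWN_UNWANTED):
        return "startup or context-menu item for software flagged in the reply above"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk an HJT log and collect the entries that deserve a 'Fix' tick."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        reason = classify(m.group("kind"), m.group("body"))
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"FIX  {f.entry}\n     -> {f.reason}")
```

On the sample above the script flags seven entries, the same ones listed in the reply, and leaves the Acrobat BHO, the AVG startup item and the remote HouseCall CAB alone. The O10 rule deliberately only reports: a broken LSP chain is repaired with LSP Fix, as the reply says, not by deleting the entry.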
Network Security Service: I disabled this before I found your guide, as it looked fishy to me.
Workstation Netlogon Service: I didn't see this exact name; I found a service named Workstation, so I disabled that.
RPC helper: I didn't see this service, but I saw RPC and RPC Locator. I couldn't disable RPC, but I did disable RPC Locator. I'll go ahead and follow your instructions now and post my results when I'm finished. Thanks and good luck :P
-Ataxia
Dexter...
HJT LOG:
Logfile of HijackThis v1.98.2
Scan saved at 6:36:43 AM, on 8/26/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTouch\iTouch.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Security\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd/downloads/iaieplay.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodate/bin/1,0,0,7/McUpdatePortal.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4292/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
************************
Active services:
These are the Current Active Services:
Application Layer Gateway Service: ALG
C:\WINNT\System32\alg.exe
Windows Audio: AudioSrv
C:\WINNT\System32\svchost.exe -k netsvcs
Computer Browser: Browser
C:\WINNT\System32\svchost.exe -k netsvcs
Cryptographic Services: CryptSvc
C:\WINNT\system32\svchost.exe -k netsvcs
DHCP Client: Dhcp
C:\WINNT\System32\svchost.exe -k netsvcs
Error Reporting Service: ERSvc
C:\WINNT\System32\svchost.exe -k netsvcs
COM+ Event System: EventSystem
C:\WINNT\System32\svchost.exe -k netsvcs
Fast User Switching Compatibility: FastUserSwitchingCompatibility
C:\WINNT\System32\svchost.exe -k netsvcs
Help and Support: helpsvc
C:\WINNT\System32\svchost.exe -k netsvcs
Server: lanmanserver
C:\WINNT\System32\svchost.exe -k netsvcs
Workstation: lanmanworkstation
C:\WINNT\System32\svchost.exe -k netsvcs
Network Connections: Netman
C:\WINNT\System32\svchost.exe -k netsvcs
Network Location Awareness (NLA): Nla
C:\WINNT\System32\svchost.exe -k netsvcs
Remote Access Auto Connection Manager: RasAuto
C:\WINNT\System32\svchost.exe -k netsvcs
Remote Access Connection Manager: RasMan
C:\WINNT\System32\svchost.exe -k netsvcs
Task Scheduler: Schedule
C:\WINNT\System32\svchost.exe -k netsvcs
Secondary Logon: seclogon
C:\WINNT\System32\svchost.exe -k netsvcs
System Event Notification: SENS
C:\WINNT\system32\svchost.exe -k netsvcs
Windows Firewall/Internet Connection Sharing (ICS): SharedAccess
C:\WINNT\System32\svchost.exe -k netsvcs
Shell Hardware Detection: ShellHWDetection
C:\WINNT\System32\svchost.exe -k netsvcs
Telephony: TapiSrv
C:\WINNT\System32\svchost.exe -k netsvcs
Themes: Themes
C:\WINNT\System32\svchost.exe -k netsvcs
Distributed Link Tracking Client: TrkWks
C:\WINNT\system32\svchost.exe -k netsvcs
Windows Time: W32Time
C:\WINNT\System32\svchost.exe -k netsvcs
Windows Management Instrumentation: winmgmt
C:\WINNT\system32\svchost.exe -k netsvcs
Security Center: wscsvc
C:\WINNT\System32\svchost.exe -k netsvcs
Automatic Updates: wuauserv
C:\WINNT\system32\svchost.exe -k netsvcs
Wireless Zero Configuration: WZCSVC
C:\WINNT\System32\svchost.exe -k netsvcs
Symantec Event Manager: ccEvtMgr
"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
Symantec Settings Manager: ccSetMgr
"C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
DCOM Server Process Launcher: DcomLaunch
C:\WINNT\system32\svchost -k DcomLaunch
Terminal Services: TermService
C:\WINNT\System32\svchost -k DComLaunch
Symantec AntiVirus Definition Watcher: DefWatch
"C:\Program Files\Symantec AntiVirus\DefWatch.exe"
DNS Client: Dnscache
C:\WINNT\System32\svchost.exe -k NetworkService
Event Log: Eventlog
C:\WINNT\system32\services.exe
Plug and Play: PlugPlay
C:\WINNT\system32\services.exe
HTTP SSL: HTTPFilter
C:\WINNT\System32\svchost.exe -k HTTPFilter
TCP/IP NetBIOS Helper: LmHosts
C:\WINNT\System32\svchost.exe -k LocalService
SSDP Discovery Service: SSDPSRV
C:\WINNT\System32\svchost.exe -k LocalService
Universal Plug and Play Device Host: upnphost
C:\WINNT\System32\svchost.exe -k LocalService
WebClient: WebClient
C:\WINNT\System32\svchost.exe -k LocalService
NVIDIA Display Driver Service: NVSvc
C:\WINNT\system32\nvsvc32.exe
IPSEC Services: PolicyAgent
C:\WINNT\System32\lsass.exe
Protected Storage: ProtectedStorage
C:\WINNT\system32\lsass.exe
Security Accounts Manager: SamSs
C:\WINNT\system32\lsass.exe
PrismXL: PrismXL
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
Remote Procedure Call (RPC) Locator: RpcLocator
C:\WINNT\System32\locator.exe
Remote Procedure Call (RPC): RpcSs
C:\WINNT\system32\svchost -k rpcss
Sygate Personal Firewall: SmcService
C:\Program Files\Sygate\SPF\smc.exe
Print Spooler: Spooler
C:\WINNT\system32\spoolsv.exe
Windows Image Acquisition (WIA): stisvc
C:\WINNT\System32\svchost.exe -k imgsvc
Symantec AntiVirus: Symantec AntiVirus
"C:\Program Files\Symantec AntiVirus\Rtvscan.exe"
*******************************
OK, so there it is ^^. See what you can make of it. I noticed the top R1s went away; they weren't when I ran HJT in Safe Mode, so I said, ahh, hell with it, and ran it in Normal Mode, and to my surprise it worked! They didn't come back anymore, so I was really happy, hehe. Good luck, lol, and of course, thank you sooooo much.
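A small triage helper, added here as an example and not part of the original post or of the guide's own script: it parses the two blocks pasted above, the HijackThis O16 lines (DPF, the Downloaded Program Files ActiveX controls) and the "Active services" listing, and raises the checks a reviewer applies by eye. For O16 it records the CLSID, the control name and the download host, and flags controls pulled over plain http, direct .exe/.dll downloads and entries with no CLSID; for services it extracts the svchost group and flags an unquoted image path containing spaces (the SCM resolves such a path left to right, so a writable "C:\Program.exe" would win) and binaries living outside the Windows directory, which are worth a vendor check rather than automatic deletion. The sample text is a constructed excerpt copied from the lines above so the script runs offline; the flag wording and the `triage` function are assumptions of this example, not HijackThis output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: lines copied from the O16 section and the
# "Active services" listing above so the parser can run offline.
SAMPLE = r"""
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
************************
Active services:
These are the Current Active Services:
DNS Client: Dnscache
C:\WINNT\System32\svchost.exe -k NetworkService
Symantec Event Manager: ccEvtMgr
"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
PrismXL: PrismXL
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
Print Spooler: Spooler
C:\WINNT\system32\spoolsv.exe
"""

CLSID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
NAME_RE = re.compile(r"\(([^)]*)\)")
SERVICE_HDR = "These are the Current Active Services:"


@dataclass
class DpfEntry:
    clsid: Optional[str]
    name: Optional[str]
    url: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""

    def flags(self) -> List[str]:
        out = []
        scheme = urlparse(self.url).scheme.lower()
        if scheme != "https":
            out.append("fetched over plain " + scheme)
        if self.url.lower().endswith((".exe", ".dll")):
            out.append("direct executable download rather than a CAB package")
        if self.clsid is None:
            out.append("no CLSID recorded for this control")
        return out


def parse_o16(line: str) -> Optional[DpfEntry]:
    """Handle the three O16 shapes: '{CLSID} (Name) - url', '{CLSID} - url', 'Name - url'."""
    prefix = "O16 - DPF: "
    if not line.startswith(prefix) or " - " not in line[len(prefix):]:
        return None
    body, url = line[len(prefix):].rsplit(" - ", 1)
    m = CLSID_RE.search(body)
    clsid = m.group(1).upper() if m else None
    n = NAME_RE.search(body)
    name = n.group(1) if n else (body.strip() if clsid is None else None)
    return DpfEntry(clsid, name, url.strip())


@dataclass
class ServiceEntry:
    display: str
    short: str
    image: str

    @property
    def svchost_group(self) -> Optional[str]:
        m = re.search(r"svchost(?:\.exe)?\s+-k\s+(\S+)", self.image, re.I)
        return m.group(1) if m else None

    @property
    def exe_path(self) -> str:
        img = self.image.strip()
        if img.startswith('"'):
            return img[1:img.find('"', 1)]
        return re.split(r"\s+-k\s", img, maxsplit=1)[0]  # drop the svchost group argument

    def flags(self) -> List[str]:
        out = []
        if " " in self.exe_path and not self.image.strip().startswith('"'):
            out.append("unquoted image path containing spaces")
        if not self.exe_path.lower().startswith(("c:\\winnt\\", "c:\\windows\\")):
            out.append("binary outside the Windows directory: confirm the vendor")
        return out


def parse_services(text: str) -> List[ServiceEntry]:
    """The listing is pairs of lines: 'Display name: ShortName' then the image path."""
    lines = [l.rstrip() for l in text.splitlines()]
    if SERVICE_HDR not in lines:
        return []
    out, i = [], lines.index(SERVICE_HDR) + 1
    while i + 1 < len(lines):
        head, image = lines[i], lines[i + 1]
        if not head or head.startswith("*") or ": " not in head:
            break
        display, short = head.rsplit(": ", 1)
        out.append(ServiceEntry(display, short, image))
        i += 2
    return out


def triage(text: str) -> Tuple[List[DpfEntry], List[ServiceEntry]]:
    dpf = [e for e in (parse_o16(l.strip()) for l in text.splitlines()) if e]
    return dpf, parse_services(text)


if __name__ == "__main__":
    dpf, svcs = triage(SAMPLE)
    for e in dpf:
        print(f"O16 {e.clsid or '-'} {e.name or '-'} @ {e.host}: {'; '.join(e.flags()) or 'ok'}")
    for s in svcs:
        grp = f" (svchost -k {s.svchost_group})" if s.svchost_group else ""
        print(f"SVC {s.short}{grp} -> {s.exe_path}: {'; '.join(s.flags()) or 'ok'}")
```

Run it against a full log by reading the file into `triage()` instead of `SAMPLE`. The flags are prompts for a human reviewer, not verdicts: a legitimate third-party service will trip the "outside the Windows directory" check, and a known-good control served over http is still worth removing from Downloaded Program Files only if it is no longer needed.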
Please read the articles listed at the end of the guide to learn how to stay spyware free. And please click the links in my signature to find out about our involvement in the very worthwhile Folding For a Cure project!
Dexter...