I've tried HSA removal several times, but no luck
I've printed and read the Home Search Asst removal process several times. I've gone through the steps several times. Most everything seems to be working but the Buster. It does not scan. Even when I remove entries in safe mode, hard boot, the entries are back. Here's my HJT:
Logfile of HijackThis v1.97.7
Scan saved at 3:22:26 PM, on 8/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
C:\Program Files\Norton CleanSweep\QDCSFS.EXE
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
C:\WINDOWS\sdkdj32.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Pocket Real Estate\App\HndSync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\sdkut.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tooos.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tooos.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {A7380E2D-065F-36BF-ACBE-56A6484317E0} - C:\WINDOWS\system32\sysok32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Update Completion 0] "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeUpdateHelper.exe" -destfullpath "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeEssentials.qtx" -sourcefullpath "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeEssentials.qtx.new00" -atboottime "QuickTime Update Completion 0"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton CleanSweep\QDCSFS.EXE /startup
O4 - HKLM\..\Run: [ePrint 3.0 Service] C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [sdkdj32.exe] C:\WINDOWS\sdkdj32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Lightning 2000 Call Scheduler.lnk = C:\Iris\L2000\CallSch.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Sync Data.lnk = C:\Pocket Real Estate\App\HndSync.exe
O4 - Global Startup: Sync Data for Palm OS.lnk = C:\Pocket Real Estate\App\HNDsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.printatwolf.com/upload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F7D5DD-F7BD-472F-BB8D-CB84F405EE40}: NameServer = 64.81.159.2,216.231.41.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{E030D387-269C-483D-8FB9-C5BE0767CD51}: NameServer = 64.81.159.2,216.231.41.0
O17 - HKLM\System\CS1\Services\Tcpip\..\{57F7D5DD-F7BD-472F-BB8D-CB84F405EE40}: NameServer = 64.81.159.2,216.231.41.2
I think I've gotten close. But maybe haven't removed all.
Comments
For starters, you posted your log in the wrong forum, so I moved it here
Some people seem to be having problems with about:buster....I'm not sure why that is (although starting to wonder if the HSA infection is not blocking it somehow......)
No worries, we can do this without About:buster. Just skip that step entirely.
Did you locate and disable one of the fake services as described in Step 4? Which one was it?
To be certain, please see post #2 of the guide to generate an active services log, and post that here for us to review.
Assuming you have not soft-rebooted and the names have not changed, the items you want to fix in HJT and quarantine manually are:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tooos.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tooos.dll/sp.html#96676
O2 - BHO: (no name) - {A7380E2D-065F-36BF-ACBE-56A6484317E0} - C:\WINDOWS\system32\sysok32.dll
O4 - HKLM\..\Run: [sdkdj32.exe] C:\WINDOWS\sdkdj32.exe
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
Re-do the guide with those file names in mind, skip about:buster, and let me know about the fake service on your computer.
Dexter...
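The fix list above was written by hand from one scan, and the thread shows why that keeps going stale: the res:// search hijack points into a DLL whose name changes between scans (tooos.dll, rcrda.dll, xsvpe.dll, ddqjd.dll) while the resource path inside it (sp.html#96676) does not. The script below is an added example, not code from the thread or from the removal guide it refers to. It parses HJT log lines and flags the structural indicators rather than specific file names: an R0/R1 value of the form res://<dll>/..., a BHO with "(no name)", a Run entry or running process sitting directly in the Windows directory, and a running process that is not an .exe. The indicator rules are this example's own heuristics, the explorer.exe allow-list is an assumption, and the two sample scans are constructed from lines quoted in the posts above.

```python
"""Triage HijackThis (HJT) log lines for the about:blank / Home Search
Assistant pattern discussed in this thread.  Added example; the rules are
heuristics written for this page, not part of any removal guide."""
import re
from typing import Dict, List, Set

# Constructed samples: a few lines from two scans taken days apart.  The
# hijack DLL name differs, the resource path after it does not.
SCAN_A = r"""
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sdkdj32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tooos.dll/sp.html#96676
O2 - BHO: (no name) - {A7380E2D-065F-36BF-ACBE-56A6484317E0} - C:\WINDOWS\system32\sysok32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [sdkdj32.exe] C:\WINDOWS\sdkdj32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
"""

SCAN_B = r"""
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\llbaix.dat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddqjd.dll/sp.html#96676
O2 - BHO: (no name) - {D32FD27A-ECDB-EE56-1C5D-D4FA210397CB} - C:\WINDOWS\ntfi32.dll
O4 - HKLM\..\Run: [sdkdj32.exe] C:\WINDOWS\sdkdj32.exe
"""

# res://<dll>/<resource>: group 1 is the DLL path, group 2 the resource path.
RES_DLL = re.compile(r"res://([^/\s]+\.dll)/(\S+)", re.IGNORECASE)
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]{36}\} - (?P<path>.+)$", re.IGNORECASE)
# Unquoted paths with spaces are not handled; HJT quotes those in practice.
RUN = re.compile(r"^O4 - .*?\\Run: \[[^\]]*\] (?P<path>\S+)", re.IGNORECASE)
PROCESS = re.compile(r"^[A-Z]:\\", re.IGNORECASE)
WINDIR_ROOT = re.compile(r"^C:\\WINDOWS\\[^\\]+$", re.IGNORECASE)
# Assumed allow-list: legitimate binaries that do live in the Windows root.
KNOWN_WINDIR_ROOT = {"explorer.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _add(bucket: List[str], item: str) -> None:
    if item not in bucket:  # the same loader shows up as a process and a Run key
        bucket.append(item)


def triage(log: str) -> Dict[str, List[str]]:
    """Return the suspicious items in an HJT log, grouped by indicator."""
    hits: Dict[str, List[str]] = {
        "search_hijack": [], "nameless_bho": [], "windir_root": [], "non_exe_process": [],
    }
    for line in (l.strip() for l in log.splitlines()):
        if not line:
            continue
        if line[:2] in ("R0", "R1"):
            m = RES_DLL.search(line)
            if m:
                _add(hits["search_hijack"], m.group(1))
        elif (m := BHO.match(line)):
            if m.group("name").lower() == "(no name)":
                _add(hits["nameless_bho"], m.group("path"))
        elif (m := RUN.match(line)):
            path = m.group("path").strip('"')
            if WINDIR_ROOT.match(path) and _basename(path) not in KNOWN_WINDIR_ROOT:
                _add(hits["windir_root"], path)
        elif PROCESS.match(line):  # "Running processes:" section
            if not _basename(line).endswith(".exe"):
                _add(hits["non_exe_process"], line)
            elif WINDIR_ROOT.match(line) and _basename(line) not in KNOWN_WINDIR_ROOT:
                _add(hits["windir_root"], line)
    return hits


def resource_anchors(log: str) -> Set[str]:
    """The part of the res:// URL after the DLL; stable across renames."""
    return {m.group(2) for m in RES_DLL.finditer(log)}


def rotated_dlls(log_a: str, log_b: str) -> Dict[str, Set[str]]:
    """Compare the hijack DLLs named in two scans of the same machine."""
    a = set(triage(log_a)["search_hijack"])
    b = set(triage(log_b)["search_hijack"])
    return {"only_a": a - b, "only_b": b - a, "both": a & b}


if __name__ == "__main__":
    for label, scan in (("scan A", SCAN_A), ("scan B", SCAN_B)):
        print(label, triage(scan), resource_anchors(scan))
    print(rotated_dlls(SCAN_A, SCAN_B))
```

Run it against a full saved log and the "windir_root" and "nameless_bho" buckets are the items to fix in HJT and quarantine; the "search_hijack" bucket tells you which DLL is current at the moment of that scan, which is why the fix has to be done from a scan taken in the same boot session and not from a list copied out of an earlier post.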
Thanks,
Step 4 of the removal guide that I have is simply "hard boot your computer". Do I have an old removal guide? Step 6 refers to services, and I have not had those when searched for. Also, when I regedit, I never have the keys you list. I assumed that meant they've been deleted already. Please send a link to the new removal guide if there is one.
Thanks again.
Dexter...
I run Adware and S&D
#1 fine
#2 fine
#3 fine
#4 (used to be #6) Net Sec Ser is stopped, I don't have something called Workstation Netlogon (only one called "Workstation"), Rem Proc Call (no 'helper' on the end). What I do have seems to be stopped
#5 Hard boot and Safe mode works
>HJT step works, fixed check items
#8-10 skipped because Buster doesn't run
#11 I do not find those Reg keys...should I?
#12 Hard boot brings back the problem
What am I doing wrong?
Logfile of HijackThis v1.97.7
Scan saved at 12:13:36 PM, on 8/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Norton CleanSweep\QDCSFS.EXE
C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
C:\WINDOWS\sdkdj32.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\llbaix.dat
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Pocket Real Estate\App\HndSync.exe
C:\Pocket Real Estate\App\HNDsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rcrda.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rcrda.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02C0DCC5-3CE6-0398-0598-65E2B62B528F} - C:\WINDOWS\system32\msid32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Update Completion 0] "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeUpdateHelper.exe" -destfullpath "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeEssentials.qtx" -sourcefullpath "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeEssentials.qtx.new00" -atboottime "QuickTime Update Completion 0"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton CleanSweep\QDCSFS.EXE /startup
O4 - HKLM\..\Run: [ePrint 3.0 Service] C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [sdkdj32.exe] C:\WINDOWS\sdkdj32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Lightning 2000 Call Scheduler.lnk = C:\Iris\L2000\CallSch.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Sync Data.lnk = C:\Pocket Real Estate\App\HndSync.exe
O4 - Global Startup: Sync Data for Palm OS.lnk = C:\Pocket Real Estate\App\HNDsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.printatwolf.com/upload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F7D5DD-F7BD-472F-BB8D-CB84F405EE40}: NameServer = 64.81.159.2,216.231.41.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{E030D387-269C-483D-8FB9-C5BE0767CD51}: NameServer = 64.81.159.2,216.231.41.0
O17 - HKLM\System\CS1\Services\Tcpip\..\{57F7D5DD-F7BD-47
#4 - Please see Post # 2 in the removal guide, and post a log of your active services, or an HJT startuplist log, and we will double-check that you have stopped the service.
#11 - The guide says pretty clearly that you may not see these entries, they may be named differently, and we may not know all the names, but not to worry about it if you don't find it.
Do as Prime recommended to update your Hijack This version, and post a services list as per post #2 of the guide.
Dexter...
Logfile of HijackThis v1.98.2
Scan saved at 1:30:17 PM, on 8/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Norton CleanSweep\QDCSFS.EXE
C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
C:\WINDOWS\sdkdj32.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\llbaix.dat
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Pocket Real Estate\App\HndSync.exe
C:\Pocket Real Estate\App\HNDsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\ols\OLAgnt32.exe
C:\Program Files\Microsoft Office\Office\MSPUB.EXE
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\PROGRA~1\MICROS~1\OFFICE\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xsvpe.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xsvpe.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xsvpe.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xsvpe.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xsvpe.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xsvpe.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xsvpe.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02C0DCC5-3CE6-0398-0598-65E2B62B528F} - C:\WINDOWS\system32\msid32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D32FD27A-ECDB-EE56-1C5D-D4FA210397CB} - C:\WINDOWS\ntfi32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Update Completion 0] "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeUpdateHelper.exe" -destfullpath "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeEssentials.qtx" -sourcefullpath "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeEssentials.qtx.new00" -atboottime "QuickTime Update Completion 0"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton CleanSweep\QDCSFS.EXE /startup
O4 - HKLM\..\Run: [ePrint 3.0 Service] C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [sdkdj32.exe] C:\WINDOWS\sdkdj32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Lightning 2000 Call Scheduler.lnk = C:\Iris\L2000\CallSch.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Sync Data.lnk = C:\Pocket Real Estate\App\HndSync.exe
O4 - Global Startup: Sync Data for Palm OS.lnk = C:\Pocket Real Estate\App\HNDsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.printatwolf.com/upload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F7D5DD-F7BD-472F-BB8D-CB84F405EE40}: NameServer = 64.81.159.2,216.231.41.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{E030D387-269C-483D-8FB9-C5BE0767CD51}: NameServer = 64.81.159.2,216.231.41.0
O17 - HKLM\System\CS1\Services\Tcpip\..\{57F7D5DD-F7BD-472F-BB8D-CB84F405EE40}: NameServer = 64.81.159.2,216.231.41.2
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
I did download a current version of HJT. I appreciate your patience. I'm sorry to ask, but what is "Post #2"? Can you leave a link to Guide #2?
Here's the latest:
Logfile of HijackThis v1.98.2
Scan saved at 3:26:49 PM, on 8/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Norton CleanSweep\QDCSFS.EXE
C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
C:\WINDOWS\sdkdj32.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\llbaix.dat
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Pocket Real Estate\App\HndSync.exe
C:\Pocket Real Estate\App\HNDsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\ols\OLAgnt32.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\PROGRA~1\MICROS~1\OFFICE\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddqjd.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ddqjd.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ddqjd.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddqjd.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ddqjd.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ddqjd.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ddqjd.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D32FD27A-ECDB-EE56-1C5D-D4FA210397CB} - C:\WINDOWS\ntfi32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Update Completion 0] "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeUpdateHelper.exe" -destfullpath "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeEssentials.qtx" -sourcefullpath "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeEssentials.qtx.new00" -atboottime "QuickTime Update Completion 0"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton CleanSweep\QDCSFS.EXE /startup
O4 - HKLM\..\Run: [ePrint 3.0 Service] C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [sdkdj32.exe] C:\WINDOWS\sdkdj32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Lightning 2000 Call Scheduler.lnk = C:\Iris\L2000\CallSch.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Sync Data.lnk = C:\Pocket Real Estate\App\HndSync.exe
O4 - Global Startup: Sync Data for Palm OS.lnk = C:\Pocket Real Estate\App\HNDsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.printatwolf.com/upload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F7D5DD-F7BD-472F-BB8D-CB84F405EE40}: NameServer = 64.81.159.2,216.231.41.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{E030D387-269C-483D-8FB9-C5BE0767CD51}: NameServer = 64.81.159.2,216.231.41.0
O17 - HKLM\System\CS1\Services\Tcpip\..\{57F7D5DD-F7BD-472F-BB8D-CB84F405EE40}: NameServer = 64.81.159.2,216.231.41.2
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
Thanks to both.
http://www.short-media.com/forum/showthread.php?t=18846
And scroll down to the second message by me, it's titled:
"If you do not see one of the bogus services listed in Step 4 of this removal guide, please do the following:"
Or, you can just click here to see the single message on its own.
Dexter...
I think I'm getting closer. I did find WORKSTATION NETLOGON SERV and stopped it. I also found a folder, when searching for the reg keys, labeled with garbage, like... O.#z!!.... There was another key when searching for the LEGACY that also had a strange sequence as a name. Could that be the key to delete? None say NS_Service-3, but have the strange, garbage characters. Will I find all 3 services, or may only one be the case? If I deleted everything and it was still present on reboot, what could I be missing?
My current active services:
These are the Current Active Services:
Workstation NetLogon Service: O?’ŽrtñåȲ$Ó
C:\WINDOWS\llbaix.dat /s
Alerter: Alerter
C:\WINDOWS\System32\svchost.exe -k LocalService
TCP/IP NetBIOS Helper: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService
SSDP Discovery Service: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService
WebClient: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService
Application Layer Gateway Service: ALG
C:\WINDOWS\System32\alg.exe
Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Cryptographic Services: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
DHCP Client: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Error Reporting Service: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
COM+ Event System: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs
Help and Support: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Connections: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Location Awareness (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Connection Manager: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs
Task Scheduler: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs
Secondary Logon: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Event Notification: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): SharedAccess
C:\WINDOWS\System32\svchost.exe -k netsvcs
Shell Hardware Detection: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs
Telephony: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Terminal Services: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs
Themes: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs
Distributed Link Tracking Client: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs
Upload Manager: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Time: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Management Instrumentation: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs
Portable Media Serial Number: WmdmPmSp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Automatic Updates: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs
Wireless Zero Configuration: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs
Dcfssvc: Dcfssvc
C:\WINDOWS\system32\drivers\dcfssvc.exe
DNS Client: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService
EPrint III Service: EPrint III Service
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
Event Log: Eventlog
C:\WINDOWS\system32\services.exe
Plug and Play: PlugPlay
C:\WINDOWS\system32\services.exe
Norton AntiVirus Auto Protect Service: navapsvc
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
Norton Unerase Protection: NProtectService
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
Pml Driver HPZ12: Pml Driver HPZ12
C:\WINDOWS\System32\HPZipm12.exe
IPSEC Services: PolicyAgent
C:\WINDOWS\System32\lsass.exe
Protected Storage: ProtectedStorage
C:\WINDOWS\system32\lsass.exe
Security Accounts Manager: SamSs
C:\WINDOWS\system32\lsass.exe
Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss
Speed Disk service: Speed Disk service
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe
Windows Image Acquisition (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc
Workstation NetLogon Service: O?’ŽrtñåȲ$Ó
C:\WINDOWS\llbaix.dat /s
Please give me the names of the reg key folders you found. I have seen some other reg key names posted at other sites, but would like to confirm them before adding to the guide.
Dexter...
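Added example, not part of the thread: a small Python triage script over a service listing in the same two-lines-per-service format as the one posted above ("Display name: service name", then the command line). It flags the things a reviewer checks by eye when looking for a bogus service: a service name containing non-printable or non-ASCII characters, an image path with a non-.exe extension or sitting directly in C:\WINDOWS rather than a subdirectory, and a display name that borrows from a built-in service ("Workstation", "NetLogon") while the service name is not the real one. The sample listing is a constructed excerpt of the one above; the lookalike table is an assumption, not a complete list.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the two-lines-per-service format of the listing posted
# above ("Display name: service name", then the command line). Entries are
# taken from that listing, trimmed to a handful of representative services.
SAMPLE_LISTING = r"""
Workstation NetLogon Service: O?’ŽrtñåȲ$Ó
C:\WINDOWS\llbaix.dat /s
Alerter: Alerter
C:\WINDOWS\System32\svchost.exe -k LocalService
Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss
Norton AntiVirus Auto Protect Service: navapsvc
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): SharedAccess
C:\WINDOWS\System32\svchost.exe -k netsvcs
"""

# Built-in XP services whose display names a lookalike is likely to borrow
# (display-name fragment -> real service name). Assumed list; extend as needed.
BUILTIN_LOOKALIKES = {"workstation": "lanmanworkstation", "netlogon": "netlogon"}

# A binary that lives directly in the Windows directory, not in a subdirectory.
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)

# First token of a command line: a quoted path, an unquoted path ending in a
# known extension (spaces allowed, as in C:\Program Files\...), or one word.
IMAGE_PATH = re.compile(
    r'"([^"]+)"|((?:.+?\.(?:exe|dat|dll|com|bat|scr|pif))|\S+)(?=\s|$)', re.I
)


@dataclass
class Service:
    display: str
    name: str
    cmdline: str
    flags: list = field(default_factory=list)


def image_path(cmdline: str) -> str:
    """Extract the executable path from a service command line."""
    m = IMAGE_PATH.match(cmdline.strip())
    return (m.group(1) or m.group(2)) if m else cmdline.strip()


def parse_listing(text: str) -> list:
    """Pair each 'Display: name' header line with the command line below it."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    services = []
    for header, cmd in zip(lines[0::2], lines[1::2]):
        display, _, name = header.rpartition(": ")
        services.append(Service(display, name, cmd))
    return services


def triage(svc: Service) -> list:
    """Return a list of human-readable findings for one service (empty = clean)."""
    flags = []
    if any(not (32 <= ord(c) <= 126) for c in svc.name):
        flags.append("service name contains non-printable or non-ASCII characters")
    path = image_path(svc.cmdline)
    basename = path.rsplit("\\", 1)[-1]
    ext = basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
    if ext and ext != "exe":  # 'svchost -k rpcss' has no extension and is legitimate
        flags.append(f"binary has a .{ext} extension instead of .exe")
    if WINDOWS_ROOT.match(path):
        flags.append("binary sits directly in the Windows directory")
    squashed = svc.display.lower().replace(" ", "")
    imitated = [frag for frag, real in BUILTIN_LOOKALIKES.items()
                if frag in squashed and svc.name.lower() != real]
    if imitated:
        flags.append("display name imitates built-in service(s): " + ", ".join(imitated))
    return flags


def suspicious_services(text: str) -> dict:
    """Map service name -> findings, for flagged services only."""
    out = {}
    for svc in parse_listing(text):
        svc.flags = triage(svc)
        if svc.flags:
            out[svc.name] = svc.flags
    return out


if __name__ == "__main__":
    for name, flags in suspicious_services(SAMPLE_LISTING).items():
        print(name)
        for finding in flags:
            print("  -", finding)
```

On the sample above only the "Workstation NetLogon Service" entry is reported, with all four findings; the real Workstation service, the extension-less RpcSs command line and the Norton service pass clean.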
These are the 2 that I thought looked strange in the directories your guide sends us to. I deleted the first one in my last attempt, but the problem still existed. I've included my last HJT. Any other strange entries other than the "usual suspects" that I may be missing?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?’ŽrtñåȲ$Ó
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3
My latest HJT:
Logfile of HijackThis v1.98.2
Scan saved at 6:21:02 PM, on 8/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\llbaix.dat
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Norton CleanSweep\QDCSFS.EXE
C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
C:\WINDOWS\sdkdj32.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Pocket Real Estate\App\HNDsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\MICROS~1\OFFICE\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\unzipped\hijackthis\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1ADA5D6C-9F25-A75C-150C-5FF6696C8035} - C:\WINDOWS\system32\msyk32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Update Completion 0] "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeUpdateHelper.exe" -destfullpath "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeEssentials.qtx" -sourcefullpath "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeEssentials.qtx.new00" -atboottime "QuickTime Update Completion 0"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton CleanSweep\QDCSFS.EXE /startup
O4 - HKLM\..\Run: [ePrint 3.0 Service] C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [sdkdj32.exe] C:\WINDOWS\sdkdj32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Lightning 2000 Call Scheduler.lnk = C:\Iris\L2000\CallSch.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Sync Data.lnk = C:\Pocket Real Estate\App\HndSync.exe
O4 - Global Startup: Sync Data for Palm OS.lnk = C:\Pocket Real Estate\App\HNDsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.printatwolf.com/upload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F7D5DD-F7BD-472F-BB8D-CB84F405EE40}: NameServer = 64.81.159.2,216.231.41.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{E030D387-269C-483D-8FB9-C5BE0767CD51}: NameServer = 64.81.159.2,216.231.41.0
O17 - HKLM\System\CS1\Services\Tcpip\..\{57F7D5DD-F7BD-472F-BB8D-CB84F405EE40}: NameServer = 64.81.159.2,216.231.41.2
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
Yep, those are definitely part of the problem. Go ahead and delete those, stop the Workstation Net Logon service again and disable it again, and then in HJT fix:
O2 - BHO: (no name) - {1ADA5D6C-9F25-A75C-150C-5FF6696C8035} - C:\WINDOWS\system32\msyk32.dll
O4 - HKLM\..\Run: [sdkdj32.exe] C:\WINDOWS\sdkdj32.exe
Quarantine those files, and hard reboot. See how it looks and let us know.
Dexter...
Logfile of HijackThis v1.98.2
Scan saved at 9:17:06 AM, on 9/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\apimf.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Norton CleanSweep\QDCSFS.EXE
C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
C:\WINDOWS\sdkdj32.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Pocket Real Estate\App\HndSync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ngssu.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ngssu.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ngssu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ngssu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ngssu.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ngssu.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ngssu.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D4BBFCAF-3F30-7E69-4762-58A3BA736796} - C:\WINDOWS\ieni32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Update Completion 0] "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeUpdateHelper.exe" -destfullpath "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeEssentials.qtx" -sourcefullpath "C:\WINDOWS\SYSTEM32\QuickTime\QuickTimeEssentials.qtx.new00" -atboottime "QuickTime Update Completion 0"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton CleanSweep\QDCSFS.EXE /startup
O4 - HKLM\..\Run: [ePrint 3.0 Service] C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [sdkdj32.exe] C:\WINDOWS\sdkdj32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Lightning 2000 Call Scheduler.lnk = C:\Iris\L2000\CallSch.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Sync Data.lnk = C:\Pocket Real Estate\App\HndSync.exe
O4 - Global Startup: Sync Data for Palm OS.lnk = C:\Pocket Real Estate\App\HNDsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.printatwolf.com/upload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F7D5DD-F7BD-472F-BB8D-CB84F405EE40}: NameServer = 64.81.159.2,216.231.41.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{E030D387-269C-483D-8FB9-C5BE0767CD51}: NameServer = 64.81.159.2,216.231.41.0
O17 - HKLM\System\CS1\Services\Tcpip\..\{57F7D5DD-F7BD-472F-BB8D-CB84F405EE40}: NameServer = 64.81.159.2,216.231.41.2
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
Dexter...
sorry to make you jump through another hoop here, but I am not seeing a service in there that fits the known variants, so I just want to make sure you don't have a new variety.
Download the attachment here, GetService.zip. Unzip both files to a folder on your hard drive. Run the Getservice.bat file. It will generate a more detailed listing of your services. Attach that text file for me to check over.
After you have done that, let's try and clean those entries out one more time, in a slightly different way.
Download Killbox from our Security Downloads Page, the link is in my signature.
Run the program. In the bottom right hand corner you will see a drop-down box labelled (System Process.) Drop that down, and select the active process that is likely to be your main infection reloader. That will be these exe files:
apimf.exe
sdkdj32.exe
Once you have selected any file name, click the yellow triangle with the ! inside it to end that process.
Next, at the top of the window, use the folder icon to browse to each of those exe files, and press the red X button to delete that file. If it will not delete, repeat, but select Delete on Reboot. When it asks if you want reboot now, choose "No." Just keep tagging them all for reboot, then do a reboot later.
Then browse to each of these dll files:
C:\WINDOWS\ieni32.dll
C:\WINDOWS\system32\ngssu.dll
and select them one at a time. Turn on the option "unregister dll before deleting." Then delete each dll.
Now reboot, let those files that were tagged for delete on reboot get deleted, then go back to HJT, and check things out.
Do this in regular mode first. If it does not work, try it in Safe Mode, except that the exe will probably not be running as a system process in safe mode, so all you will need to do is delete them.
Then, check your HJT log to see how it looks. Post that in your next post, and attach the GetServices log as an attachment.
Dexter...
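Added example, not part of the thread: the logs posted so far show the same registry slots coming back after each reboot with freshly generated file names (ddqjd.dll becomes ngssu.dll in the search-page entries, the unnamed BHO goes from ntfi32.dll to msyk32.dll to ieni32.dll with a new CLSID each time) while the loader entry [sdkdj32.exe] stays put. That pattern is easier to see by diffing two HJT logs by registry slot rather than by whole line, which is what the Python script below does. The two log excerpts are constructed from the 8/31 3:26 PM and 9/1 logs above, trimmed to a few lines each.

```python
import re

# Constructed excerpts of two HijackThis logs from this thread: the 8/31 3:26 PM
# log (before) and the 9/1 9:17 AM log (after), trimmed to the lines that matter.
HJT_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddqjd.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D32FD27A-ECDB-EE56-1C5D-D4FA210397CB} - C:\WINDOWS\ntfi32.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [sdkdj32.exe] C:\WINDOWS\sdkdj32.exe
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
"""

HJT_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ngssu.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D4BBFCAF-3F30-7E69-4762-58A3BA736796} - C:\WINDOWS\ieni32.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [sdkdj32.exe] C:\WINDOWS\sdkdj32.exe
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.+)$")
# O4 lines: "HKLM\..\Run: [value name] command"  -> slot is hive+value name
O4_RUN = re.compile(r"^(?P<key>.+?\]) ?(?P<val>.*)$")
# O2/O3 lines: "BHO: name - {CLSID} - path"       -> slot is the BHO/toolbar name
O2_O3 = re.compile(r"^(?P<key>.+?) - (?P<val>\{[0-9A-Fa-f-]+\}.*)$")
# File names worth reporting when a slot's contents change.
FILE = re.compile(r"[A-Za-z0-9_~]+\.(?:dll|exe|dat)", re.I)


def split_entry(line: str):
    """Return (section, slot, value) for one HJT line, or None if it is not one."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    if sec.startswith("R") and " = " in rest:        # R0/R1: "registry value = data"
        key, val = rest.split(" = ", 1)
    elif sec == "O4" and O4_RUN.match(rest):
        m4 = O4_RUN.match(rest)
        key, val = m4.group("key"), m4.group("val")
    elif sec in ("O2", "O3") and O2_O3.match(rest):
        m23 = O2_O3.match(rest)
        key, val = m23.group("key"), m23.group("val")
    else:                                            # anything else: whole line is the slot
        key, val = rest, ""
    return sec, key, val


def parse_log(text: str) -> dict:
    """Map (section, slot) -> value for every HJT entry line in the text."""
    entries = {}
    for line in text.strip().splitlines():
        parsed = split_entry(line)
        if parsed:
            sec, key, val = parsed
            entries[(sec, key)] = val
    return entries


def diff_hjt(before: str, after: str) -> dict:
    """Classify every slot as rotated (same slot, new contents), added, removed or unchanged."""
    old, new = parse_log(before), parse_log(after)
    report = {"rotated": [], "added": [], "removed": [], "unchanged": []}
    for slot in sorted(old.keys() | new.keys()):
        if slot in old and slot in new:
            if old[slot] == new[slot]:
                report["unchanged"].append(slot)
            else:
                report["rotated"].append((slot, old[slot], new[slot]))
        elif slot in new:
            report["added"].append((slot, new[slot]))
        else:
            report["removed"].append((slot, old[slot]))
    return report


def rotated_files(report: dict) -> list:
    """(old file names, new file names) for each slot whose contents changed."""
    return [(FILE.findall(old_val), FILE.findall(new_val))
            for _, old_val, new_val in report["rotated"]]


if __name__ == "__main__":
    rep = diff_hjt(HJT_BEFORE, HJT_AFTER)
    for (sec, slot), old_val, new_val in rep["rotated"]:
        print(f"ROTATED  {sec} {slot}\n    was: {old_val}\n    now: {new_val}")
    for (sec, slot), val in rep["removed"]:
        print(f"REMOVED  {sec} {slot} = {val}")
    for (sec, slot), val in rep["added"]:
        print(f"ADDED    {sec} {slot} = {val}")
    print(f"{len(rep['unchanged'])} slots unchanged")
```

A slot reported as "rotated" is the signature of a reloader: the hijack survived the fix because something still running regenerated it under a new name, so the unchanged entries (here the [sdkdj32.exe] Run key) are where to look for the thing doing the regenerating.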
I'll try anything at this point. Here's the "Get Services" txt file.
Error querying status of O?’ŽrtñåȲ$Ó on \\4RHYH01:
Go into Regedit, and make a back up of your Reg. Click File, Export, and choose to export ALL. Save the backup in a safe place with a descriptive name, ie, Reg Backup 04 Sep 04.
Then, go to Edit, click find, and search for anything named: O?’
If you find anything, delete the entire key as outlined in Step 11 of the guide, except delete the whole folder from the left hand side of the window. Go to Find Next or press F3 to search again. Keep doing this until no entries like that exist.
Try that along with the Killbox method above, and see what happens.
Dexter...
I appreciate your help. But, I'm tired of wasting everyone's time with this. I was thinking of getting a new PC for the Holiday, so I may do it sooner. I'll keep working on it myself. If you think I have something "new" that you can learn from, I'd be happy to help. Otherwise, I'll keep casually working on it and let you know.
Thanks again,
Paul
I'm not sure what happened. But, HSA seems to be gone. Maybe we killed enough of it that the Adware, etc. finally cleaned up the rest. The programs are removed from the "Add/Remove" list and nothing shows up on a HJT. However, I have not restarted my PC for awhile. I can't say for sure that it won't come back. I'll keep you posted.
Thanks again,
Paul