Please help..HSA problem / Hmmm....

Feeling pretty sick n tired of this thing now.. So thought I'd grudgingly give in and get an expert's advice.

I've followed your guide to the word, letter, comma and full stop.. But HSA is still here. I hard-boot into safe mode, destroy it completely, but it's still here once I start IE in normal mode :banghead: .

Also, no matter what I do, even after completely wiping it out in safe mode using HJT / manual deletion of files n registry entries, ABuster always finds "2 random key entries" in every single scan. I feel at a complete loss here, which is why I'm so annoyed n very tempted to just reformat..

Anyway, here's my log. I've just restarted IE, hence the many .htm#46365 type things in there, so I apologise in advance for all these. Figured it'd be best to just let it load up fresh n let you help me out..

Logfile of HijackThis v1.98.2
Scan saved at 00:48:34, on 17/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\javalr32.exe
C:\WINDOWS\javacu32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\lctesj.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\eDimensional\Drivers\EDController.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Josh\Application Data\wtau.exe
C:\WINDOWS\System32\qnfi.exe
C:\Program Files\802.11 Wireless LAN\802.11b Wireless Cardbus & PCI Adapter HW.11 V1.20\WlanCU.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxxgx.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxxgx.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vxxgx.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxxgx.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxxgx.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxxgx.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxxgx.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E1795DF-344A-4CBB-3715-1F0DA8EF0E2A} - C:\WINDOWS\javacu32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [VDDFR Installer] "C:\Program Files\Identix\Fingerprint Readers\SETDFRSL.EXE" /reg_vddfr
O4 - HKLM\..\Run: [vjxhkvuqcaoml] C:\WINDOWS\System32\lctesj.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [eDimensional] C:\Program Files\eDimensional\Drivers\EDController.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Asmc] C:\Documents and Settings\Josh\Application Data\wtau.exe
O4 - HKCU\..\Run: [Cgw] C:\WINDOWS\System32\qnfi.exe
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Wireless Cardbus & PCI Adapter HW.11 V1.20\WlanCU.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.235N - http://205.177.13.50/Java/cfsn31235.cab
O16 - DPF: ConferenceRoom Java Client - http://webmaster.webmaster.com:8000/java/cr.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Really hope to hear from you soon. I'm leaving in a day or two, n have to have this PC packed up asap. So, please get back to me as soon as you can..

TIA :) (trying to smile in the face of adversity here lol),
J

Comments

  • edited September 2004
    PC gotta be packed up in a couple of hours..Please? Before I just format it out of pure anger at this thing :( lol.
    J

    Edit - Forgot to mention, I've already run Adaware + Spybot S+D. Didn't mention it as I do this so regularly I'd forgotten :P lol.
  • Dexter Vancouver, BC Canada
    edited September 2004
    Please refer to Post # 2 of the Home Search Assistant Removal Guide to learn how to generate a log of your active services. Do that, post it here, and we will help you as soon as we can.

    Bear in mind that we have dozens of posts per day in here, and only a few of us volunteering our time in here to help. :)

    Dexter...
  • edited September 2004
    These are the Current Active Services:

    Ati HotKey Poller: Ati HotKey Poller
    C:\WINDOWS\System32\Ati2evxx.exe

    Windows Audio: AudioSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Computer Browser: Browser
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Cryptographic Services: CryptSvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    DHCP Client: Dhcp
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Logical Disk Manager: dmserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Error Reporting Service: ERSvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COM+ Event System: EventSystem
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Fast User Switching Compatibility: FastUserSwitchingCompatibility
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Help and Support: helpsvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Server: lanmanserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Workstation: lanmanworkstation
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Messenger: Messenger
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Connections: Netman
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Location Awareness (NLA): Nla
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Task Scheduler: Schedule
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Secondary Logon: seclogon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    System Event Notification: SENS
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Shell Hardware Detection: ShellHWDetection
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    System Restore Service: srservice
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Terminal Services: TermService
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Themes: Themes
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Distributed Link Tracking Client: TrkWks
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Upload Manager: uploadmgr
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Time: W32Time
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Management Instrumentation: winmgmt
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Automatic Updates: wuauserv
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Wireless Zero Configuration: WZCSVC
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Symantec Event Manager: ccEvtMgr
    "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

    Creative Service for CDROM Access: Creative Service for CDROM Access
    C:\WINDOWS\System32\CTsvcCDA.exe

    DNS Client: Dnscache
    C:\WINDOWS\System32\svchost.exe -k NetworkService

    Event Log: Eventlog
    C:\WINDOWS\system32\services.exe

    Plug and Play: PlugPlay
    C:\WINDOWS\system32\services.exe

    TCP/IP NetBIOS Helper: LmHosts
    C:\WINDOWS\System32\svchost.exe -k LocalService


    Remote Registry: RemoteRegistry
    C:\WINDOWS\system32\svchost.exe -k LocalService

    SSDP Discovery Service: SSDPSRV
    C:\WINDOWS\System32\svchost.exe -k LocalService

    WebClient: WebClient
    C:\WINDOWS\System32\svchost.exe -k LocalService

    Norton AntiVirus Auto Protect Service: navapsvc
    "C:\Program Files\Norton AntiVirus\navapsvc.exe"

    Norton Unerase Protection: NProtectService
    "C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE"

    IPSEC Services: PolicyAgent
    C:\WINDOWS\System32\lsass.exe

    Protected Storage: ProtectedStorage
    C:\WINDOWS\system32\lsass.exe

    Security Accounts Manager: SamSs
    C:\WINDOWS\system32\lsass.exe

    Remote Procedure Call (RPC): RpcSs
    C:\WINDOWS\system32\svchost -k rpcss

    Smart Card: SCardSvr
    C:\WINDOWS\System32\SCardSvr.exe

    Print Spooler: Spooler
    C:\WINDOWS\system32\spoolsv.exe

    Windows Image Acquisition (WIA): stisvc
    C:\WINDOWS\System32\svchost.exe -k imgsvc

    Windows User Mode Driver Framework: UMWdf
    C:\WINDOWS\System32\wdfmgr.exe

    WMDM PMSP Service: WMDM PMSP Service
    C:\WINDOWS\System32\MsPMSPSv.exe

    Network Security Service (NSS): O?’ŽrtñåȲ$Ó
    "C:\WINDOWS\system32\javalr32.exe" /s

    Thur ya go :)
    J

    (I have noticed the blatant HSA process sitting at the very end there, but as I said, I want to post this as-is and just let you tell me what to fix ;) lol)
  • edited September 2004
    Sorry to pester.. But I'm being pestered myself to pack this thing up n I can't help but notice my thread diving ever-downwards in the board goin unanswered.. Sorry if I seem impatient or rude, I just have very little time left to get this sorted :(
    J
  • edited September 2004
    Repost of log + active processes for ease. Here's the latest update, identical to the last probably..


    HJT:

    Logfile of HijackThis v1.98.2
    Scan saved at 17:21:45, on 17/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\javalr32.exe
    C:\WINDOWS\javacu32.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\lctesj.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\Program Files\eDimensional\Drivers\EDController.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Josh\Application Data\wtau.exe
    C:\WINDOWS\System32\qnfi.exe
    C:\Program Files\802.11 Wireless LAN\802.11b Wireless Cardbus & PCI Adapter HW.11 V1.20\WlanCU.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Folding@Home\winFAH.exe
    C:\Program Files\Folding@Home\FahCore_65.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Downloads\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxxgx.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxxgx.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vxxgx.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxxgx.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxxgx.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxxgx.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxxgx.dll/sp.html#29126
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C115F510-9F8B-F5E1-1C70-1979342788EE} - C:\WINDOWS\mszj32.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [VDDFR Installer] "C:\Program Files\Identix\Fingerprint Readers\SETDFRSL.EXE" /reg_vddfr
    O4 - HKLM\..\Run: [vjxhkvuqcaoml] C:\WINDOWS\System32\lctesj.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [eDimensional] C:\Program Files\eDimensional\Drivers\EDController.exe
    O4 - HKLM\..\Run: [javacu32.exe] C:\WINDOWS\javacu32.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
    O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Asmc] C:\Documents and Settings\Josh\Application Data\wtau.exe
    O4 - HKCU\..\Run: [Cgw] C:\WINDOWS\System32\qnfi.exe
    O4 - Startup: Folding@Home 5.02.lnk = ?
    O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Wireless Cardbus & PCI Adapter HW.11 V1.20\WlanCU.exe
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O16 - DPF: ChatSpace Full Java Client 3.1.0.235N - http://205.177.13.50/Java/cfsn31235.cab
    O16 - DPF: ConferenceRoom Java Client - http://webmaster.webmaster.com:8000/java/cr.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

    Active processes :

    These are the Current Active Services:

    Ati HotKey Poller: Ati HotKey Poller
    C:\WINDOWS\System32\Ati2evxx.exe

    Windows Audio: AudioSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Computer Browser: Browser
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Cryptographic Services: CryptSvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    DHCP Client: Dhcp
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Logical Disk Manager: dmserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Error Reporting Service: ERSvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COM+ Event System: EventSystem
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Fast User Switching Compatibility: FastUserSwitchingCompatibility
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Help and Support: helpsvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Server: lanmanserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Workstation: lanmanworkstation
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Messenger: Messenger
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Connections: Netman
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Location Awareness (NLA): Nla
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Task Scheduler: Schedule
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Secondary Logon: seclogon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    System Event Notification: SENS
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Shell Hardware Detection: ShellHWDetection
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    System Restore Service: srservice
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Terminal Services: TermService
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Themes: Themes
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Distributed Link Tracking Client: TrkWks
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Upload Manager: uploadmgr
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Time: W32Time
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Management Instrumentation: winmgmt
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Automatic Updates: wuauserv
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Wireless Zero Configuration: WZCSVC
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Symantec Event Manager: ccEvtMgr
    "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

    Creative Service for CDROM Access: Creative Service for CDROM Access
    C:\WINDOWS\System32\CTsvcCDA.exe

    DNS Client: Dnscache
    C:\WINDOWS\System32\svchost.exe -k NetworkService

    Event Log: Eventlog
    C:\WINDOWS\system32\services.exe

    Plug and Play: PlugPlay
    C:\WINDOWS\system32\services.exe

    TCP/IP NetBIOS Helper: LmHosts
    C:\WINDOWS\System32\svchost.exe -k LocalService

    Remote Registry: RemoteRegistry
    C:\WINDOWS\system32\svchost.exe -k LocalService

    SSDP Discovery Service: SSDPSRV
    C:\WINDOWS\System32\svchost.exe -k LocalService

    WebClient: WebClient
    C:\WINDOWS\System32\svchost.exe -k LocalService

    Norton AntiVirus Auto Protect Service: navapsvc
    "C:\Program Files\Norton AntiVirus\navapsvc.exe"

    Norton Unerase Protection: NProtectService
    "C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE"

    IPSEC Services: PolicyAgent
    C:\WINDOWS\System32\lsass.exe

    Protected Storage: ProtectedStorage
    C:\WINDOWS\system32\lsass.exe

    Security Accounts Manager: SamSs
    C:\WINDOWS\system32\lsass.exe

    Remote Procedure Call (RPC): RpcSs
    C:\WINDOWS\system32\svchost -k rpcss

    Smart Card: SCardSvr
    C:\WINDOWS\System32\SCardSvr.exe

    Print Spooler: Spooler
    C:\WINDOWS\system32\spoolsv.exe

    Windows Image Acquisition (WIA): stisvc
    C:\WINDOWS\System32\svchost.exe -k imgsvc

    Windows User Mode Driver Framework: UMWdf
    C:\WINDOWS\System32\wdfmgr.exe

    WMDM PMSP Service: WMDM PMSP Service
    C:\WINDOWS\System32\MsPMSPSv.exe

    Network Security Service (NSS): O?’ŽrtñåȲ$Ó
    "C:\WINDOWS\system32\javalr32.exe" /s


    Please, as I said, help me as soon as you can. I should've been packed up hours ago, but I'm stalling for time here to try n get this fixed :(
    J
  • edited September 2004
    Never mind. Done it myself. Thanks for the help :hrm: (btw, guide didn't work.. I managed to find another, which helped though. Thanks anyway, I spose..)
  • Dexter Vancouver, BC Canada
    edited September 2004
    The guide would have worked if you had the time & patience to follow it through. Your bogus service is pretty clearly listed in your active services log:

    Network Security Service (NSS): O?’ŽrtñåȲ$Ó
    "C:\WINDOWS\system32\javalr32.exe" /s

    As per Step 4 of the guide, if you disabled that service, your problem would have been solved. Without disabling that service, everything else in the guide is pointless. This is the most important part, as it keeps you infected as long as it is active. If you would have disabled this service as instructed in the guide, your problem would have been solved. You also had 3 re-infection files, which we would have pointed out to you had you been patient. As I said earlier, we have dozens of people a day coming to us for help, and we have only a few volunteers who help them. Each of us has lives, jobs, families, social lives, whatever as well. We gladly help anyone who needs it, but it happens on our schedule, not theirs.

    The fact that you had to pack up the computer and move was your problem, not ours, it does not get you any special treatment. Next time you get infected with something and need help, please bear that in mind.


    Dexter...
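
The check described in the last reply, as an added example that is not part of the thread or of the removal guide: it parses an active-services listing in the format posted above and flags any service whose key name contains characters outside printable ASCII, which is what makes the `javalr32.exe` entry stand out. The function names are hypothetical, the sample is a constructed excerpt of the listing in this thread, and the heuristic assumes an English-language system where legitimate service names are plain ASCII.

```python
import re

# Constructed excerpt in the format of the active-services listing posted in
# this thread: "Display name: service name", then the command line.
SAMPLE_LISTING = r"""
These are the Current Active Services:

Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

Symantec Event Manager: ccEvtMgr
"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

Network Security Service (NSS): O?’ŽrtñåȲ$Ó
"C:\WINDOWS\system32\javalr32.exe" /s
"""

# A command line starts with an optional quote and a drive letter.
CMD_RE = re.compile(r'^"?[A-Za-z]:\\')


def split_command(cmd):
    """Split a service command line into (image path, arguments)."""
    quoted = re.match(r'^"([^"]+)"\s*(.*)$', cmd)
    if quoted:
        return quoted.group(1), quoted.group(2)
    # Unquoted: in this listing, arguments begin with " -" or " /".
    plain = re.match(r'^(.*?)(?:\s+([-/].*))?$', cmd)
    return plain.group(1), plain.group(2) or ""


def parse_services(text):
    """Return one dict per service: display name, key name, image, args."""
    services, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if CMD_RE.match(line):
            if pending is not None:
                image, args = split_command(line)
                services.append({"display": pending[0], "name": pending[1],
                                 "image": image, "args": args})
                pending = None
        elif ": " in line:
            # Split on the first ": " so a garbled key name stays intact.
            display, _, name = line.partition(": ")
            pending = (display, name)
    return services


def odd_chars(name):
    """Characters in a service key name that are not printable ASCII."""
    return [c for c in name if not 0x20 <= ord(c) <= 0x7E]


def find_suspicious(text):
    """Services whose key name contains non-printable or non-ASCII characters."""
    return [s for s in parse_services(text) if odd_chars(s["name"])]


if __name__ == "__main__":
    for svc in find_suspicious(SAMPLE_LISTING):
        print("Review: %s -> %s %s" % (svc["display"], svc["image"], svc["args"]))
```

A flagged entry is a lead to review rather than a verdict: a plausible display name such as "Network Security Service (NSS)" says nothing about the binary behind it, so the image path is what to check before disabling the service.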
This discussion has been closed.