Q: Help with clearing out Spyware/unneeded programs ( Answered 5 out of 5 stars,   1 Comment )
Question  
Subject: Help with clearing out Spyware/unneeded programs
Category: Computers > Security
Asked by: colan-ga
List Price: $31.00
Posted: 07 Jun 2004 07:51 PDT
Expires: 07 Jul 2004 07:51 PDT
Question ID: 357575
I need step-by-step assistance in removing all unneeded programs from
my home-based computer.  A complete answer will (please) address all
of the SPECIFIC programs that I have running on my machine (which will
be posted on request), as well as specific suggestions to improve
performance of my machine (it is currently crashing when I try to run
memory-intensive programs).

--One program I KNOW I need to get rid of (but don't know how) is MSN
messenger, which keeps on popping up asking me to sign in but which I
do not use.

Details:

--I am running WIN XP on a machine with 512MB RAM.  Recently the
machine is crashing in windows, mostly when I am trying to run AOL.

--On a clean re-boot, my task manager shows about 50 processes running
and it is using up roughly half of the RAM.  The AOL and Gateway tech
reps both indicated that there was clearly spyware present in these
processes.

--I ran AdAware and removed a number of files and programs, but the
processes still seem very high and the lockups are continuing;

--I am in the process of dramatically increasing RAM (adding 2000MB)
and installing a Norton software program that I have been told will
block further adware/spyware infestation;  Still, I am enough of a
computer neophyte that I am not sure exactly WHICH current programs
are unneeded and how to get rid of them;

Please let me know what other specific information is needed to clean this up.

Thanks in advance.
Answer  
Subject: Re: Help with clearing out Spyware/unneeded programs
Answered By: aceresearcher-ga on 07 Jun 2004 10:38 PDT
Rated:5 out of 5 stars
 
Greetings, colan!

I'd like to take this step-by-step.

Please do not Rate the Answer until we have completed the process.

First, make sure that you have all of your important documents backed
up to CD or diskette.

Before you ran AdAware, did you make sure that you have the latest
edition? It should be Version 6.0. If so, did you click on "Check for
updates now" before you began your AdAware scan? I believe that the
latest set of definitions should show as "AdAware 6.0 Personal, Build
162" in the lower right-hand corner of the AdAware window. If you
download 6.0 now, be sure you also click "Check for updates now"
BEFORE you run the scan anew.
http://www.lavasoft.de/support/download

Then shut down your computer and restart.

Then, if you haven't already, download Spybot Search & Destroy Version
1.3. Again, you'll want to make sure that you have 1.3, and that you
click "Check for updates" before running the program.
http://www.safer-networking.org/index.php?page=mirrors

Then shut down your computer and restart.

Once you've done those, download and run HijackThis!, and post your
scan log here. We'll go from there.
http://www.spychecker.com/program/hijackthis.html


If you have any Questions about the above information, please post a
Request for Clarification, and I will be glad to see what I can do for
you.

Regards,

aceresearcher

Request for Answer Clarification by colan-ga on 07 Jun 2004 10:53 PDT
Ace:

Thanks.  I will go through these steps this evening when I can get
back on the computer and then post the next information at that time.

Request for Answer Clarification by colan-ga on 07 Jun 2004 17:00 PDT
Quick Question:  

I am going through the steps and wanted to backup my files (as you
suggested) before starting.

Does XP have a backup wizard I can use to do this without manually
having to pick every file I want to back up?  If so, how do I access
it? (I could not find it in the control panel).

Clarification of Answer by aceresearcher-ga on 07 Jun 2004 17:04 PDT
colan,

What CD-burning software is installed on your system?

Examples:
  Nero Express
  Direct CD
  Easy CD Creator

etc

Request for Answer Clarification by colan-ga on 07 Jun 2004 17:11 PDT
CD burning software is "ROXIO Easy CD Creator 5"

Request for Answer Clarification by colan-ga on 07 Jun 2004 17:29 PDT
I could have sworn XP had a backup wizard to help simplify backups,
but I just went ahead and picked files one-by-one and copied them over
to my DVD drive.

Request for Answer Clarification by colan-ga on 07 Jun 2004 17:45 PDT
FYI, the AdAware version I used was 6.0, Build 6.181

I assume this is the latest version as it is higher than the Build 162
you suggested.  Please let me know if this is incorrect.  I am running
Spybot now (8:45 Eastern Time).

Request for Answer Clarification by colan-ga on 07 Jun 2004 17:56 PDT
While running Spybot, I got the following message:

"This application has failed to start because wtKernel0100.dll was not
found.  Re-installing the application may fix this problem."

I am going to reinstall and try again.

Request for Answer Clarification by colan-ga on 07 Jun 2004 18:43 PDT
HijackThis Log Below:

Logfile of HijackThis v1.97.7
Scan saved at 9:42:18 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Quicken 2004\Downloaded Data\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program
Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint
Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Motive SmartBridge]
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard
/RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway
Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON
Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase
C:\WINNT\System32\oobe\msoobe.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event
Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program
Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program
Files\Quicken 2004\bagent.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D}
(DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do
More\DoMoreRunExe.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight
Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - file://C:\Program
Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
Environment 1.3.0_02) -
https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl
Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent
Control) - http://install.wildtangent.com/bgn/partners/wildgames/polarbowler/install.cab

Request for Answer Clarification by colan-ga on 07 Jun 2004 18:52 PDT
Also...

After running Spybot, I am now getting the following runDLL error
message every time I reboot:

"Error loading C:\program Files\Wildtangent\Apps\CDA\cdaengine0400.dll
The specified module could not be found"

I assume I nuked part of this program when I ran Spybot, but I do not
know how to get rid of the rest of the program/keep the error message
from coming up.  I tried add/delete programs, but windows said that it
could not remove WildTangent.

Perhaps we can fix this when we are going through the other programs?

Request for Answer Clarification by colan-ga on 08 Jun 2004 14:57 PDT
Ace:

Please let me know what I need to do next.

Request for Answer Clarification by colan-ga on 08 Jun 2004 19:29 PDT
Ace?

Hello?

Please respond as to my next step.

Clarification of Answer by aceresearcher-ga on 08 Jun 2004 23:03 PDT
Hi, colan, I haven't forgotten you.

As you may have guessed, Researchers don't stay at their computers
24/7 (we're human and we need an occasional break just like you!), but
I haven't forgotten about you.

Go to Control Panel->Add/Remove Programs and uninstall:
- Viewpoint Media Player
- Download Accelerator Plus (DAP)

Download CoolWebShredder and run it:
http://www.spychecker.com/program/coolwebshredder.html


Then run HijackThis! and have it remove the following objects:

  Removing these may solve your boot-up error:
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program
Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Motive SmartBridge]
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent
Control) - http://install.wildtangent.com/bgn/partners/wildgames/polarbowler/install.cab

  Remove these if they still exist after the uninstalls:
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint
Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

  These are spyware from RealPlayer and QuickTime player; neither is
needed to run the actual players, but they like to reactivate
themselves whenever you use the player:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program
Files\CommonFiles\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime

  Loads MS Office stuff that's not necessary:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE

  TurboTax spyware:
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program
Files\ItsDeductible7\ItsD7.exe

  Unnecessary Quicken process:
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program
Files\Quicken 2004\bagent.exe

  MS Registration startup (no longer needed)
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase
C:\WINNT\System32\oobe\msoobe.exe

  Adware and possibly spyware:
O4 - Startup: PowerReg Scheduler V3.exe

  Resource hog installed with Creative Sound Card driver:
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

  Remove this if CoolWebShredder didn't take care of it:
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl
Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab


Post your newly-revised HJT log here, and tomorrow we'll discuss
several items for which you're going to have to make decisions on
whether to keep them or remove them.

It's pretty humorous that the AOL and Gateway reps told you you have
spyware running, since there is a bunch of AOL and Gateway crap using
your system resources which doesn't need to be running!

Hang in there, and we'll get it all worked through...

ace
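
An added illustration, not part of the original thread and not HijackThis's own code: a Python check of which entries flagged for removal still appear in a later scan log, rejoining the entries that the posting wrapped across lines. The function names and the matching rule (CLSID, Run value name, or item label) are assumptions; the sample lines are excerpted from the logs and removal list in this thread.

```python
import re

# A HijackThis entry starts with a section code (R0, O4, O16, ...) and " - ".
ENTRY_START = re.compile(r"^(?:R\d|F\d|N\d|O\d{1,2}) - ")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_VALUE = re.compile(r"^HK[^:]*: \[[^\]]+\]")  # e.g. HKLM\..\Run: [ViewMgr]


def parse_entries(log_text):
    """Return one string per entry, rejoining lines wrapped by the posting.

    Header and "Running processes" lines are skipped because they come before
    the first entry; a blank line ends the current entry, so commentary that
    follows a blank line is not glued onto it.
    """
    entries, in_entries = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_START.match(line):
            entries.append(line)
            in_entries = True
        elif not line:
            in_entries = False
        elif in_entries:
            entries[-1] += " " + line  # continuation of a wrapped entry
    return entries


def entry_key(entry):
    """Identify an entry by what it registers, not by its full text.

    Assumed rule: CLSID if present, else the registry Run value name, else the
    label before " = " or " - ". File paths are ignored, so retyped or
    re-wrapped paths do not prevent a match.
    """
    code, rest = entry.split(" - ", 1)
    clsid = CLSID.search(rest)
    if clsid:
        return (code, clsid.group(0).upper())
    run = RUN_VALUE.match(rest)
    if run:
        return (code, run.group(0).lower())
    return (code, re.split(r" = | - ", rest, maxsplit=1)[0].strip().lower())


def still_present(flagged_text, new_log_text):
    """Flagged entries whose key still appears in the newer log."""
    remaining = {entry_key(e) for e in parse_entries(new_log_text)}
    return [e for e in parse_entries(flagged_text) if entry_key(e) in remaining]


# Excerpt of the removal list from the 08 Jun clarification, wrapped as posted.
FLAGGED_BY_ANSWER = r"""
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program
Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent
Control) - http://install.wildtangent.com/bgn/partners/wildgames/polarbowler/install.cab

  Remove these if they still exist after the uninstalls:
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint
Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O4 - HKLM\..\Run: [TkBellExe] "C:\Program
Files\CommonFiles\Real\Update_OB\realsched.exe" -osboot
"""

# Excerpt of the revised log posted on 09 Jun 2004 at 04:04 PDT.
NEW_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
C:\PROGRA~1\DAP\DAP.EXE

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
"""

if __name__ == "__main__":
    for entry in still_present(FLAGGED_BY_ANSWER, NEW_LOG):
        print("still present:", entry)
```
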

Request for Answer Clarification by colan-ga on 09 Jun 2004 03:30 PDT
Thanks Ace!

I will run these and post back the results.

Request for Answer Clarification by colan-ga on 09 Jun 2004 04:04 PDT
Ace:

Below is a revised log from Hijack This.  I went through all of the
steps you suggested EXCEPT deleting Download Accelerator.  This was a
program that I bought and paid for.  If it is possible to keep it, I
would like to.  If you think the resources used are not worth it,
please let me know and I will go ahead and delete it.

BTW, the reboot error dll message has now gone away.  Thanks so much
for all of your help.

Revised Log:

Logfile of HijackThis v1.97.7
Scan saved at 7:00:01 AM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Putnam\hijack\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard
/RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway
Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON
Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event
Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D}
(DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do
More\DoMoreRunExe.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight
Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - file://C:\Program
Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
Environment 1.3.0_02) -
https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Clarification of Answer by aceresearcher-ga on 09 Jun 2004 07:22 PDT
Colan,

I'll let you read about Download "Accelerator" Plus, then we can talk
about it if you have questions:

PestPatrol is a good site for finding the lowdown on many programs:
http://www.pestpatrol.com/PestInfo/d/download_accelerator_plus.asp

ace

Request for Answer Clarification by colan-ga on 09 Jun 2004 07:56 PDT
Ace:

After reading the pestpatrol excerpt, I am leaning towards just going
ahead and getting rid of the product after all, although I am very
open to any opinion/advice you may have.

Thanks...

Colan

Clarification of Answer by aceresearcher-ga on 09 Jun 2004 08:56 PDT
One of the beauties of Google when you're looking for something is
that you can for the most part depend on the search engine to deliver
the most relevant pages -- as determined by their algorithm, not by
who's paid the most money to be seen.  Download "Accelerator" Plus
replaces search engine results with the most relevant pages ***from
their database of companies which are paying to be advertised***.

Does that mean that the search results you get are going to be what
you really **want** to see? In some cases, maybe, but in most cases, I
would imagine not.

Furthermore, despite the fact that DAP advertises that their product
makes it faster to download files, in fact (and the reason I put
"Accelerator" in quotes) it makes your downloads slower, because
you've got extra processes taking up your system resources.

According to PestPatrol:
"Displays banner advertisements through the program interface. Also
adds a toolbar to your browser with an animated ad. Ads are display
during install, during downloads, during updates, and non-stop on your
browser toolbar. In addition, may redirect you to a different download
site, resulting in more ads."

Now, if your browser is loading all those extra ads, is that going to
make a download running simultaneously run faster? Of course not. And
it's also going to mean that, just surfing the web, pages are going to
load a lot more slowly, because the browser is also accessing the DAP
site and loading ads from it in addition to the content of the page
you want to see.

The really sad part is that people who download DAP do so because
their system response has already deteriorated noticeably due to
spyware and adware that has snuck into their computer. DAP takes
advantage of those people's situation and makes it worse. In my
opinion, that makes the company as evil as they come.

They've made you pay to have a slower system -- AND deal with all the
extra crap they're serving up. My personal philosophy, when I find
that I've paid for something that is more hindrance than help, if I
can't return it to where I bought it, I just cut it loose. No sense
giving it any more of my precious time and money.

But that's just my take on it -- and everyone's entitled to my own
opinion! Your mileage may vary.  ;-)

Request for Answer Clarification by colan-ga on 09 Jun 2004 09:56 PDT
Ace:

Thanks for the insight on DAP.  I find your comments to be EXTREMELY helpful.  

I will delete the correct files on DAP and then re-upload a revised
Hijack this log this evening.

Thanks again..I really appreciate the iterative feedback, as I suspect
that is the only way I can get to where I need to be.

Colan

Request for Answer Clarification by colan-ga on 09 Jun 2004 15:37 PDT
Ace:

DAP items have been deleted via Hijack This...

Here is a revised Log screen:

Logfile of HijackThis v1.97.7
Scan saved at 6:36:25 PM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\Downloads\Putnam\hijack\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard
/RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway
Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON
Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event
Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D}
(DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do
More\DoMoreRunExe.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight
Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - file://C:\Program
Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
Environment 1.3.0_02) -
https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Clarification of Answer by aceresearcher-ga on 10 Jun 2004 13:46 PDT
Colan,

I've been doing some research, and I need to ask you some more questions.

I'm more than a little concerned that several of the things previously
listed to be removed by HijackThis still appear to be running,
according to the log. Is it possible that you didn't get checkmarks
placed in front of some of them? (You have to be sure to check the box;
just highlighting the item with the mouse will not remove it.) You
might try comparing the list I provided of items to a fresh HJT scan,
fixing any of them that still remain, then shutting down and
restarting your computer before running a new scan and posting that
new log for me here.


I presume that AOL is your Internet Service Provider, and that you
can't remove their browsing software.

You stated that you want to get rid of MSN Messenger. Do you also want
to get rid of AOL Messenger, or do you actually use that feature
frequently?

I also need to know whether you frequently use and need to keep any of
the following:

iTunes / iPod
Verizon Online Support Center
AOL Scheduler
Gateway Printer Ink Monitor
Gateway Desktop Support
Creating Keepsakes Scrapbook Designer Event Reminder
MyPutnam Online Support Website (I'm very concerned as to why 
    they've got you set up to be running Java all the time)



(I hope that with all the things that we've removed so far, your
system is at least performing better than it was when you posted your
Question!)

Thanks,

ace
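
The comparison ace suggests above (checking the list of items to fix against a fresh HijackThis scan) can be scripted. This is an added example, not part of the original thread: the function names are hypothetical, and the two scans and the fix list are abridged, constructed samples in the layout of the logs posted here, including the wrapped lines.

```python
import re

# Entry lines start with a section code (R0, O4, O16, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Return (running_processes, entries) from pasted HijackThis log text.

    Pasted logs are often hard-wrapped, so a line that does not start a
    new entry is joined onto the entry before it. A blank line ends the
    current entry, which keeps trailing prose out of the last entry.
    """
    processes, entries = [], []
    in_procs = in_entry = False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            in_procs, in_entry = False, True
            entries.append([match.group(1), match.group(2)])
        elif not line:
            in_procs = in_entry = False
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif in_entry:
            entries[-1][1] += " " + line
    return processes, [(code, " ".join(body.split())) for code, body in entries]


def _entry_key(entry):
    # Windows paths are case-insensitive, so compare entries casefolded.
    return (entry[0], entry[1].casefold())


def _missing(old, new, key):
    seen = {key(item) for item in new}
    return [item for item in old if key(item) not in seen]


def diff_scans(before, after):
    """Processes and entries that disappeared or appeared between two scans."""
    procs0, entries0 = parse_hjt(before)
    procs1, entries1 = parse_hjt(after)
    return {
        "removed_processes": _missing(procs0, procs1, str.casefold),
        "added_processes": _missing(procs1, procs0, str.casefold),
        "removed_entries": _missing(entries0, entries1, _entry_key),
        "added_entries": _missing(entries1, entries0, _entry_key),
    }


def still_listed(fix_list, scan):
    """Entries from the fix list that the later scan still reports."""
    _, wanted = parse_hjt(fix_list)
    _, present = parse_hjt(scan)
    present_keys = {_entry_key(entry) for entry in present}
    return [entry for entry in wanted if _entry_key(entry) in present_keys]


# Constructed sample: abridged scan taken before the fixes.
SCAN_BEFORE = r"""Logfile of HijackThis v1.97.7
Scan saved at 6:36:25 PM, on 6/9/2004

Running processes:
C:\WINNT\Explorer.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
"""

# Constructed sample: scan after fixing and restarting; wrapping and
# letter case differ from the first scan, and prose follows the log.
SCAN_AFTER = r"""Logfile of HijackThis v1.97.7
Scan saved at 7:50:35 AM, on 6/11/2004

Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

Please advise
"""

# Hypothetical fix list: the entries that were meant to be checked and fixed.
FIX_LIST = r"""O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
"""

if __name__ == "__main__":
    for name, items in diff_scans(SCAN_BEFORE, SCAN_AFTER).items():
        print(name, items)
    print("still listed:", still_listed(FIX_LIST, SCAN_AFTER))
```

The comparison is textual, so an item written once with a short 8.3 path (`C:\PROGRA~1\...`) and once with the long path is treated as two different items.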

Request for Answer Clarification by colan-ga on 10 Jun 2004 15:24 PDT
Ace:

1.  I am reasonably certain that I actually checked the boxes in
Hijackthis, but it is possible I did it incorrectly.  I will try to
fix the remaining ones once again and I will make certain this time;

2.  
--AOL Messenger--delete
--itunes/ipod--keep
--Verizon support center--keep
--aol scheduler--delete
--Gateway printer ink monitor--delete
--Gateway desktop support--delete
--Creating keepsakes scrapbook designer event reminder--delete
--Myputnam online support website--probably keep (it's for my work),
but please let me know how much capacity it is using



As for the performance, unfortunately it is still locking up when I am using AOL.

I will report back and post a fresh log as soon as I run Hijackthis
again (could be late tonight)

Thanks again for all of your help.

Colan

Clarification of Answer by aceresearcher-ga on 10 Jun 2004 16:09 PDT
Colan,

When you say "still locking up when I am using AOL", can you give me
some more detail about what is happening?

ace

Request for Answer Clarification by colan-ga on 10 Jun 2004 19:56 PDT
Ace:

re:  "locking up in aol":

In general, I can proceed fine through most functions.  However, from
time to time, the machine completely freezes, meaning the cursor still
moves but I cannot invoke task manager or do a reboot.  When this
happens, I am forced to literally shut off all power to the machine
and then reboot.  Often, this is happening when I am using AOL.  I
will be doing fine, then I will invoke a certain page (for example, my
current weather).  As the page tries to open, the machine locks up and
I get the symptoms above.

This is what prompted me to first contact Gateway and AOL customer
service.  When, after numerous tries, they were relatively unhelpful,
I came to you.

Colan

Request for Answer Clarification by colan-ga on 11 Jun 2004 04:43 PDT
Ace:

After considering, I want to get rid of the myputnam java thing you mentioned.

Request for Answer Clarification by colan-ga on 11 Jun 2004 04:51 PDT
Ace:

I looked carefully at the revised logfile and could find none of the
files that you had previously said to delete.  Here is a copy of the
current logfile:

Logfile of HijackThis v1.97.7
Scan saved at 7:50:35 AM, on 6/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\America Online 9.0a\aoltray.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Putnam\hijack\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard
/RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway
Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON
Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event
Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D}
(DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do
More\DoMoreRunExe.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight
Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - file://C:\Program
Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
Environment 1.3.0_02) -
https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab







Please advise

Clarification of Answer by aceresearcher-ga on 11 Jun 2004 07:35 PDT
Colan,

I'm glad to see that you're right, the logfile looks much better now,
with none of the things that were still in the previous one -- it was
probably just that the computer had not been restarted before you
saved that log.

Did you install AOL's interface from a CD, or was it downloaded from the Internet?

ace

Request for Answer Clarification by colan-ga on 11 Jun 2004 09:33 PDT
Not sure what you mean by "aol's interface" but I probably downloaded
it from the internet.

Also FYI my new memory (2000MB) and Norton Internet Security have now
come.  I am going to wait to install these until we can get everything
else in line so that I do not complicate the procedure and potentially
introduce new variables.

Do you have any opinions on Norton IS?  Gateway recommended it as a
good way to help stop further Spyware but I would value your opinion.

Clarification of Answer by aceresearcher-ga on 11 Jun 2004 21:53 PDT
Colan,

It looks like you're already running a firewall (ZoneAlarm). Do you
use the free version, or ZoneAlarm Pro (the paid version)?

If you've already paid for ZoneAlarm Pro, you probably don't need to
buy Norton IS (in fact, I doubt that you'll be able to run the two
together). If that's the case, and you haven't opened IS yet, you may
be able to return it for a full refund.

Request for Answer Clarification by colan-ga on 12 Jun 2004 04:35 PDT
Thanks for the clarification on Norton.  I have the paid ZoneAlarm and
if Norton is simply a firewall, then I will return it.

Clarification of Answer by aceresearcher-ga on 13 Jun 2004 09:33 PDT
Colan,

Before we delete anything new, I'd like you to perform several tests
on your system.

Please complete the tests listed at the following locations, and alter
your security settings as they suggest:

Jason's Browser Security Tests
http://www.jasons-toolbox.com/BrowserSecurity

For the tests on Javascript, even though he suggests you set your
"Active Scripting" to "Prompt" or "Disable", I recommend that you set
it at "Enable". Otherwise, you will either have to respond to prompts
at almost every website you attempt to access, or you will be unable
to access them at all. Yes, this does leave your system a little more
vulnerable, but the alternative is pretty bad (if you wish, try it by
setting to "Prompt" and visiting several sites that you trust).

PC Flank's Firewall Tests
http://www.pcflank.com/art41b.htm

Thanks,

ace

Request for Answer Clarification by colan-ga on 13 Jun 2004 10:30 PDT
Ace:

Ran the Jason Browser tests and made all the changes EXCEPT the one
you suggested (re active scripting).  I also did not change the
cookies setting to require actively acknowledging cookies--that seems
also like a lot of overkill but I would like your further opinion.

RE PC Flank:

1.  Leaktest was successful (firewall worked);
2.  Too leaky was a failure (firewall did not work), but I did not see a fix;
3.  Firehole was a failure (firewall did not work), but I did not see a fix;
4.  Yalta started to get out of my aptitude--it asks for IP addresses
and I am not sure how to run it;
5.  PC Audit was a failure (firewall did not work), but I did not see a fix;
6.  Atelier (AWFT) scored 0 out of 4.  Tests 5 and 6 gave me the error
message:  "Access violation at address <hex address deleted> in module
'awft.exe'.  Read of address is 00______4."
7.  Thermite was a failure (firewall did not work), but I did not see a fix;
8.  Copycat:  I am not sure that I did it correctly, but I did not see
the 'exploited.txt' file on my c drive;



Please advise next steps or if I did something incorrectly.

Thanks as always...

Colan

Clarification of Answer by aceresearcher-ga on 13 Jun 2004 12:39 PDT
Colan,

If you double-click on the ZoneAlarm tray icon and click "Privacy" and
then the "Main" tab, what are your Cookie and Ad settings?

ace

Request for Answer Clarification by colan-ga on 13 Jun 2004 13:21 PDT
Ace:

Cookies Medium
Ad High

Clarification of Answer by aceresearcher-ga on 13 Jun 2004 13:53 PDT
Colan,

Check the ZoneAlarm Program Control section, Programs Tab, to see if
any program has "Server" access. Change the access of any such
programs to "X" (blocked), both for Trusted and Internet Zones.
Typically, no program should need to have access with server
privileges. If you start to have problems because of this, let me know
which one is acting up. (Any time a ZoneAlarm Prompt pops up, make
sure that you only say "Yes" to requests for "Access" privileges for
programs you want to have access, and never say "Yes" to requests for
"Server" privileges.)

Under the Firewall section, Main Tab, make sure that your Internet
Zone Security is set to "High" and your Trusted Zone Security is set
to Medium.

Then, in your Internet Explorer Options Settings for Security, make
sure that no program has snuck something into your Trusted Zone
(typically, this should be empty). If there is something there, let me
know what it is.

Then, download the free utility IE Spyad:
http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

This program is not like ZoneAlarm, which runs all the time, or like
AdAware & Spybot, which run when you want them to. This utility simply
installs a huge list of sites into your "Restricted Zone", which will
help block spyware and adware. **Be aware that you may occasionally
need to tweak this; if a site that you know you want to see doesn't
display and there is a "Restricted Site" with red circle displayed in
the lower left-hand corner of Internet Explorer, you will need to go
to the Internet Explorer Options Settings for Security and remove that
site from the Restricted Zone's list of sites (for instance, I
periodically access ArtPrice.com, so I removed it from the list).

I wouldn't worry *too* much about the security tests which you failed.
In order to pass them, you would have to block some of the
functionality which I think you really will want to keep.

ace

Request for Answer Clarification by colan-ga on 13 Jun 2004 16:25 PDT
Ace:

1. ZA changes:  Check

2.  The only site under the IE Trusted Sites Zone was https://www.bestbuy.com

I removed it.

3.  IE Spyad Installed

Clarification of Answer by aceresearcher-ga on 13 Jun 2004 18:49 PDT
Now, do you pay Verizon, or AOL, for your Internet dial-up access?


Also, go into your Control Panel settings "Add and Remove Programs",
and tell me which of the following programs are actually shown on that
list:

--AOL Messenger
--aol scheduler
--Gateway printer ink monitor
--Gateway desktop support
--Creating keepsakes scrapbook designer event reminder

Request for Answer Clarification by colan-ga on 13 Jun 2004 19:40 PDT
Ace:

I pay AOL for access...I pay Verizon for my DSL service



--AOL Messenger -- No
--aol scheduler -- No
--Gateway printer ink monitor -- Yes
--Gateway desktop support -- No (there is something called 'Gateway
Rhapsody'...I don't know what that is)
--Creating keepsakes scrapbook designer event reminder -- No



Colan

Clarification of Answer by aceresearcher-ga on 13 Jun 2004 21:46 PDT
Colan,

If you have DSL -- and not dial-up -- from Verizon, then you probably
got some software from Verizon when you signed up for DSL. Is that the
case?

If so, then you don't need to pay AOL for anything -- unless you
really want to. Bear in mind that everything that you see through the
AOL interface is filtered based on what they want you to see. Now, if
you really enjoy using their little functions like AOL Buddies,
E-mail, Instant Messenger, My AOL etc., you certainly have the option
to pay for that service.

However, you also have the ability to bypass them entirely, use
non-filtered Search Results from Google, use a free e-mail provider
such as Hotmail or Yahoo!, or a reasonably-priced pay e-mail service
without
***having to look at the ads that they want you to see***
and without
***getting Search Results which they have sold to the highest bidder***.

You can get the same "My Page" services -- with news headlines,
weather, TV and Theatre listings, Stock Quotes, etc. -- from MSN or
Yahoo!, and you don't have to pay a thing for them.
http://my.msn.com
http://my.yahoo.com

I encourage you to consider your alternatives.


Now, make sure that you have System Restore enabled, and we'll take
these one by one.

"Gateway Rhapsody is a music subscription service ($9.95 a month)
powered by streaming music service Listen.com. Selected tracks can be
burned on custom CDs for 99 cents per track."
http://www.internetnews.com/ec-news/article.php/10793_1545541

I encourage you to double-check your statements and make sure that you
are not paying a monthly fee for this. Also, what are you paying AOL
monthly?

Then you can go ahead and click "Remove Program" for Gateway Rhapsody
in the "Add / Remove Programs" Control Panel.

Then shut down your computer, restart it, run HijackThis! again, and
post the HJT log here for me.

ace

Request for Answer Clarification by colan-ga on 14 Jun 2004 04:15 PDT
Ace:

First of all, I want to say thanks for taking so much time on this and
I really appreciate your advice.  I had no idea when we started that
this would be so involved and I REALLY appreciate everything you are
suggesting.

1.  I deleted Rhapsody.  I am virtually certain I am not paying for this;

2.  As for 'overpaying' for AOL, it is something I am aware of and
have considered before.  I pay something like $29 per month for access
to their broadband services.  I know I could probably replicate these
things elsewhere, but we DO like some of the AOL-only stuff, and
inertia + simplicity is probably going to keep me there.

However, it is important to note that I have almost exclusively
isolated this 'PC freeze thing' (which brought me to you in the first
place :-)  ) to AOL.  If--after we have optimized this computer--I
cannot completely eliminate the windows freezing, I may reconsider the
'benefits' of paying such a high monthly fee for something I could
have for free elsewhere.


3.  Updated Hijack This Log:

Logfile of HijackThis v1.97.7
Scan saved at 7:07:45 AM, on 6/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Putnam\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard
/RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway
Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON
Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event
Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D}
(DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do
More\DoMoreRunExe.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight
Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - file://C:\Program
Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
Environment 1.3.0_02) -
https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Thanks...

Colan

Request for Answer Clarification by colan-ga on 14 Jun 2004 04:32 PDT
One more quick question:

How do I make sure that I have System Restore enabled?

Clarification of Answer by aceresearcher-ga on 14 Jun 2004 10:13 PDT
Symantec has a great instruction page on Disabling and Enabling System Restore:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

Once you've done that, if the system does not force you to shut down
and restart, do so anyway.

Then use your Control Panel "Add / Remove Programs" to uninstall MSN Messenger.

Then shut down, restart, run HJT again, and post your log here.

Request for Answer Clarification by colan-ga on 14 Jun 2004 15:15 PDT
Ace:

MSN Messenger is not listed on the add/delete screen--that is why I
was unable to delete it before asking the question.

Clarification of Answer by aceresearcher-ga on 14 Jun 2004 15:52 PDT
Well, it looks like there are TWO different programs, both called
Messenger, and I think you want to get rid of both of them.

So try following the directions for your Version of Windows XP (Home
vs Pro) on these two pages:

Remove MSN IP Messenger
http://www.pchell.com/support/ipmessaging.shtml

Shut down and restart; do some browsing to make sure everything is working okay.

Then, make a copy of your Registry:
Start ==> Run ==> regedit <enter>

Pull down "Registry" and select "Export Registry file" -- make sure
that you choose "Export Range". Write down the filename where you save
it. I recommend that you also save a copy to CD or to 3.5" floppy.

Then follow these directions (I'd print them off and follow them VERY carefully):
Remove MSN Messenger
http://www.pchell.com/support/removemessenger.shtml

Then shut down, restart, run HJT, and post the log here.

Request for Answer Clarification by colan-ga on 14 Jun 2004 16:08 PDT
RE:"So try following the directions for your Version of Windows XP (Home
vs Pro) on these two pages:

Remove MSN IP Messenger
http://www.pchell.com/support/ipmessaging.shtml

Shut down and restart; do some browsing to make sure everything is working okay.

--I looked at the files suggested and the messenger software was already disabled.

======================
RE:

Pull down "Registry" and select "Export Registry file" -- make sure
that you choose "Export Range. Write down the filename where you save
it. I recommend that you also save a copy to CD or to 3.5" floppy.

--I am not sure what you mean by this...there is no pull down for
"registry."  Under file, there is an option to export, and the types
include "registration files (*.reg)" or "registry Hive files (*.*)" 
as well as other file types.  Is this what you mean?  If so, please be
more specific.

Thanks...

Colan

Clarification of Answer by aceresearcher-ga on 14 Jun 2004 19:09 PDT
I have refused as of yet to install XP, so my Windows is slightly
different than yours. Here's a good tutorial from PCWorld on how to
back up your registry in XP:
http://www.pcworld.com/howto/article/0,aid,86903,pg,2,00.asp

Request for Answer Clarification by colan-ga on 15 Jun 2004 03:48 PDT
RE:

"Then follow these directions (I'd print them off and follow them VERY carefully):
Remove MSN Messenger
http://www.pchell.com/support/removemessenger.shtml"

I took a look at this page and the only thing it said about MSN
messenger was to go to the add/delete files screen and delete the
program.  Of course, the program is not there (Or I would have already
deleted it).

It is interesting to me that the HJT line says "O4 - HKCU\..\Run:
[msnmsgr] "C:\Program Files\MSNMessenger\msnmsgr.exe" /background"

I looked under C:\program files and there IS NO MSNMessenger subdirectory.

At any rate, perhaps we should skip this and try to address the other
programs.  The previous version of HJT should still be accurate, as I
have made no changes.

Clarification of Answer by aceresearcher-ga on 15 Jun 2004 08:08 PDT
<< << Then follow these directions (I'd print them off and follow them
VERY carefully):
Remove MSN Messenger
http://www.pchell.com/support/removemessenger.shtml" >>

I took a look at this page and the only thing it said about MSN
messenger was to go to the add/delete files screen and delete the
program.>>

If you scroll down on this page, it talks about running gpedit and/or regedit.


Also, go into your Control Panel settings "Add and Remove Programs",
click on "Gateway printer ink monitor", then "Remove". This is a
little spyware program that monitors your printer ink level, and when
it becomes low, the program sends you to the website of an ink
cartridge company which is no doubt giving kickbacks to Gateway for
this little service.

Then Shut Down, Restart, run HJT, and post new log here.

Request for Answer Clarification by colan-ga on 15 Jun 2004 09:52 PDT
Will do this evening and repost.

Thanks...

Colan

Request for Answer Clarification by colan-ga on 16 Jun 2004 18:52 PDT
Ace:


Sorry for the delay...

1.  I followed the directions given for removing messenger.  All I
have to say is, "Geez...how is ANYONE supposed to know how to do
something like that???!!!"  At any rate, I did exactly as it said.

2.  I removed Gateway Ink Monitor from the add/delete programs list.

3.  Here is an updated HJT scan:


Logfile of HijackThis v1.97.7
Scan saved at 9:48:25 PM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Pam BV\Pam Driver\Pam.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\Downloads\Putnam\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard
/RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON
Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event
Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Pam Driver.lnk = C:\Program Files\Pam BV\Pam Driver\Pam.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D}
(DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do
More\DoMoreRunExe.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight
Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - file://C:\Program
Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
Environment 1.3.0_02) -
https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Please note that I installed a new program, called PAM, over the last
couple of days and I see it is now showing up on the HJT printout.  I
want to keep this program installed.

Thanks again for all of your help.

Colan

Clarification of Answer by aceresearcher-ga on 21 Jun 2004 10:41 PDT
Okay, run HJT, remove these items, lather, rinse, reboot, run HJT, and
post the log here:

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = 
  C:\Program Files\Scrapbook Designer\scrapremind.exe
O8 - Extra context menu item: Download &all with DAP -
  C:\PROGRA~1\DAP\dapextie2.htm
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D}
(DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do
More\DoMoreRunExe.CAB
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - file://C:\Program
Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB

Request for Answer Clarification by colan-ga on 22 Jun 2004 03:32 PDT
New HJT Below:

Logfile of HijackThis v1.97.7
Scan saved at 6:31:48 AM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Pam BV\Pam Driver\Pam.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Putnam\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard
/RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON
Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Pam Driver.lnk = C:\Program Files\Pam BV\Pam Driver\Pam.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight
Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
Environment 1.3.0_02) -
https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
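
Added example, not part of the original thread: one way to check a rescan against the list of entries that were supposed to be removed. It re-joins the word-wrapped log lines seen in these posts before comparing. The function names are hypothetical, and the two sample texts are short excerpts constructed from the 21 Jun removal list and the 22 Jun scan above.

```python
import re

# A HijackThis entry starts with a group id such as "R1 - ", "O4 - " or "O16 - ".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_START = re.compile(r"^(?:[RFN]\d|O\d{1,2}) - ")


def parse_entries(log_text):
    """Return the log's entries as single lines, re-joining wrapped fragments."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            current = None                 # a blank line ends any open entry
        elif ENTRY_START.match(line):
            current = [line]               # start of a new entry
            entries.append(current)
        elif current is not None:
            current.append(line)           # continuation of a wrapped entry
    # The posts were wrapped at word boundaries, so a single space restores them.
    return [" ".join(parts) for parts in entries]


def entry_key(entry):
    """Comparison key: collapse whitespace, ignore case (Windows paths)."""
    return " ".join(entry.split()).casefold()


def compare(requested_text, rescan_text):
    """Split the requested removals into those gone and those still present."""
    present = {entry_key(e) for e in parse_entries(rescan_text)}
    result = {"gone": [], "remaining": []}
    for entry in parse_entries(requested_text):
        bucket = "remaining" if entry_key(entry) in present else "gone"
        result[bucket].append(entry)
    return result


# Constructed sample: part of the removal list posted on 21 Jun.
REQUESTED = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download &all with DAP -
  C:\PROGRA~1\DAP\dapextie2.htm
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - file://C:\Program
Files\gateway\helpspot\RunExeActiveX.CAB
"""

# Constructed sample: a few lines excerpted from the 22 Jun rescan.
RESCAN = r"""
Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""


def demo():
    """Run the comparison on the two constructed samples."""
    return compare(REQUESTED, RESCAN)


if __name__ == "__main__":
    outcome = demo()
    for status in ("gone", "remaining"):
        print(status.upper())
        for entry in outcome[status]:
            print("  " + entry)
```
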

Clarification of Answer by aceresearcher-ga on 24 Jun 2004 15:54 PDT
We're starting to get down to the nitty-gritty now, where removing
things becomes a little more tricky and involves some decision-making
on your part.

Since you don't want Messenger, you can have HijackThis! remove these items:

O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)

This is a program for specially-programmed keyboard keys. My Gateway
system has this too, but since I don't use the programmed keys, I've
taken this out of my startup routine. If you don't use the special
programmed keys (Internet...Mail...etc), you can remove this, too:
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

If you don't burn CDs frequently, you can remove this item (you'll
need to start it directly from your "Programs" menu when you do need
to use it):
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"

Try once again to get rid of this guy:
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB


Now, we get into decision time.

Do you currently access online gaming networks, or access your home PC
from a remote source (you've already said that you don't use
Messenger)?

If not, then you probably don't need 

O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run


AOL is tying up a fair bit of your system resources with these running processes:

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe


If you wish, you can try removing these items. Be aware that they may
cause AOL to stop working properly. However, if that happens and you
still need AOL, it can be reinstalled (AOL is quite generous with
copies of their program).

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)


Once you're done, shut down and restart your computer, run HJT, and
post the log again.

Request for Answer Clarification by colan-ga on 26 Jun 2004 15:01 PDT
Ace:  New HJT below (it is getting shorter!  :-)

I got rid of all of AOL stuff but left port magic for now.  Also, FYI
I went ahead and installed the 2MB of extra RAM because I am so sick
of the machine locking up.  Hopefully that plus what you are doing for
me will put me in good shape.  Thanks so much.




Logfile of HijackThis v1.97.7
Scan saved at 5:59:38 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Pam BV\Pam Driver\Pam.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\Downloads\Putnam\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Pam Driver.lnk = C:\Program Files\Pam BV\Pam Driver\Pam.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.0_02) - https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B46E27E-A971-4727-84C4-11C11C687A06}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B46E27E-A971-4727-84C4-11C11C687A06}: NameServer = 205.188.146.146

Clarification of Answer by aceresearcher-ga on 27 Jun 2004 06:39 PDT
Colan,

Let's take a look at the svchost processes you've got running.

To view the list of services that are running in Svchost: 
  Click Start on the Windows taskbar, and then click Run.
  In the Open box, type CMD, and then press ENTER.
  Type Tasklist /SVC, and then press ENTER.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314056

Please post here a copy of the report produced by following these instructions.

Request for Answer Clarification by colan-ga on 27 Jun 2004 08:28 PDT
Ace:

Not sure what is going wrong here, but I cannot run the report.

"To view the list of services that are running in Svchost: 
  Click Start on the Windows taskbar, and then click Run.
  In the Open box, type CMD, and then press ENTER."

I did this and it opened a DOS command window.  However, when I try to
type 'Tasklist /svc', I get the following error message:

" 'tasklist' is not recognized as in internal or external command,
operable program or batch file. "

The DOS window shows me at the C:\> root prompt.  Is there some
particular subdirectory I need to be in to find the tasklist command?

I looked at the windows link you pointed me to and the only thing I
could find different is that it referred to XP professional and I am
running XP home.

As an aside, I am still concerned that the machine is locking up
despite now having 2.5MB of RAM installed.  It is now doing this in
AOL only, so I suspect strongly that it is an AOL problem.

I am sure I am probably doing simply something wrong in the CMD prompt
instructions, but I cannot figure out what it is.

Thanks.

Colan

Clarification of Answer by aceresearcher-ga on 29 Jun 2004 09:18 PDT
XP Pro comes with tasklist.exe; XP Home does not. However, you can
download a copy from the MVPS XP Tweaks site (click on the hyperlinked
"here" in the following sentence):

"Windows XP Home does not have tasklist.exe. Download Tasklist.exe from <<here>>:"
http://www.mvps.org/sramesh2k/svchost.htm

Request for Answer Clarification by colan-ga on 29 Jun 2004 09:57 PDT
Ace:

Thanks.  Will download and repost ASAP.

Request for Answer Clarification by colan-ga on 29 Jun 2004 14:51 PDT
O.K. Ace...I got the report, but it is listed on the DOS screen, and I
do not know how to cut and paste.  I tried doing a screen capture, but
I cannot copy that to the answer clarification box.  Is there an email
address I can send it to?  I guess I could copy it word for word, but
I'd rather not :-)

I am open to suggestions.

Clarification of Answer by aceresearcher-ga on 30 Jun 2004 07:24 PDT
Process Explorer, by Mark Russinovich, will provide you with the
ability to see which processes are currently running, along with
real-time monitoring of CPU usage. You can pull down "File ==> Save"
to save a textfile log (.txt). Try running it and see if you can post
the saved logfile here.
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Request for Answer Clarification by colan-ga on 30 Jun 2004 08:10 PDT
Ace:

Thanks.  Will do and post this evening.

Request for Answer Clarification by colan-ga on 30 Jun 2004 15:05 PDT
Aaarrrrrggghhhh!     :-)

Downloaded the file and tried to execute both in DOS (using CMD
command) and directly in windows.  Got the following error:

"C:\...procexp.exe is not a valid Win32 application."

Any further suggestions?

Request for Answer Clarification by colan-ga on 30 Jun 2004 15:06 PDT
BTW...Are you sorry yet that you decided to answer this question??!?

:-)

Clarification of Answer by aceresearcher-ga on 30 Jun 2004 15:22 PDT
Are you sure that you downloaded the correct version?

Note that at the bottom of the page
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

There are several different download links:

"Download Process Explorer (x86 - 230 KB) - you plan on using Process
Explorer on Win9x/Me"

"Download Process Explorer (x86 - 230 KB) - you plan on using Process
Explorer on WinNT/2K/XP"  <== this should be the one that you want

"The files below are for 64-bit versions of Windows: 
Download Process Explorer (XP/Server 2003 64-bit Edition/x64 - 230 KB)"


<<..Are you sorry yet that you decided to answer this question??!? >>
Nah. I'm actually learning a few new things.

I wouldn't do this for everyone, especially since many Questions of
this type are posted for $10.00 or less. However, I felt like doing a
little experimentation, and you won the "AceResearcher Lotto".

;-)

Request for Answer Clarification by colan-ga on 30 Jun 2004 17:25 PDT
Ace:

1.  I double checked which one I downloaded and it was the correct
one.  Then--just to make sure--I tried downloading all of the rest of
them as well.  I then re-downloaded the file again just to make sure
and I tried it again--same message every time.  I tried loading the
program by both double clicking and by invoking it from DOS--same
message.  Not sure what to do from here.

As for the Ace Lotto, it is very much appreciated.  However, given the
amount of work you have already done on this...if you keep with me and
help me to the end I assure you I will not stiff you on the tip!

I REALLY do appreciate all the time and effort you have put in on this.

Colan

Clarification of Answer by aceresearcher-ga on 30 Jun 2004 17:52 PDT
colan,

What you are downloading is a .zip (compressed) file.

*Right*-click on the following hyperlink:
"Download Process Explorer (x86 - 230 KB) - you plan on using Process
Explorer on WinNT/2K/XP"

and choose "Save Target As". You'll then need to Browse to an
appropriate folder. I Browsed to "C:\Program Files", then clicked the
little icon of the folder with the fizzly/sparkly star on its upper
right-hand corner
( http://www.autorun-autoplay-tools.com/images/eas-new-saveas.gif )
and named the New Folder "Process Explorer". Then I clicked off to the
side of (in the white space) the new "Process Explorer" folder, then
double-clicked on the new folder to open it up.

The "Save As" dialog box should show something like
  File Name:     procexpnt.zip
  Save as Type:  Compressed Folder <== (pull down if something else)

then click "Save".

Then in *Windows* Explorer, browse to the location where you saved the
zip file, and *Right*-click on the procexpnt.zip file/folder. Choose
"Extract All", and when prompted for an "extract to folder", Browse to
"C:\Program Files\Process Explorer\", click "Next", and click "Show
Extracted Files".

The following files should be extracted into
C:\Program Files\Process Explorer\:
procexp.exe
procexp.chm
README.TXT

Double-click on "procexp.exe", and that should start up Process Explorer.

Please let me know if you are still having trouble after following these directions.

Request for Answer Clarification by colan-ga on 30 Jun 2004 18:02 PDT
Ace:

I got the zip files and had uncompressed them correctly.  It was the
exe file that I tried repeatedly to load.

Still no luck.

Clarification of Answer by aceresearcher-ga on 30 Jun 2004 18:58 PDT
I'm mystified.

I can't imagine why this won't work for you.

Try each of the other versions (be sure to save in their own file
folder as suggested by the extract utility).

If that still doesn't work, try shutting down and restarting your
computer, then double-clicking one-by-one on each of the 3 different
executables to see if one of them will work.

Request for Answer Clarification by colan-ga on 01 Jul 2004 03:44 PDT
YEAHHH!

I finally got it to work!  I won't bore you with all the details, but
I had to download repeatedly (and reboot) before a version worked.  I
never could get the version for XP to work, but by saving the others
into separate folders (instead of just copying over), it finally ran. 
Output below:

Process	PID	CPU	Description	Company Name
System Idle Process	0	98		
 Interrupts	n/a	1	Hardware Interrupts	
 DPCs	n/a		Deferred Procedure Calls	
 System	4			
  smss.exe	692		Windows NT Session Manager	Microsoft Corporation
   csrss.exe	740		Client Server Runtime Process	Microsoft Corporation
   winlogon.exe	768		Windows NT Logon Application	Microsoft Corporation
    services.exe	812	1	Services and Controller app	Microsoft Corporation
     svchost.exe	1016		Generic Host Process for Win32 Services	Microsoft Corporation
      hpoevm08.exe	608		HP OfficeJet COM Event Manager	Hewlett-Packard Co.
       hposts08.exe	2956		HP OfficeJet Status	Hewlett-Packard Co.
     svchost.exe	1100		Generic Host Process for Win32 Services	Microsoft Corporation
     svchost.exe	1296		Generic Host Process for Win32 Services	Microsoft Corporation
     svchost.exe	1328		Generic Host Process for Win32 Services	Microsoft Corporation
     spoolsv.exe	1516		Spooler SubSystem App	Microsoft Corporation
     alg.exe	788		Application Layer Gateway Service	Microsoft Corporation
     AOLacsd.exe	948		AOL Connectivity Service	America Online, Inc.
     CCEVTMGR.EXE	1044		Event Manager Service	Symantec Corporation
     gearsec.exe	1076		gearsec	GEAR Software
     NAVAPSVC.EXE	1152		Norton AntiVirus Auto-Protect Service	Symantec Corporation
     nvsvc32.exe	1184		NVIDIA Driver Helper Service, Version 52.16	NVIDIA Corporation
     svchost.exe	1576		Generic Host Process for Win32 Services	Microsoft Corporation
     vsmon.exe	1868		TrueVector Service	Zone Labs Inc.
     wanmpsvc.exe	2064		Wan Miniport (ATW) Service	America Online, Inc.
     iPodService.exe	2648		iPodService Module	Apple Computer, Inc.
    lsass.exe	824		LSA Shell (Export Version)	Microsoft Corporation
explorer.exe	1780		Windows Explorer	Microsoft Corporation
 ccApp.exe	1956		Common Client CC App	Symantec Corporation
 iTunesHelper.exe	1980		iTunesHelper Module	Apple Computer, Inc.
 point32.exe	1988		Point32.exe	Microsoft Corporation
 SK9910DM.EXE	2012		Daemon	Silitek Corporation
 E_S0HIC1.EXE	2040		EPSON Status Monitor 3	SEIKO EPSON CORPORATION
 zlclient.exe	192		Zone Labs Client	Zone Labs Inc.
 rundll32.exe	228		Run a DLL as an App	Microsoft Corporation
 hpohmr08.exe	328		HP OfficeJet COM Device Objects	Hewlett-Packard Co.
 hpotdd01.exe	332		hpotdd01	Hewlett-Packard
 Pam.exe	360		Pam Driver	Pam B.V.
 IEXPLORE.EXE	3604		Internet Explorer	Microsoft Corporation
 procexp.exe	888	1	Sysinternals Process Explorer	Sysinternals
PortAOL.exe	268		Port Magic Application	Pure Networks, Inc.
mpbtn.exe	500		Motive Chorus System Tray Button	Motive Communications, Inc.

Process: Procexp Pid: -2

Type	Name

Clarification of Answer by aceresearcher-ga on 01 Jul 2004 04:21 PDT
Yea!

After all that, the PE log isn't showing the details of the svchost processes.

So, for EACH occurrence of that:
(make sure that "View ==> Show Lower Pane" is checked)
  1) click on "SVCHOST.EXE" to highlight the item
  2) down below, check the listed attributes to see if you can
identify what system / process / program is running svchost
  3) paste that name here (you can usually "Copy" by right-clicking on
the attribute in the lower pane and selecting "Properties"; if that
doesn't work, you'll have to type the information)

Request for Answer Clarification by colan-ga on 01 Jul 2004 04:58 PDT
Will do this evening and post.  Thanks.

Request for Answer Clarification by colan-ga on 04 Jul 2004 06:10 PDT
Ace:  I re-ran it with additional column headings...please see below
if this has the information you need.  As for the manual listing,
"down below, check the listed attributes to see if you can identify
what system / process / program is running svchost"  , I tried to
look, but am not sure how to tell what system/process/program is
running.  It just lists lots of stuff and I am not sure how to figure
out what the program is.  Also, I tried the "properties, copy"
command, and it does not seem to work.  I don't mind copying manually,
but I'm really not sure which thing to copy (and there are dozens and
dozens).  Please look at the new screenshot below, and if it does not
have enough info, perhaps you can give me an example of what to look
for?

Thanks and happy independence day...

Colan



=================================


Process	PID	CPU	Description	Company Name	Session ID	Path	Command Line
System Idle Process	0	98			0		
 Interrupts	n/a		Hardware Interrupts		0		
 DPCs	n/a		Deferred Procedure Calls		0		
 System	4				0		
  smss.exe	692		Windows NT Session Manager	Microsoft Corporation	0	C:\WINNT\system32\smss.exe	\SystemRoot\System32\smss.exe
   csrss.exe	740		Client Server Runtime Process	Microsoft Corporation	0	C:\WINNT\system32\csrss.exe	C:\WINNT\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestU
   winlogon.exe	764		Windows NT Logon Application	Microsoft Corporation	0	C:\WINNT\system32\winlogon.exe	winlogon.exe
    services.exe	808	1	Services and Controller app	Microsoft Corporation	0	C:\WINNT\system32\services.exe	C:\WINNT\system32\services.exe
     svchost.exe	1008		Generic Host Process for Win32 Services	Microsoft Corporation	0	C:\WINNT\system32\svchost.exe	C:\WINNT\system32\svchost -k rpcss
      hpoevm08.exe	2440		HP OfficeJet COM Event Manager	Hewlett-Packard Co.	0	C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe	"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe" -Embedding
       hposts08.exe	2744		HP OfficeJet Status	Hewlett-Packard Co.	0	C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe	"C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe" /CtxID "#Hewlett-Packard#hp psc 1200 series#1085598880" /Startup
     svchost.exe	1092		Generic Host Process for Win32 Services	Microsoft Corporation	0	C:\WINNT\system32\svchost.exe	C:\WINNT\System32\svchost.exe -k netsvcs
     svchost.exe	1288		Generic Host Process for Win32 Services	Microsoft Corporation	0	C:\WINNT\system32\svchost.exe	C:\WINNT\System32\svchost.exe -k NetworkService
     svchost.exe	1320		Generic Host Process for Win32 Services	Microsoft Corporation	0	C:\WINNT\system32\svchost.exe	C:\WINNT\System32\svchost.exe -k LocalService
     spoolsv.exe	1488		Spooler SubSystem App	Microsoft Corporation	0	C:\WINNT\system32\spoolsv.exe	C:\WINNT\system32\spoolsv.exe
     alg.exe	1700		Application Layer Gateway Service	Microsoft Corporation	0	C:\WINNT\system32\alg.exe	C:\WINNT\System32\alg.exe
     AOLacsd.exe	1712		AOL Connectivity Service	America Online, Inc.	0	C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe	C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
     CCEVTMGR.EXE	1732		Event Manager Service	Symantec Corporation	0	C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE	"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
     gearsec.exe	1760		gearsec	GEAR Software	0	C:\WINNT\system32\gearsec.exe	C:\WINNT\System32\gearsec.exe
     NAVAPSVC.EXE	1788		Norton AntiVirus Auto-Protect Service	Symantec Corporation	0	C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE	"C:\Program Files\Norton AntiVirus\navapsvc.exe"
     nvsvc32.exe	1820		NVIDIA Driver Helper Service, Version 52.16	NVIDIA Corporation	0	C:\WINNT\system32\nvsvc32.exe	C:\WINNT\System32\nvsvc32.exe
     svchost.exe	212		Generic Host Process for Win32 Services	Microsoft Corporation	0	C:\WINNT\system32\svchost.exe	C:\WINNT\System32\svchost.exe -k imgsvc
     vsmon.exe	268		TrueVector Service	Zone Labs Inc.	0	C:\WINNT\system32\ZoneLabs\vsmon.exe	C:\WINNT\system32\ZoneLabs\vsmon.exe -service
     wanmpsvc.exe	592		Wan Miniport (ATW) Service	America Online, Inc.	0	C:\WINNT\wanmpsvc.exe	"C:\WINNT\wanmpsvc.exe"
     iPodService.exe	2120		iPodService Module	Apple Computer, Inc.	0	C:\Program Files\iPod\bin\iPodService.exe	"C:\Program Files\iPod\bin\iPodService.exe"
    lsass.exe	820		LSA Shell (Export Version)	Microsoft Corporation	0	C:\WINNT\system32\lsass.exe	C:\WINNT\system32\lsass.exe
explorer.exe	1864		Windows Explorer	Microsoft Corporation	0	C:\WINNT\explorer.exe	C:\WINNT\Explorer.EXE
 ccApp.exe	1084		Common Client CC App	Symantec Corporation	0	C:\Program Files\Common Files\Symantec Shared\ccApp.exe	"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
 iTunesHelper.exe	1176		iTunesHelper Module	Apple Computer, Inc.	0	C:\Program Files\iTunes\iTunesHelper.exe	"C:\Program Files\iTunes\iTunesHelper.exe"
 point32.exe	1300		Point32.exe	Microsoft Corporation	0	C:\Program Files\Microsoft IntelliPoint\point32.exe	"C:\Program Files\Microsoft IntelliPoint\point32.exe"
 SK9910DM.EXE	1524		Daemon	Silitek Corporation	0	C:\WINNT\system32\SK9910DM.EXE	"C:\WINNT\System32\SK9910DM.EXE"
 E_S0HIC1.EXE	1568		EPSON Status Monitor 3	SEIKO EPSON CORPORATION	0	C:\WINNT\system32\spool\drivers\w32x86\3\E_S0HIC1.EXE	"C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE" /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
 zlclient.exe	1136		Zone Labs Client	Zone Labs Inc.	0	C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe	"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
 rundll32.exe	1956		Run a DLL as an App	Microsoft Corporation	0	C:\WINNT\system32\rundll32.exe	"C:\WINNT\System32\RUNDLL32.EXE" C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
 hpohmr08.exe	2188		HP OfficeJet COM Device Objects	Hewlett-Packard Co.	0	C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe	"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe"
 hpotdd01.exe	2220		hpotdd01	Hewlett-Packard	0	C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe	"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
 Pam.exe	2236		Pam Driver	Pam B.V.	0	C:\Program Files\Pam BV\Pam Driver\Pam.exe	"C:\Program Files\Pam BV\Pam Driver\Pam.exe"
 IEXPLORE.EXE	3288		Internet Explorer	Microsoft Corporation	0	C:\Program Files\Internet Explorer\IEXPLORE.EXE	"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
 IEXPLORE.EXE	3160		Internet Explorer	Microsoft Corporation	0	C:\Program Files\Internet Explorer\IEXPLORE.EXE	"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
 IEXPLORE.EXE	2948		Internet Explorer	Microsoft Corporation	0	C:\Program Files\Internet Explorer\IEXPLORE.EXE	"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
 procexp.exe	3704	1	Sysinternals Process Explorer	Sysinternals	0	C:\Program Files\Quicken 2004\Downloaded Data\temp programs\temp 2\procexp.exe	"C:\Program Files\Quicken 2004\Downloaded Data\temp programs\temp 2\procexp.exe"
PortAOL.exe	2056		Port Magic Application	Pure Networks, Inc.	0	C:\Program Files\Pure Networks\Port Magic\PortAOL.exe	"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -ShowUI -Run
mpbtn.exe	2408		Motive Chorus System Tray Button	Motive Communications, Inc.	0	C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe	"C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe"

Process: svchost.exe Pid: 1008

Type	Name
Desktop	\Default
Directory	\Windows
Directory	\BaseNamedObjects
Directory	\KnownDlls
Event	\BaseNamedObjects\ScmCreatedEvent
Event	\BaseNamedObjects\userenv:  User Profile setup event
File	\Device\Afd\Endpoint
File	\Device\Afd\Endpoint
File	\Device\Tcp
File	\Device\Ip
File	\Device\Tcp
File	\Device\Ip
File	\Device\Ip
File	\Device\Tcp
File	\Device\Afd\Endpoint
File	\Device\Afd\Endpoint
File	\Device\NwlnkSpx\Stream
File	\Device\Afd\Endpoint
File	\Device\Afd\Endpoint
File	\Device\Afd\Endpoint
File	\Device\NwlnkIpx
File	\Device\NamedPipe\epmapper
File	\Device\NamedPipe\epmapper
File	\Device\NamedPipe\net\NtControlPipe2
File	\Device\NamedPipe\svcctl
File	\Device\KsecDD
File	\Dfs
File	C:\WINNT\system32
File	\Device\Afd\Endpoint
File	\Device\Tcp
File	\Device\Afd\Endpoint
File	\Device\NamedPipe\Winsock2\CatalogChangeListener-3f0-0
Key	HKLM
Key	HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key	HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key	HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key	HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key	HKCR
Key	HKCR
Key	HKLM\SOFTWARE\Microsoft\COM3
Key	HKU
Key	HKCR
Key	HKU
Key	HKLM\SOFTWARE\Microsoft\COM3
Key	HKLM\SOFTWARE\Microsoft\COM3
Key	HKCR\CLSID
Key	HKCR
Key	HKLM\SOFTWARE\Microsoft\COM3
Key	HKU
Key	HKLM\SOFTWARE\Microsoft\COM3
Key	HKLM\SOFTWARE\Microsoft\COM3
Key	HKCR\CLSID
Key	HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
Key	HKU\.DEFAULT
Key	HKU
Key	HKCR\CLSID
Key	HKCR\AppID
Key	HKLM\SOFTWARE\Microsoft\Ole
Key	HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key	HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key	HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
KeyedEvent	\KernelObjects\CritSecOutOfMemoryEvent
Mutant	\BaseNamedObjects\ShimCacheMutex
Port	\RPC Control\epmapper
Process	hpoevm08.exe(2440)
Section	\BaseNamedObjects\RotHintTable
Section	\BaseNamedObjects\__R_000000000029_SMem__
Section	\BaseNamedObjects\ShimSharedMemory
Thread	svchost.exe(1008): 1028
Thread	svchost.exe(1008): 3112
Thread	svchost.exe(1008): 1476
Thread	svchost.exe(1008): 1028
Thread	svchost.exe(1008): 1600
Thread	svchost.exe(1008): 1028
Thread	svchost.exe(1008): 1012
Thread	svchost.exe(1008): 3548
Thread	svchost.exe(1008): 1476
Thread	svchost.exe(1008): 2580
Thread	svchost.exe(1008): 3936
Thread	svchost.exe(1008): 1016
Thread	svchost.exe(1008): 1016
Thread	svchost.exe(1008): 1024
Thread	svchost.exe(1008): 1024
Token	S0032030900\Owner
Token	NT AUTHORITY\SYSTEM
Token	NT AUTHORITY\LOCAL SERVICE
Token	NT AUTHORITY\LOCAL SERVICE
Token	NT AUTHORITY\SYSTEM
Token	NT AUTHORITY\SYSTEM
Token	NT AUTHORITY\SYSTEM
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	NT AUTHORITY\SYSTEM
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	NT AUTHORITY\SYSTEM
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	S0032030900\Owner
WindowStation	\Windows\WindowStations\Service-0x0-3e7$
WindowStation	\Windows\WindowStations\Service-0x0-3e7$

Request for Answer Clarification by colan-ga on 05 Jul 2004 11:15 PDT
Ace:

one question....I am getting random sound problems when I load some
programs (like I-tunes).  I am concerned that I may have deleted
something that is affecting the sound.  It seems to correct itself if
I reboot, and it only happens occasionally, but do you have any
thoughts?

Clarification of Answer by aceresearcher-ga on 07 Jul 2004 08:40 PDT
colan,

I'm doing a little research on your Question, and will post another
Clarification soon.

Thanks,
ace

Request for Answer Clarification by colan-ga on 07 Jul 2004 09:57 PDT
Ace:

No problem and no hurry.  I really do appreciate all of your help on this.

Colan

Clarification of Answer by aceresearcher-ga on 09 Jul 2004 11:12 PDT
Colan,

Since the Process Explorer log that you posted shows only generic
information for the svchost processes that are running, can you

1) start Process Explorer 
2) make sure that View ==> Show Lower Pane is checkmarked (if not, click on it)
3) click on the first "svchost.exe"
4) type into Notepad any names or information in the lower pane that
looks like it might be helpful in identifying the process
5) repeat this for each occurrence of svchost

I know that this is a pain, but I've been looking and have not yet
been able to find a good way to easily show details on your system.

Thanks,

ace

Request for Answer Clarification by colan-ga on 09 Jul 2004 12:15 PDT
Ace:

Will do.  Please note that I am going out of town for several days and
will not be able to do this until after next week.  Hope that is o.k.
with you.

Clarification of Answer by aceresearcher-ga on 09 Jul 2004 12:46 PDT
No problem. Have a safe trip!

Request for Answer Clarification by colan-ga on 31 Jul 2004 05:49 PDT
Hi there:

Remember me?  :-)

Hope things are well with you.  Well, I'm back and I am trying to pick
up where we left off...

Question...when you say "type into Notepad any names or information in
the lower pane that looks like it might be helpful in identifying the
process"...can you be more specific?  There is a LOT of stuff there to
type.

The Types include:

Desktop
Directory
Event
File
Key
Keyed Event
Mutant
Port
Process
Section
Thread
Token
Windowstation

Of course, many of these types have multiple listings, and this is just
for the FIRST occurrence of SVCHOST.  If I tried to recreate the whole
thing, I would be typing for days.  Any hints to try to narrow it
down?  If need be, I will (reluctantly) try typing the entire first
one if that will be helpful, but it is going to take a long time so I
want to be sure before I go there.

Thanks for any direction you can give me.

Colan

Request for Answer Clarification by colan-ga on 31 Jul 2004 05:57 PDT
On the first SVCHOST, this is what was in the lower pane...is this
what you need to see?:


Process: svchost.exe Pid: 1020

Type	Name
Desktop	\Default
Directory	\Windows
Directory	\BaseNamedObjects
Directory	\KnownDlls
Event	\BaseNamedObjects\ScmCreatedEvent
Event	\BaseNamedObjects\userenv:  User Profile setup event
File	\Device\Afd\Endpoint
File	\Device\Afd\Endpoint
File	\Device\Tcp
File	\Device\Ip
File	\Device\Tcp
File	\Device\Ip
File	\Device\Ip
File	\Device\Tcp
File	\Device\Afd\Endpoint
File	\Device\Afd\Endpoint
File	\Device\NwlnkSpx\Stream
File	\Device\Afd\Endpoint
File	\Device\Afd\Endpoint
File	\Device\Afd\Endpoint
File	\Device\NwlnkIpx
File	\Device\NamedPipe\epmapper
File	\Device\NamedPipe\epmapper
File	\Device\NamedPipe\net\NtControlPipe2
File	\Device\NamedPipe\svcctl
File	\Device\KsecDD
File	\Dfs
File	C:\WINNT\system32
File	\Device\Afd\Endpoint
File	\Device\Tcp
File	\Device\Afd\Endpoint
File	\Device\NamedPipe\Winsock2\CatalogChangeListener-3fc-0
Key	HKLM
Key	HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key	HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key	HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key	HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key	HKCR
Key	HKCR
Key	HKLM\SOFTWARE\Microsoft\COM3
Key	HKU
Key	HKCR
Key	HKU
Key	HKLM\SOFTWARE\Microsoft\COM3
Key	HKLM\SOFTWARE\Microsoft\COM3
Key	HKCR\CLSID
Key	HKCR
Key	HKLM\SOFTWARE\Microsoft\COM3
Key	HKU
Key	HKLM\SOFTWARE\Microsoft\COM3
Key	HKLM\SOFTWARE\Microsoft\COM3
Key	HKCR\CLSID
Key	HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
Key	HKU\.DEFAULT
Key	HKU
Key	HKCR
Key	HKCR
Key	HKCR
Key	HKCR
Key	HKCU\Software\Classes
Key	HKCR
Key	HKCU\Software\Classes
Key	HKCR\CLSID
Key	HKCR\AppID
Key	HKLM\SOFTWARE\Microsoft\Ole
Key	HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key	HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key	HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
KeyedEvent	\KernelObjects\CritSecOutOfMemoryEvent
Mutant	\BaseNamedObjects\ShimCacheMutex
Port	\RPC Control\epmapper
Process	hpoevm08.exe(1432)
Process	wisptis.exe(1588)
Section	\BaseNamedObjects\RotHintTable
Section	\BaseNamedObjects\__R_000000000029_SMem__
Section	\BaseNamedObjects\ShimSharedMemory
Thread	svchost.exe(1020): 1040
Thread	svchost.exe(1020): 1492
Thread	svchost.exe(1020): 1040
Thread	svchost.exe(1020): 1616
Thread	svchost.exe(1020): 1040
Thread	svchost.exe(1020): 1024
Thread	svchost.exe(1020): 1492
Thread	svchost.exe(1020): 3788
Thread	svchost.exe(1020): 3396
Thread	svchost.exe(1020): 2080
Thread	svchost.exe(1020): 1028
Thread	svchost.exe(1020): 1028
Thread	svchost.exe(1020): 1036
Thread	svchost.exe(1020): 1036
Token	NT AUTHORITY\SYSTEM
Token	NT AUTHORITY\LOCAL SERVICE
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	NT AUTHORITY\LOCAL SERVICE
Token	S0032030900\Owner
Token	NT AUTHORITY\SYSTEM
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	NT AUTHORITY\SYSTEM
Token	NT AUTHORITY\SYSTEM
Token	S0032030900\Owner
Token	NT AUTHORITY\SYSTEM
Token	NT AUTHORITY\SYSTEM
Token	S0032030900\Owner
Token	NT AUTHORITY\SYSTEM
Token	NT AUTHORITY\SYSTEM
Token	NT AUTHORITY\SYSTEM
Token	NT AUTHORITY\SYSTEM
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	S0032030900\Owner
Token	NT AUTHORITY\SYSTEM
Token	S0032030900\Owner
WindowStation	\Windows\WindowStations\Service-0x0-3e7$
WindowStation	\Windows\WindowStations\Service-0x0-3e7$
colan-ga rated this answer:5 out of 5 stars
Went way above and beyond the original question...
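
The svchost question worked through in the answer above (which service group each svchost.exe instance hosts) can be read straight from a Process Explorer text export that includes the Path and Command Line columns. The following is an added example, not part of the original thread: it rejoins the hard-wrapped rows, reads each instance's `-k` group, and goes one step further by checking image path and parent process. The sample rows are constructed from the log posted above; the PID 4242 row and the function names are made up for illustration, and the system root is assumed to be C:\WINNT as on this machine.

```python
import re
from dataclasses import dataclass

# Constructed sample: rows taken from the Process Explorer export posted in
# this thread, hard line wraps included, plus one made-up row (PID 4242)
# showing a svchost.exe that does not match the expected pattern.
# "|" stands in for the tab characters of the real export.
SAMPLE = "\n".join([
    r"Process|PID|CPU|Description|Company Name|Session ID|Path|Command Line",
    r"    services.exe|808|1|Services and Controller app|Microsoft",
    r"Corporation|0|C:\WINNT\system32\services.exe|C:\WINNT\system32\services.exe",
    r"     svchost.exe|1008||Generic Host Process for Win32",
    r"Services|Microsoft Corporation|0|C:\WINNT\system32\svchost.exe|C:\WINNT\system32\svchost",
    r"-k rpcss",
    r"     svchost.exe|1092||Generic Host Process for Win32",
    r"Services|Microsoft Corporation|0|C:\WINNT\system32\svchost.exe|C:\WINNT\System32\svchost.exe",
    r"-k netsvcs",
    r"     svchost.exe|212||Generic Host Process for Win32",
    r"Services|Microsoft Corporation|0|C:\WINNT\system32\svchost.exe|C:\WINNT\System32\svchost.exe",
    r"-k imgsvc",
    r"explorer.exe|1864||Windows Explorer|Microsoft",
    r"Corporation|0|C:\WINNT\explorer.exe|C:\WINNT\Explorer.EXE",
    r" svchost.exe|4242||Generic Host Process for Win32 Services||0|C:\WINNT\svchost.exe|C:\WINNT\svchost.exe",
    "",
    "Process: svchost.exe Pid: 1008",
    "Type|Name",
]).replace("|", "\t")

# A real row starts with: indent, image name, PID (or n/a), CPU (digits or
# empty). Wrapped continuation lines such as "Corporation<TAB>0<TAB>C:\..."
# fail the CPU test, so they are not mistaken for new rows.
ROW_START = re.compile(r"^( *)([^\t]+)\t(\d+|n/a)\t(\d*)\t")


@dataclass
class Proc:
    depth: int      # indentation level = position in the process tree
    name: str
    pid: str
    path: str
    cmdline: str
    parent: str     # image name of the parent row, "" for top-level rows


def parse_export(text):
    """Rejoin wrapped lines and return one Proc per process row."""
    rows = []
    for line in text.splitlines():
        if line.startswith("Process:"):      # handle list begins, table ends
            break
        if line.startswith("Process\t") or not line.strip():
            continue                         # header or blank line
        if ROW_START.match(line):
            rows.append(line)
        elif rows:
            rows[-1] += " " + line           # continuation of a wrapped row
    procs, stack = [], []
    for row in rows:
        depth = len(row) - len(row.lstrip(" "))
        cols = row.strip(" ").split("\t")
        cols += [""] * (8 - len(cols))       # short export without Path columns
        while stack and stack[-1].depth >= depth:
            stack.pop()
        parent = stack[-1].name if stack else ""
        proc = Proc(depth, cols[0], cols[1], cols[6], cols[7], parent)
        procs.append(proc)
        stack.append(proc)
    return procs


def triage_svchost(procs, system_root=r"C:\WINNT"):
    """Report the -k group of every svchost.exe and note anything unusual."""
    expected = (system_root + r"\system32\svchost.exe").lower()
    report = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        group = re.search(r"-k\s+(\S+)", p.cmdline)
        notes = []
        if p.path.lower() != expected:
            notes.append("unexpected path")
        if p.parent.lower() != "services.exe":
            notes.append("parent is not services.exe")
        if not group:
            notes.append("no -k service group")
        report.append({"pid": int(p.pid),
                       "group": group.group(1) if group else None,
                       "notes": notes})
    return report


if __name__ == "__main__":
    for entry in triage_svchost(parse_export(SAMPLE)):
        print(entry)
```

The services that belong to each `-k` group are listed in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.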

Comments  
Subject: Re: Help with clearing out Spyware/unneeded programs
From: lri41-ga on 07 Jun 2004 16:02 PDT
 
Too many processes in XP

two truly comprehensive web sites:
 which covers the topic of xp efficiency in an extremely thorough and
comprehensive manner; which handles virtually any question regarding
startup programs.

http://www.blackviper.com/WinXP/servicecfg.htm

This will help you out.

http://www.pacs-portal.co.uk/startup_pages/startup_full.htm

Windows XP Services:

http://www.scotsnewsletter.com/forums/index.php?act=ST&f=4&t=1271&s=


TASK LIST PROGRAMS

Smart Computing Q&A Board
Mossberg's Mailbag, WSJ 3-18-2004

One of the processes listed is "System" for example; when I check this
on a web site that I came across, it states concerning "System" -
"Leave it alone". The link for Task List Programs for your interest
is:

there is a better way to see what's what. Go to 

 www.answersthatwork.com

 and click on the button called "Task List." It's a reference library
that explains most of these processes, and advises on what to do about
them.

http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

Through our support service we often come across problems caused
primarily by programs running in the background, programs which in
most cases start at the same time as Windows.  Sometimes these
programs are useful and need to be there;  quite often, however, they
are not needed, and in too many cases they cause severe problems. The
pages below are from our in-house database and provide guidance on the
usefulness or not of these programs, and removal procedures when
recommended. In Windows 95/98/ME you can bring up the Task List by
pressing Ctrl+Alt+Del.  In Windows NT4/2000/XP you bring up the Task
List by right-clicking on the Task Bar and choosing "Task Manager"


Mossberg's Mailbag, WSJ 3-18-2004

At the same Web site

  www.answersthatwork.com

you can buy a $20 program called "The Ultimate Troubleshooter," which
places the same list and advice on your own PC, and can also disable
processes you don't want.
             

The WinTasks Process Library

The WinTasks Process Library contains information about all common
Windows processes and is continuously updated with new information. On
this page you can find a subset of the most popular processes listed
in WinTasks Process Library. The categories available online are:
Security Risks, System Processes, and Applications.

http://www.liutilities.com/products/wintaskspro/processlibrary/

Processes
A process is an executable program on both Linux and Windows. By
convention, a filename with a .exe extension (suffix) is an executable
on Windows. Processes are made by compiling source files and producing
executables. Compilation is quite similar on both Windows and Linux:
