Greetings, colan!
I'd like to take this step-by-step.
Please do not Rate the Answer until we have completed the process.
First, make sure that you have all of your important documents backed
up to CD or diskette.
Before you ran AdAware, did you make sure that you have the latest
edition? It should be Version 6.0. If so, did you click on "Check for
updates now" before you began your AdAware scan? I believe that the
latest set of definitions should show as "AdAware 6.0 Personal, Build
162" in the lower right-hand corner of the AdAware window. If you
download 6.0 now, be sure you also click "Check for updates now"
BEFORE you run the scan anew.
http://www.lavasoft.de/support/download
Then shut down your computer and restart.
Then, if you haven't already, download Spybot Search & Destroy Version
1.3. Again, you'll want to make sure that you have 1.3, and that you
click "Check for updates" before running the program.
http://www.safer-networking.org/index.php?page=mirrors
Then shut down your computer and restart.
Once you've done those, download and run HijackThis!, and post your
scan log here. We'll go from there.
http://www.spychecker.com/program/hijackthis.html
If you have any Questions about the above information, please post a
Request for Clarification, and I will be glad to see what I can do for
you.
Regards,
aceresearcher |
Request for Answer Clarification by colan-ga on 07 Jun 2004 10:53 PDT
Ace:
Thanks. I will go through these steps this evening when I can get
back on the computer and then post the next information at that time.
|
Request for Answer Clarification by colan-ga on 07 Jun 2004 17:00 PDT
Quick Question:
I am going through the steps and wanted to backup my files (as you
suggested) before starting.
Does XP have a backup wizard I can use to do this without manually
having to pick every file I want to back up? If so, how do I access
it? (I could not find it in the control panel).
|
Clarification of Answer by aceresearcher-ga on 07 Jun 2004 17:04 PDT
colan,
What CD-burning software is installed on your system?
Examples:
Nero Express
Direct CD
Easy CD Creator
etc
|
Request for Answer Clarification by colan-ga on 07 Jun 2004 17:11 PDT
CD burning software is "ROXIO Easy CD Creator 5"
|
Request for Answer Clarification by colan-ga on 07 Jun 2004 17:29 PDT
I could have sworn XP had a backup wizard to help simplify backups,
but I just went ahead and picked files one-by-one and copied them over
to my DVD drive.
|
Request for Answer Clarification by colan-ga on 07 Jun 2004 17:45 PDT
FYI, the AdAware version I used was 6.0, Build 6.181
I assume this is the latest version as it is higher than the Build 162
you suggested. Please let me know if this is incorrect. I am running
Spybot now (8:45 Eastern Time).
|
Request for Answer Clarification by colan-ga on 07 Jun 2004 17:56 PDT
While running Spybot, I got the following message:
"This application has failed to start because wtKernel0100.dll was not
found. Re-installing the application may fix this problem."
I am going to reinstall and try again.
|
Request for Answer Clarification by colan-ga on 07 Jun 2004 18:43 PDT
HijackThis Log Below:
Logfile of HijackThis v1.97.7
Scan saved at 9:42:18 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Quicken 2004\Downloaded Data\Programs\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program
Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint
Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Motive SmartBridge]
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard
/RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway
Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON
Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase
C:\WINNT\System32\oobe\msoobe.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event
Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program
Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program
Files\Quicken 2004\bagent.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D}
(DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do
More\DoMoreRunExe.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight
Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - file://C:\Program
Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
Environment 1.3.0_02) -
https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl
Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent
Control) - http://install.wildtangent.com/bgn/partners/wildgames/polarbowler/install.cab
|
Request for Answer Clarification by colan-ga on 07 Jun 2004 18:52 PDT
Also...
After running Spybot, I am now getting the following runDLL error
message every time I reboot:
"Error loading C:\program Files\Wildtangent\Apps\CDA\cdaengine0400.dll
The specified module could not be found"
I assume I nuked part of this program when I ran Spybot, but I do not
know how to get rid of the rest of the program/keep the error message
from coming up. I tried add/delete programs, but windows said that it
could not remove WildTangent.
Perhaps we can fix this when we are going through the other programs?
|
Request for Answer Clarification by colan-ga on 08 Jun 2004 14:57 PDT
Ace:
Please let me know what I need to do next.
|
Request for Answer Clarification by colan-ga on 08 Jun 2004 19:29 PDT
Ace?
Hello?
Please respond as to my next step.
|
Clarification of Answer by aceresearcher-ga on 08 Jun 2004 23:03 PDT
Hi, colan, I haven't forgotten you.
As you may have guessed, Researchers don't stay at their computers
24/7 (we're human and we need an occasional break just like you!), but
I haven't forgotten about you.
Go to Control Panel->Add/Remove Programs and uninstall:
- Viewpoint Media Player
- Download Accelerator Plus (DAP)
Download CoolWebShredder and run it:
http://www.spychecker.com/program/coolwebshredder.html
Then run HijackThis! and have it remove the following objects:
Removing these may solve your boot-up error:
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program
Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Motive SmartBridge]
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent
Control) - http://install.wildtangent.com/bgn/partners/wildgames/polarbowler/install.cab
Remove these if they still exist after the uninstalls:
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint
Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
These are spyware from RealPlayer and QuickTime player; neither is
needed to run the actual players, but they like to reactivate
themselves whenever you use the player:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program
Files\CommonFiles\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
Loads MS Office stuff that's not necessary:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
TurboTax spyware:
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program
Files\ItsDeductible7\ItsD7.exe
Unnecessary Quicken process:
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program
Files\Quicken 2004\bagent.exe
MS Registration startup (no longer needed)
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase
C:\WINNT\System32\oobe\msoobe.exe
Adware and possibly spyware:
O4 - Startup: PowerReg Scheduler V3.exe
Resource hog installed with Creative Sound Card driver:
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
Remove this if CoolWebShredder didn't take care of it:
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl
Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
Post your newly-revised HJT log here, and tomorrow we'll discuss
several items for which you're going to have to make decisions on
whether to keep them or remove them.
It's pretty humorous that the AOL and Gateway reps told you you have
spyware running, since there is a bunch of AOL and Gateway crap using
your system resources which doesn't need to be running!
Hang in there, and we'll get it all worked through...
ace
|
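The triage in the answer above can be mechanised. As an added example (not part of this thread and not code from HijackThis itself), the Python below parses a v1.97-format log and flags the entry types the researcher singled out: orphaned O3 toolbars, O4 startup items from the adware list, RunOnce and rundll32 startup entries, the O10 missing-LSP line, and O16 CABs registered from file:// or fetched over plain http from a host other than the OS vendor's update site. The sample log is constructed from entries posted earlier in the thread, and the UNWANTED_MARKERS list and TRUSTED_DPF_HOSTS set are assumptions drawn from the researcher's list, not from any published ruleset.

```python
"""Triage a HijackThis v1.97.x log for the entry types discussed in this thread."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: a trimmed, one-entry-per-line copy of the kind of log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 9:42:18 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - Startup: PowerReg Scheduler V3.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
"""

# HJT prefixes every finding with a section code (R0-R3, F0-F1, O1-O20 in this version).
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")

# Assumed list: startup items the researcher in this thread called adware or unneeded.
UNWANTED_MARKERS = ("wildtangent", "viewpoint", "dap.exe", "powerreg",
                    "realsched.exe", "qttask.exe")
# Assumed allowlist: the one O16 host on this box that is the OS vendor's update site.
TRUSTED_DPF_HOSTS = {"v4.windowsupdate.microsoft.com"}


@dataclass
class Entry:
    section: str  # e.g. "O4"
    body: str     # text after "O4 - "


@dataclass
class Finding:
    section: str
    body: str
    reasons: list = field(default_factory=list)


def parse_hjt_log(text):
    """Return the R*/F*/O* entries; the header and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def review_entry(e):
    """Reasons one entry deserves a second look, following the thread's triage."""
    low = e.body.lower()
    reasons = []
    if e.section == "O3" and low.endswith("(no file)"):
        reasons.append("toolbar CLSID still registered but its DLL is gone (leftover of a removal)")
    elif e.section == "O4":
        if "runonce" in low:
            reasons.append("RunOnce entry: one-shot command at next boot, confirm it is expected")
        if "rundll32" in low:
            reasons.append("rundll32 loads a DLL export at startup; deleting the DLL but not this "
                           "entry produces the boot-time 'module could not be found' error")
        if any(marker in low for marker in UNWANTED_MARKERS):
            reasons.append("startup item named in this thread as adware or unneeded")
    elif e.section == "O10" and "missing" in low:
        reasons.append("Winsock LSP chain points at a missing DLL; networking stays broken until repaired")
    elif e.section == "O16":
        # The download URL is the last " - " separated field of a DPF entry.
        url = urlparse(e.body.rsplit(" - ", 1)[-1].strip())
        if url.scheme == "file":
            reasons.append("ActiveX CAB registered from a local file:// path")
        elif url.scheme == "http" and url.hostname not in TRUSTED_DPF_HOSTS:
            reasons.append(f"ActiveX CAB fetched over plain http from {url.hostname}")
    return reasons


def review(entries):
    """Collect every entry with at least one reason into a list of Findings."""
    findings = []
    for e in entries:
        reasons = review_entry(e)
        if reasons:
            findings.append(Finding(e.section, e.body, reasons))
    return findings


def main():
    for f in review(parse_hjt_log(SAMPLE_LOG)):
        print(f"{f.section}: {f.body[:72]}")
        for r in f.reasons:
            print(f"    - {r}")


if __name__ == "__main__":
    main()
```

Entries the script does not flag (R0/R1 home page and proxy settings, the Norton BHO) still need a human look; the point is to surface the classes the thread walks through, not to replace that judgement.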
Request for Answer Clarification by colan-ga on 09 Jun 2004 03:30 PDT
Thanks Ace!
I will run these and post back the results.
|
Request for Answer Clarification by colan-ga on 09 Jun 2004 04:04 PDT
Ace:
Below is a revised log from Hijack This. I went through all of the
steps you suggested EXCEPT deleting Download Accelerator. This was a
program that I bought and paid for. If it is possible to keep it, I
would like to. If you think the resources used are not worth it,
please let me know and I will go ahead and delete it.
BTW, the reboot error dll message has now gone away. Thanks so much
for all of your help.
Revised Log:
Logfile of HijackThis v1.97.7
Scan saved at 7:00:01 AM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Putnam\hijack\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard
/RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway
Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON
Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event
Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D}
(DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do
More\DoMoreRunExe.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight
Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - file://C:\Program
Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
Environment 1.3.0_02) -
https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
|
Clarification of Answer by aceresearcher-ga on 09 Jun 2004 07:22 PDT
Colan,
I'll let you read about Download "Accelerator" Plus, then we can talk
about it if you have questions:
PestPatrol is a good site for finding the lowdown on many programs:
http://www.pestpatrol.com/PestInfo/d/download_accelerator_plus.asp
ace
|
Request for Answer Clarification by colan-ga on 09 Jun 2004 07:56 PDT
Ace:
After reading the pestpatrol excerpt, I am leaning towards just going
ahead and getting rid of the product after all, although I am very
open to any opinion/advice you may have.
Thanks...
Colan
|
Clarification of Answer by aceresearcher-ga on 09 Jun 2004 08:56 PDT
One of the beauties of Google when you're looking for something is
that you can for the most part depend on the search engine to deliver
the most relevant pages -- as determined by their algorithm, not by
who's paid the most money to be seen. Download "Accelerator" Plus
replaces search engine results with the most relevant pages ***from
their database of companies which are paying to be advertised***.
Does that mean that the search results you get are going to be what
you really **want** to see? In some cases, maybe, but in most cases, I
would imagine not.
Furthermore, despite the fact that DAP advertises that their product
makes it faster to download files, in fact (and the reason I put
"Accelerator" in quotes) it makes your downloads slower, because
you've got extra processes taking up your system resources.
According to PestPatrol:
"Displays banner advertisements through the program interface. Also
adds a toolbar to your browser with an animated ad. Ads are display
during install, during downloads, during updates, and non-stop on your
browser toolbar. In addition, may redirect you to a different download
site, resulting in more ads."
Now, if your browser is loading all those extra ads, is that going to
make a download running simultaneously run faster? Of course not. And
it's also going to mean that, just surfing the web, pages are going to
load a lot more slowly, because the browser is also accessing the DAP
site and loading ads from it in addition to the content of the page
you want to see.
The really sad part is that people who download DAP do so because
their system response has already deteriorated noticeably due to
spyware and adware that has snuck into their computer. DAP takes
advantage of those people's situation and makes it worse. In my
opinion, that makes the company as evil as they come.
They've made you pay to have a slower system -- AND deal with all the
extra crap they're serving up. My personal philosophy, when I find
that I've paid for something that is more hindrance than help, if I
can't return it to where I bought it, I just cut it loose. No sense
giving it any more of my precious time and money.
But that's just my take on it -- and everyone's entitled to my own
opinion! Your mileage may vary. ;-)
|
Request for Answer Clarification by colan-ga on 09 Jun 2004 09:56 PDT
Ace:
Thanks for the insight on DAP. I find your comments to be EXTREMELY helpful.
I will delete the correct files on DAP and then re-upload a revised
Hijack this log this evening.
Thanks again... I really appreciate the iterative feedback, as I suspect
that is the only way I can get to where I need to be.
Colan
|
Request for Answer Clarification by colan-ga on 09 Jun 2004 15:37 PDT
Ace:
DAP items have been deleted via Hijack This...
Here is a revised Log screen:
Logfile of HijackThis v1.97.7
Scan saved at 6:36:25 PM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\Downloads\Putnam\hijack\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard
/RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway
Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON
Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event
Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D}
(DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do
More\DoMoreRunExe.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight
Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - file://C:\Program
Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
Environment 1.3.0_02) -
https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
|
Clarification of Answer by
aceresearcher-ga
on
10 Jun 2004 13:46 PDT
Colan,
I've been doing some research, and I need to ask you some more questions.
I'm more than a little concerned that several of the things previously
listed to be removed by HijackThis still appear to be running,
according to the log. Is it possible that you didn't get checkmarks
placed in front of some of them? (You have to be sure to check the box;
just highlighting the item with the mouse will not remove it.) You
might try comparing the list I provided of items to a fresh HJT scan,
fixing any of them that still remain, then shutting down and
restarting your computer before running a new scan and posting that
new log for me here.
I presume that AOL is your Internet Service Provider, and that you
can't remove their browsing software.
You stated that you want to get rid of MSN Messenger. Do you also want
to get rid of AOL Messenger, or do you actually use that feature
frequently?
I also need to know whether you frequently use and need to keep any of
the following:
iTunes / iPod
Verizon Online Support Center
AOL Scheduler
Gateway Printer Ink Monitor
Gateway Desktop Support
Creating Keepsakes Scrapbook Designer Event Reminder
MyPutnam Online Support Website (I'm very concerned as to why
they've got you set up to be running Java all the time)
(I hope that with all the things that we've removed so far, your
system is at least performing better than it was when you posted your
Question!)
Thanks,
ace
|
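The thread turns on comparing one HijackThis log with the next (did the items marked for fixing actually disappear after the reboot?). As an added example, not the page's or HijackThis's own code, the script below parses the word-wrapped log format as it appears in these posts, diffs two scans, and flags the entry kinds the researcher has been pointing at (the O10 LSP line, an O16 object that downloads an .exe, an unresolved startup shortcut). The two sample logs are constructed in that format; the "Example Adware" autostart is a made-up placeholder, not a real indicator.

```python
"""Parse HijackThis logs, diff two scans and flag entries worth a second look.

Added example for this thread, not the HijackThis project's own code. The
sample logs below are constructed in the format of the posted logs; the
"Example Adware" autostart is a made-up placeholder, not a real indicator.
"""
import re
from dataclasses import dataclass

# "R0 - ...", "O4 - ...", "O16 - ..." open a new entry; any other line after
# "Running processes:" is a process path or a word-wrapped continuation.
SECTION_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")
HEADER_PREFIXES = ("Logfile of HijackThis", "Scan saved at", "Platform:", "MSIE:")


@dataclass(frozen=True, order=True)
class Entry:
    section: str
    body: str


def parse_hjt_log(text):
    """Return (process_paths, entries) for one log.

    A log pasted into a forum post arrives word-wrapped, so a line that is
    neither a process path nor the start of an entry is glued back onto the
    previous entry with a single space (wrapping only happens at spaces).
    """
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(HEADER_PREFIXES):
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        match = SECTION_RE.match(line)
        if match:
            in_processes = False
            entries.append(Entry(match.group(1), match.group(2)))
        elif in_processes:
            processes.append(line)
        elif entries:
            prev = entries.pop()
            entries.append(Entry(prev.section, prev.body + " " + line))
    return processes, entries


def diff_logs(old_text, new_text):
    """Entries that disappeared between two scans, and entries that appeared.

    This is the check the researcher asks for: did the items marked "fix"
    actually leave the log after a reboot, and did anything new show up?
    """
    old = set(parse_hjt_log(old_text)[1])
    new = set(parse_hjt_log(new_text)[1])
    return sorted(old - new), sorted(new - old)


def review_entries(entries):
    """Defender-side heuristics tied to what this thread discusses.

    Returns (entry, reason) pairs. These are prompts for a human to look
    closer, not verdicts; the OEM and toolbar entries in the posted logs are
    deliberately not flagged.
    """
    findings = []
    for e in entries:
        if e.section == "O10":
            findings.append((e, "Winsock LSP chain references a missing DLL; "
                                "the chain needs repair, not just deletion"))
        elif e.section == "O16" and e.body.lower().endswith(".exe"):
            findings.append((e, "ActiveX download points at an executable "
                                "rather than a CAB; confirm the site is needed"))
        elif e.section == "O4" and e.body.endswith("= ?"):
            findings.append((e, "startup shortcut target could not be "
                                "resolved; verify what it launches"))
    return findings


# Constructed sample logs in the wrapped form seen in the posts.
OLD_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 7:50:35 AM, on 6/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Example Adware] C:\PROGRA~1\EXAMPL~1\example.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
Environment 1.3.0_02) -
https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
"""
# The follow-up scan: same machine, placeholder autostart gone after the fix.
NEW_LOG = OLD_LOG.replace(
    r"O4 - HKLM\..\Run: [Example Adware] C:\PROGRA~1\EXAMPL~1\example.exe" + "\n", "")

if __name__ == "__main__":
    removed, added = diff_logs(OLD_LOG, NEW_LOG)
    print("gone since last scan:", [e.body for e in removed])
    print("new since last scan:", [e.body for e in added])
    for entry, why in review_entries(parse_hjt_log(NEW_LOG)[1]):
        print(f"{entry.section}: {why}")
```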
Request for Answer Clarification by
colan-ga
on
10 Jun 2004 15:24 PDT
Ace:
1. I am reasonably certain that I actually checked the boxes in
Hijackthis, but it is possible I did it incorrectly. I will try to
fix the remaining ones once again and I will make certain this time;
2.
--AOL Messenger--delete
--itunes/ipod--keep
--Verizon support center--keep
--aol scheduler--delete
--Gateway printer ink monitor--delete
--Gateway desktop support--delete
--Creating keepsakes scrapbook designer event reminder--delete
--Myputnam online support website--probably keep (it's for my work),
but please let me know how much capacity it is using
As for the performance, unfortunately it is still locking up when I am using AOL.
I will report back and post a fresh log as soon as I run Hijackthis
again (could be late tonight)
Thanks again for all of your help.
Colan
|
Clarification of Answer by
aceresearcher-ga
on
10 Jun 2004 16:09 PDT
Colan,
When you say "still locking up when I am using AOL", can you give me
some more detail about what is happening?
ace
|
Request for Answer Clarification by
colan-ga
on
10 Jun 2004 19:56 PDT
Ace:
re: "locking up in aol":
In general, I can proceed fine through most functions. However, from
time to time, the machine completely freezes, meaning the cursor still
moves but I cannot invoke task manager or do a reboot. When this
happens, I am forced to literally shut off all power to the machine
and then reboot. Often, this is happening when I am using AOL. I
will be doing fine, then I will invoke a certain page (for example, my
current weather). As the page tries to open, the machine locks up and
I get the symptoms above.
This is what prompted me to first contact Gateway and AOL customer
service. When, after numerous tries, they were relatively unhelpful,
I came to you.
Colan
|
Request for Answer Clarification by
colan-ga
on
11 Jun 2004 04:43 PDT
Ace:
After considering, I want to get rid of the myputnam java thing you mentioned.
|
Request for Answer Clarification by
colan-ga
on
11 Jun 2004 04:51 PDT
Ace:
I looked carefully at the revised logfile and could find none of the
files that you had previously said to delete. Here is a copy of the
current logfile:
Logfile of HijackThis v1.97.7
Scan saved at 7:50:35 AM, on 6/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\America Online 9.0a\aoltray.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Putnam\hijack\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard
/RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway
Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON
Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event
Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D}
(DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do
More\DoMoreRunExe.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight
Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - file://C:\Program
Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
Environment 1.3.0_02) -
https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Please advise
|
Clarification of Answer by
aceresearcher-ga
on
11 Jun 2004 07:35 PDT
Colan,
I'm glad to see that you're right: the logfile looks much better now,
with none of the things that were still in the previous one -- it was
probably just that the computer had not been restarted before you
saved that log.
Did you install AOL's interface from a CD, or was it downloaded from the Internet?
ace
|
Request for Answer Clarification by
colan-ga
on
11 Jun 2004 09:33 PDT
Not sure what you mean by "aol's interface" but I probably downloaded
it from the internet.
Also, FYI, my new memory (2000MB) and Norton Internet Security have now
come. I am going to wait to install these until we can get everything
else in line so that I do not complicate the procedure and potentially
introduce new variables.
Do you have any opinions on Norton IS? Gateway recommended it as a
good way to help stop further Spyware but I would value your opinion.
|
Clarification of Answer by
aceresearcher-ga
on
11 Jun 2004 21:53 PDT
Colan,
It looks like you're already running a firewall (ZoneAlarm). Do you
use the free version, or ZoneAlarm Pro (the paid version)?
If you've already paid for ZoneAlarm Pro, you probably don't need to
buy Norton IS (in fact, I doubt that you'll be able to run the two
together). If that's the case, and you haven't opened IS yet, you may
be able to return it for a full refund.
|
Request for Answer Clarification by
colan-ga
on
12 Jun 2004 04:35 PDT
Thanks for the clarification on Norton. I have the paid ZoneAlarm and
if Norton is simply a firewall, then I will return it.
|
Clarification of Answer by
aceresearcher-ga
on
13 Jun 2004 09:33 PDT
Colan,
Before we delete anything new, I'd like you to perform several tests
on your system.
Please complete the tests listed at the following locations, and alter
your security settings as they suggest:
Jason's Browser Security Tests
http://www.jasons-toolbox.com/BrowserSecurity
For the tests on Javascript, even though he suggests you set your
"Active Scripting" to "Prompt" or "Disable", I recommend that you set
it at "Enable". Otherwise, you will either have to respond to prompts
at almost every website you attempt to access, or you will be unable
to access them at all. Yes, this does leave your system a little more
vulnerable, but the alternative is pretty bad (if you wish, try it by
setting to "Prompt" and visiting several sites that you trust).
PC Flank's Firewall Tests
http://www.pcflank.com/art41b.htm
Thanks,
ace
|
Request for Answer Clarification by
colan-ga
on
13 Jun 2004 10:30 PDT
Ace:
Ran the Jason Browser tests and made all the changes EXCEPT the one
you suggested (re active scripting). I also did not change the
cookies setting to require actively acknowledging cookies--that seems
also like a lot of overkill but I would like your further opinion.
RE PC FLank:
1. Leaktest was successful (firewall worked);
2. Too leaky was a failure (firewall did not work), but I did not see a fix;
3. Firehole was a failure (firewall did not work), but I did not see a fix;
4. Yalta started to get out of my aptitude--it asks for IP addresses
and I am not sure how to run it;
5. PC Audit was a failure (firewall did not work), but I did not see a fix;
6. Atelier (AWFT) scored 0 out of 4. Tests 5 and 6 gave me the error
message: "Access violation at address <hex address deleted> in module
'awft.exe'. Read of address is 00______4."
7. Thermite was a failure (firewall did not work), but I did not see a fix;
8. Copycat: I am not sure that I did it correctly, but I did not see
the 'exploited.txt' file on my c drive;
Please advise next steps or if I did something incorrectly.
Thanks as always...
Colan
|
Clarification of Answer by
aceresearcher-ga
on
13 Jun 2004 12:39 PDT
Colan,
If you double-click on the ZoneAlarm tray icon and click "Privacy" and
then the "Main" tab, what are your Cookie and Ad settings?
ace
|
Request for Answer Clarification by
colan-ga
on
13 Jun 2004 13:21 PDT
Ace:
Cookies Medium
Ad High
|
Clarification of Answer by
aceresearcher-ga
on
13 Jun 2004 13:53 PDT
Colan,
Check the ZoneAlarm Program Control section, Programs Tab, to see if
any program has "Server" access. Change the access of any such
programs to "X" (blocked), both for Trusted and Internet Zones.
Typically, no program should need to have access with server
privileges. If you start to have problems because of this, let me know
which one is acting up. (Any time a ZoneAlarm Prompt pops up, make
sure that you only say "Yes" to requests for "Access" privileges for
programs you want to have access, and never say "Yes" to requests for
"Server" privileges.)
Under the Firewall section, Main Tab, make sure that your Internet
Zone Security is set to "High" and your Trusted Zone Security is set
to Medium.
Then, in your Internet Explorer Options Settings for Security, make
sure that no program has snuck something into your Trusted Zone
(typically, this should be empty). If there is something there, let me
know what it is.
Then, download the free utility IE-SPYAD:
http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD
This program is not like ZoneAlarm, which runs all the time, or like
AdAware & Spybot, which run when you want them to. This utility simply
installs a huge list of sites into your "Restricted Zone", which will
help block spyware and adware. **Be aware that you may occasionally
need to tweak this; if a site that you know you want to see doesn't
display and there is a "Restricted Site" with red circle displayed in
the lower left-hand corner of Internet Explorer, you will need to go
to the Internet Explorer Options Settings for Security and remove that
site from the Restricted Zone's list of sites (for instance, I
periodically access ArtPrice.com, so I removed it from the list).
I wouldn't worry *too* much about the security tests which you failed.
In order to pass them, you would have to block some of the
functionality which I think you really will want to keep.
ace
|
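The two checks above (nothing unexpected in the Trusted Zone, and IE-SPYAD's long list landing in the Restricted Zone) both live in the same place: IE stores per-domain zone assignments under HKCU\...\Internet Settings\ZoneMap\Domains. As an added example, not IE-SPYAD's or the page's own code, the script below reads a .reg export of that key and reports which sites sit in which zone; the export it parses is constructed, with the https://www.bestbuy.com entry from this thread and two placeholder restricted domains.

```python
"""Audit Internet Explorer security-zone assignments from a .reg export.

Added example for this thread, not IE-SPYAD's or the page's own code. IE
keeps per-domain zone assignments as keys named
...\Internet Settings\ZoneMap\Domains\<domain>[\<host>], each holding DWORD
values named after a scheme ("https") or "*" for any scheme. Zone numbers:
1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
The sample export below is constructed.
"""
import re

ZONE_NAMES = {1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
DOMAINS_KEY = "\\Internet Settings\\ZoneMap\\Domains\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zonemap(reg_text):
    """Return a list of (site, zone_number) tuples from a .reg export.

    The path after ...\Domains\ is "domain" or "domain\host"; IE stores
    www.bestbuy.com as bestbuy.com\www, so the host is put back in front.
    A value named "*" covers every scheme; any other name is the scheme.
    """
    sites = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.find(DOMAINS_KEY)
            if idx == -1:
                current = None          # some other key; ignore its values
                continue
            parts = path[idx + len(DOMAINS_KEY):].split("\\")
            domain = parts[0]
            current = parts[1] + "." + domain if len(parts) > 1 else domain
            continue
        value = VALUE_RE.match(line)
        if value and current:
            scheme, zone = value.group(1), int(value.group(2), 16)
            prefix = "" if scheme == "*" else scheme + "://"
            sites.append((prefix + current, zone))
    return sites


def zone_report(sites):
    """Group sites by zone name; the Trusted list is the one to eyeball."""
    report = {name: [] for name in ZONE_NAMES.values()}
    for site, zone in sites:
        report.setdefault(ZONE_NAMES.get(zone, f"zone {zone}"), []).append(site)
    return report


# Constructed .reg export: one Trusted entry (as found in this thread) and
# two placeholder Restricted entries of the kind IE-SPYAD installs in bulk.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bestbuy.com\www]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-adserver.test]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-spyware.test]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"=dword:00000001
"""

if __name__ == "__main__":
    for zone, members in zone_report(parse_zonemap(SAMPLE_REG)).items():
        print(f"{zone}: {members}")
```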
Request for Answer Clarification by
colan-ga
on
13 Jun 2004 16:25 PDT
Ace:
1. ZA changes: Check
2. The only site under the IE Trusted Sites Zone was https://www.bestbuy.com
I removed it.
3. IE Spyad Installed
|
Clarification of Answer by
aceresearcher-ga
on
13 Jun 2004 18:49 PDT
Now, do you pay Verizon, or AOL, for your Internet dial-up access?
Also, go into your Control Panel settings "Add and Remove Programs",
and tell me which of the following programs are actually shown on that
list:
--AOL Messenger
--aol scheduler
--Gateway printer ink monitor
--Gateway desktop support
--Creating keepsakes scrapbook designer event reminder
|
Request for Answer Clarification by
colan-ga
on
13 Jun 2004 19:40 PDT
Ace:
I pay AOL for access...I pay Verizon for my DSL service
--AOL Messenger -- No
--aol scheduler -- No
--Gateway printer ink monitor -- Yes
--Gateway desktop support -- No (there is something called 'Gateway
Rhapsody'...I don't know what that is)
--Creating keepsakes scrapbook designer event reminder -- No
Colan
|
Clarification of Answer by
aceresearcher-ga
on
13 Jun 2004 21:46 PDT
Colan,
If you have DSL -- and not dial-up -- from Verizon, then you probably
got some software from Verizon when you signed up for DSL. Is that the
case?
If so, then you don't need to pay AOL for anything -- unless you
really want to. Bear in mind that everything that you see through the
AOL interface is filtered based on what they want you to see. Now, if
you really enjoy using their little functions like AOL Buddies,
E-mail, Instant Messenger, My AOL etc., you certainly have the option
to pay for that service.
However, you also have the ability to bypass them entirely, use
non-filtered Search Results from Google, use a free e-mail provider
such as Hotmail or Yahoo!, or a reasonably-priced pay e-mail service
without
***having to look at the ads that they want you to see***
and without
***getting Search Results which they have sold to the highest bidder***.
You can get the same "My Page" services -- with news headlines,
weather, TV and Theatre listings, Stock Quotes, etc. -- from MSN or
Yahoo!, and you don't have to pay a thing for them.
http://my.msn.com
http://my.yahoo.com
I encourage you to consider your alternatives.
Now, make sure that you have System Restore enabled, and we'll take
these one by one.
"Gateway Rhapsody is a music subscription service ($9.95 a month)
powered by streaming music service Listen.com. Selected tracks can be
burned on custom CDs for 99 cents per track."
http://www.internetnews.com/ec-news/article.php/10793_1545541
I encourage you to double-check your statements and make sure that you
are not paying a monthly fee for this. Also, what are you paying AOL
monthly?
Then you can go ahead and click "Remove Program" for Gateway Rhapsody
in the "Add / Remove Programs" Control Panel.
Then shut down your computer, restart it, run HijackThis! again, and
post the HJT log here for me.
ace
|
Request for Answer Clarification by
colan-ga
on
14 Jun 2004 04:15 PDT
Ace:
First of all, I want to say thanks for taking so much time on this and
I really appreciate your advice. I had no idea when we started that
this would be so involved and I REALLY appreciate everything you are
suggesting.
1. I deleted Rhapsody. I am virtually certain I am not paying for this;
2. As for 'overpaying' for AOL, it is something I am aware of and
have considered before. I pay something like $29 per month for access
to their broadband services. I know I could probably replicate these
things elsewhere, but we DO like some of the AOL-only stuff, and
inertia + simplicity is probably going to keep me there.
However, it is important to note that I have almost exclusively
isolated this 'PC freeze thing' (which brought me to you in the first
place :-) ) to AOL. If--after we have optimized this computer--I
cannot completely eliminate the windows freezing, I may reconsider the
'benefits' of paying such a high monthly fee for something I could
have for free elsewhere.
3. Updated Hijack This Log:
Logfile of HijackThis v1.97.7
Scan saved at 7:07:45 AM, on 6/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Putnam\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard
/RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway
Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON
Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event
Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D}
(DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do
More\DoMoreRunExe.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight
Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - file://C:\Program
Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
Environment 1.3.0_02) -
https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Thanks...
Colan
|
Request for Answer Clarification by
colan-ga
on
14 Jun 2004 04:32 PDT
One more quick question:
How do I make sure that I have System Restore enabled?
|
Clarification of Answer by
aceresearcher-ga
on
14 Jun 2004 10:13 PDT
Symantec has a great instruction page on Disabling and Enabling System Restore:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
Once you've done that, if the system does not force you to shut down
and restart, do so anyway.
Then use your Control Panel "Add / Remove Programs" to uninstall MSN Messenger.
Then shut down, restart, run HJT again, and post your log here.
|
Request for Answer Clarification by
colan-ga
on
14 Jun 2004 15:15 PDT
Ace:
MSN Messenger is not listed on the add/delete screen--that is why I
was unable to delete it before asking the question.
|
Clarification of Answer by
aceresearcher-ga
on
14 Jun 2004 15:52 PDT
Well, it looks like there are TWO different programs, both called
Messenger, and I think you want to get rid of both of them.
So try following the directions for your Version of Windows XP (Home
vs Pro) on these two pages:
Remove MSN IP Messenger
http://www.pchell.com/support/ipmessaging.shtml
Shut down and restart; do some browsing to make sure everything is working okay.
Then, make a copy of your Registry:
Start ==> Run ==> regedit <enter>
Pull down "Registry" and select "Export Registry file" -- make sure
that you choose "Export Range". Write down the filename where you save
it. I recommend that you also save a copy to CD or to 3.5" floppy.
Then follow these directions (I'd print them off and follow them VERY carefully):
Remove MSN Messenger
http://www.pchell.com/support/removemessenger.shtml
Then shut down, restart, run HJT, and post the log here.
|
Request for Answer Clarification by
colan-ga
on
14 Jun 2004 16:08 PDT
RE: "So try following the directions for your Version of Windows XP (Home
vs Pro) on these two pages:
Remove MSN IP Messenger
http://www.pchell.com/support/ipmessaging.shtml
Shut down and restart; do some browsing to make sure everything is working okay."
--I looked at the files suggested and the messenger software was already disabled.
======================
RE:
Pull down "Registry" and select "Export Registry file" -- make sure
that you choose "Export Range". Write down the filename where you save
it. I recommend that you also save a copy to CD or to 3.5" floppy.
--I am not sure what you mean by this...there is no pull down for
"Registry." Under File, there is an option to Export, and the types
include "Registration files (*.reg)" or "Registry Hive files (*.*)"
as well as other file types. Is this what you mean? If so, please be
more specific.
Thanks...
Colan
|
Clarification of Answer by
aceresearcher-ga
on
14 Jun 2004 19:09 PDT
I have refused as of yet to install XP, so my Windows is slightly
different than yours. Here's a good tutorial from PCWorld on how to
back up your registry in XP:
http://www.pcworld.com/howto/article/0,aid,86903,pg,2,00.asp
|
Request for Answer Clarification by
colan-ga
on
15 Jun 2004 03:48 PDT
RE:
"Then follow these directions (I'd print them off and follow them VERY carefully):
Remove MSN Messenger
http://www.pchell.com/support/removemessenger.shtml"
I took a look at this page and the only thing it said about MSN
messenger was to go to the add/delete files screen and delete the
program. Of course, the program is not there (Or I would have already
deleted it).
It is interesting to me that the HJT line says "O4 - HKCU\..\Run:
[msnmsgr] "C:\Program Files\MSNMessenger\msnmsgr.exe" /background"
I looked under C:\program files and there IS NO MSNMessenger subdirectory.
At any rate, perhaps we should skip this and try to address the other
programs. The previous version of HJT should still be accurate, as I
have made no changes.
|
Clarification of Answer by
aceresearcher-ga
on
15 Jun 2004 08:08 PDT
<< << Then follow these directions (I'd print them off and follow them
VERY carefully):
Remove MSN Messenger
http://www.pchell.com/support/removemessenger.shtml >>
I took a look at this page and the only thing it said about MSN
messenger was to go to the add/delete files screen and delete the
program. >>
If you scroll down on this page, it talks about running gpedit and/or regedit.
Also, go into your Control Panel settings "Add and Remove Programs",
click on "Gateway printer ink monitor", then "Remove". This is a
little spyware program that monitors your printer ink level, and when
it becomes low, the program sends you to the website of an ink
cartridge company which is no doubt giving kickbacks to Gateway for
this little service.
Then Shut Down, Restart, run HJT, and post new log here.
|
Request for Answer Clarification by
colan-ga
on
15 Jun 2004 09:52 PDT
Will do this evening and repost.
Thanks...
Colan
|
Request for Answer Clarification by
colan-ga
on
16 Jun 2004 18:52 PDT
Ace:
Sorry for the delay...
1. I followed the directions given for removing messenger. All I
have to say is, "Geez...how is ANYONE supposed to know how to do
something like that???!!!" At any rate, I did exactly as it said.
2. I removed Gateway Ink Monitor from the add/delete programs list.
3. Here is an updated HJT scan:
Logfile of HijackThis v1.97.7
Scan saved at 9:48:25 PM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Pam BV\Pam Driver\Pam.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\Downloads\Putnam\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard
/RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON
Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event
Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Pam Driver.lnk = C:\Program Files\Pam BV\Pam Driver\Pam.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D}
(DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do
More\DoMoreRunExe.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight
Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - file://C:\Program
Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
Environment 1.3.0_02) -
https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Please note that I installed a new program, called PAM, over the last
couple of days and I see it is now showing up on the HJT printout. I
want to keep this program installed.
Thanks again for all of your help.
Colan
|
Clarification of Answer by
aceresearcher-ga
on
21 Jun 2004 10:41 PDT
Okay, run HJT, remove these items, lather, rinse, reboot, run HJT, and
post the log here:
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk =
C:\Program Files\Scrapbook Designer\scrapremind.exe
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D}
(DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do
More\DoMoreRunExe.CAB
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - file://C:\Program
Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB
|
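Checking by hand which of the listed items actually disappeared from the next HijackThis log is tedious, and the forum software has wrapped many entries across two lines, so they no longer match as plain strings. The following is an added Python example, not code from this thread and not HijackThis's own code: it parses HijackThis 1.9x log text, rejoins wrapped entries at the space where the forum broke them, groups entries by section code (R0, O4, O16, ...) and reports which entries vanished or appeared between two scans. The two abbreviated logs embedded below are constructed from entries visible in the posted logs, not complete copies of them.

```python
import re
from dataclasses import dataclass, field

# Start of a HijackThis entry line: "R0 - ", "O4 - ", "O16 - ", "F1 - ", ...
ENTRY_START = re.compile(r"^(R\d|F\d|O\d{1,2}) - ")
HEADER_PREFIXES = ("Logfile of HijackThis", "Scan saved at", "Platform:", "MSIE:")
PROCESS_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass
class HjtLog:
    header: list = field(default_factory=list)     # version/date/platform lines
    processes: list = field(default_factory=list)  # "Running processes:" paths
    entries: list = field(default_factory=list)    # R*/F*/O* lines, unwrapped


def parse_hjt(text):
    """Parse HijackThis 1.9x log text, rejoining entries a forum wrapped."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith(HEADER_PREFIXES):
            log.header.append(line)
        elif line.startswith("Running processes:"):
            in_processes = True
        elif ENTRY_START.match(line):
            in_processes = False
            log.entries.append(line)
        elif in_processes and PROCESS_PATH.match(line):
            log.processes.append(line)
        elif log.entries:
            # The forum broke the previous entry at a space; put it back.
            log.entries[-1] += " " + line.lstrip()
        # Any other free text around the log is ignored.
    return log


def section(entry):
    """'O4 - HKLM\\..\\Run: ...' -> 'O4'."""
    return entry.split(" - ", 1)[0]


def group_by_section(log):
    """Map section code (O4, O16, ...) to the entries in that section."""
    groups = {}
    for entry in log.entries:
        groups.setdefault(section(entry), []).append(entry)
    return groups


def diff_logs(before, after):
    """Entries that vanished and entries that appeared between two scans."""
    removed = [e for e in before.entries if e not in after.entries]
    added = [e for e in after.entries if e not in before.entries]
    return removed, added


# Constructed, abbreviated logs modelled on the ones posted in this thread.
BEFORE_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 9:48:25 PM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 6:31:48 AM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
"""

if __name__ == "__main__":
    removed, added = diff_logs(parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG))
    for entry in removed:
        print("gone :", entry)
    for entry in added:
        print("new  :", entry)
```

Paste the full text of two posted logs into BEFORE_LOG and AFTER_LOG to get the same report for the real thing; the unwrapping makes the comparison exact even when one copy was wrapped and the other was not.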
Request for Answer Clarification by
colan-ga
on
22 Jun 2004 03:32 PDT
New HJT Below:
Logfile of HijackThis v1.97.7
Scan saved at 6:31:48 AM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Pam BV\Pam Driver\Pam.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Putnam\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard
/RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON
Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Pam Driver.lnk = C:\Program Files\Pam BV\Pam Driver\Pam.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight
Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
Environment 1.3.0_02) -
https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
|
Clarification of Answer by
aceresearcher-ga
on
24 Jun 2004 15:54 PDT
We're starting to get down to the nitty-gritty now, where removing
things becomes a little more tricky and involves some decision-making
on your part.
Since you don't want Messenger, you can have HijackThis! remove these items:
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
This is a program for specially-programmed keyboard keys. My Gateway
system has this too, but since I don't use the programmed keys, I've
taken this out of my startup routine. If you don't use the special
programmed keys (Internet...Mail...etc), you can remove this, too:
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
If you don't burn CDs frequently, you can remove this item (you'll
need to start it directly from your "Programs" menu when you do need
to use it):
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
Try once again to get rid of this guy:
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
Now, we get into decision time.
Do you currently access online gaming networks, or access your home PC
from a remote source (you've already said that you don't use
Messenger)?
If not, then you probably don't need
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
AOL is tying up a fair bit of your system resources with these running processes:
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
If you wish, you can try removing these items. Be aware that they may
cause AOL to stop working properly. However, if that happens and you
still need AOL, it can be reinstalled (AOL is quite generous with
copies of their program).
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
Once you're done, shut down and restart your computer, run HJT, and
post the log again.
|
Request for Answer Clarification by
colan-ga
on
26 Jun 2004 15:01 PDT
Ace: New HJT below (it is getting shorter! :-)
I got rid of all of AOL stuff but left port magic for now. Also, FYI
I went ahead and installed the 2MB of extra ram because I am so sick
of the machine locking up. Hopefully that plus what you are doing for
me will put me in good shape. Thanks so much.
Logfile of HijackThis v1.97.7
Scan saved at 5:59:38 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Pam BV\Pam Driver\Pam.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\Downloads\Putnam\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard
/RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON
Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Pam Driver.lnk = C:\Program Files\Pam BV\Pam Driver\Pam.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.0_02) - https://www.myputnam.com/jre/j2re-1_3_0_02-win.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.533900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B46E27E-A971-4727-84C4-11C11C687A06}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B46E27E-A971-4727-84C4-11C11C687A06}: NameServer = 205.188.146.146
|
Clarification of Answer by
aceresearcher-ga
on
27 Jun 2004 06:39 PDT
Colan,
Let's take a look at the svchost processes you've got running.
To view the list of services that are running in Svchost:
Click Start on the Windows taskbar, and then click Run.
In the Open box, type CMD, and then press ENTER.
Type Tasklist /SVC, and then press ENTER.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314056
Please post here a copy of the report produced by following these instructions.
|
Request for Answer Clarification by
colan-ga
on
27 Jun 2004 08:28 PDT
Ace:
Not sure what is going wrong here, but I cannot run the report.
"To view the list of services that are running in Svchost:
Click Start on the Windows taskbar, and then click Run.
In the Open box, type CMD, and then press ENTER."
I did this and it opened a DOS command window. However, when I try to
type 'Tasklist /svc', I get the following error message:
" 'tasklist' is not recognized as an internal or external command,
operable program or batch file. "
The DOS window shows me at the C:\> root prompt. Is there some
particular subdirectory I need to be in to find the tasklist command?
I looked at the Windows link you pointed me to and the only thing I
could find different is that it referred to XP professional and I am
running XP home.
As an aside, I am still concerned that the machine is locking up
despite now having 2.5MB of RAM installed. It is now doing this in
AOL only, so I suspect strongly that it is an AOL problem.
I am sure I am probably doing simply something wrong in the CMD prompt
instructions, but I cannot figure out what it is.
Thanks.
Colan
|
Clarification of Answer by
aceresearcher-ga
on
29 Jun 2004 09:18 PDT
XP Pro comes with tasklist.exe; XP Home does not. However, you can
download a copy from the MVPS XP Tweaks site (click on the hyperlinked
"here" in the following sentence):
"Windows XP Home does not have tasklist.exe. Download Tasklist.exe from <<here>>:"
http://www.mvps.org/sramesh2k/svchost.htm
|
Request for Answer Clarification by
colan-ga
on
29 Jun 2004 09:57 PDT
Ace:
Thanks. Will download and repost ASAP.
|
Request for Answer Clarification by
colan-ga
on
29 Jun 2004 14:51 PDT
O.K. Ace...I got the report, but it is listed on the DOS screen, and I
do not know how to cut and paste. I tried doing a screen capture, but
I cannot copy that to the answer clarification box. Is there an email
address I can send it to? I guess I could copy it word for word, but
I'd rather not :-)
I am open to suggestions.
|
Clarification of Answer by
aceresearcher-ga
on
30 Jun 2004 07:24 PDT
Process Explorer, by Mark Russinovich, will provide you with the
ability to see which processes are currently running, along with
real-time monitoring of CPU usage. You can pull down "File ==> Save"
to save a textfile log (.txt). Try running it and see if you can post
the saved logfile here.
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
|
Request for Answer Clarification by
colan-ga
on
30 Jun 2004 08:10 PDT
Ace:
Thanks. Will do and post this evening.
|
Request for Answer Clarification by
colan-ga
on
30 Jun 2004 15:05 PDT
Aaarrrrrggghhhh! :-)
Downloaded the file and tried to execute both in DOS (using CMD
command) and directly in windows. Got the following error:
"C:\...procexp.exe is not a valid Win32 application."
Any further suggestions?
|
Request for Answer Clarification by
colan-ga
on
30 Jun 2004 15:06 PDT
BTW...Are you sorry yet that you decided to answer this question??!?
:-)
|
Clarification of Answer by
aceresearcher-ga
on
30 Jun 2004 15:22 PDT
Are you sure that you downloaded the correct version?
Note that at the bottom of the page
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
There are several different download links:
"Download Process Explorer (x86 - 230 KB) - you plan on using Process
Explorer on Win9x/Me"
"Download Process Explorer (x86 - 230 KB) - you plan on using Process
Explorer on WinNT/2K/XP" <== this should be the one that you want
"The files below are for 64-bit versions of Windows:
Download Process Explorer (XP/Server 2003 64-bit Edition/x64 - 230 KB)"
<<..Are you sorry yet that you decided to answer this question??!? >>
Nah. I'm actually learning a few new things.
I wouldn't do this for everyone, especially since many Questions of
this type are posted for $10.00 or less. However, I felt like doing a
little experimentation, and you won the "AceResearcher Lotto".
;-)
|
Request for Answer Clarification by
colan-ga
on
30 Jun 2004 17:25 PDT
Ace:
1. I double checked which one I downloaded and it was the correct
one. Then--just to make sure--I tried downloading all of the rest of
them as well. I then re-downloaded the file again just to make sure
and I tried it again--same message every time. I tried loading the
program by both double clicking and by invoking it from DOS--same
message. Not sure what to do from here.
As for the Ace Lotto, it is very much appreciated. However, given the
amount of work you have already done on this...if you keep with me and
help me to the end I assure you I will not stiff you on the tip!
I REALLY do appreciate all the time and effort you have put in on this.
Colan
|
Clarification of Answer by
aceresearcher-ga
on
30 Jun 2004 17:52 PDT
colan,
What you are downloading is a .zip (compressed) file.
*Right*-click on the following hyperlink:
"Download Process Explorer (x86 - 230 KB) - you plan on using Process
Explorer on WinNT/2K/XP"
and choose "Save Target As". You'll then need to Browse to an
appropriate folder. I Browsed to "C:\Program Files", then clicked the
little icon of the folder with the fizzly/sparkly star on its upper
right-hand corner
( http://www.autorun-autoplay-tools.com/images/eas-new-saveas.gif )
and named the New Folder "Process Explorer". Then I clicked off to the
side of (in the white space) the new "Process Explorer" folder, then
double-clicked on the new folder to open it up.
The "Save As" dialog box should show something like
File Name: procexpnt.zip
Save as Type: Compressed Folder <== (pull down if something else)
then click "Save".
Then in *Windows* Explorer, browse to the location where you saved the
zip file, and *Right*-click on the procexpnt.zip file/folder. Choose
"Extract All", and when prompted for an "extract to folder", Browse to
"C:\Program Files\Process Explorer\", click "Next", and click "Show
Extracted Files".
The following files should be extracted into
C:\Program Files\Process Explorer\:
procexp.exe
procexp.chm
README.TXT
Double-click on "procexp.exe", and that should start up Process Explorer.
Please let me know if you are still having trouble after following these directions.
|
Request for Answer Clarification by
colan-ga
on
30 Jun 2004 18:02 PDT
Ace:
I got the zip files and had uncompressed them correctly. It was the
exe file that I tried repeatedly to load.
Still no luck.
|
Clarification of Answer by
aceresearcher-ga
on
30 Jun 2004 18:58 PDT
I'm mystified.
I can't imagine why this won't work for you.
Try each of the other versions (be sure to save in their own file
folder as suggested by the extract utility).
If that still doesn't work, try shutting down and restarting your
computer, then double-clicking one-by-one on each of the 3 different
executables to see if one of them will work.
|
Request for Answer Clarification by
colan-ga
on
01 Jul 2004 03:44 PDT
YEAHHH!
I finally got it to work! I won't bore you with all the details, but
I had to download repeatedly (and reboot) before a version worked. I
never could get the version for XP to work, but by saving the others
into separate folders (instead of just copying over), it finally ran.
Output below:
Process PID CPU Description Company Name
System Idle Process 0 98
Interrupts n/a 1 Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 692 Windows NT Session Manager Microsoft Corporation
csrss.exe 740 Client Server Runtime Process Microsoft Corporation
winlogon.exe 768 Windows NT Logon Application Microsoft Corporation
services.exe 812 1 Services and Controller app Microsoft Corporation
svchost.exe 1016 Generic Host Process for Win32 Services Microsoft Corporation
hpoevm08.exe 608 HP OfficeJet COM Event Manager Hewlett-Packard Co.
hposts08.exe 2956 HP OfficeJet Status Hewlett-Packard Co.
svchost.exe 1100 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1296 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1328 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1516 Spooler SubSystem App Microsoft Corporation
alg.exe 788 Application Layer Gateway Service Microsoft Corporation
AOLacsd.exe 948 AOL Connectivity Service America Online, Inc.
CCEVTMGR.EXE 1044 Event Manager Service Symantec Corporation
gearsec.exe 1076 gearsec GEAR Software
NAVAPSVC.EXE 1152 Norton AntiVirus Auto-Protect Service Symantec Corporation
nvsvc32.exe 1184 NVIDIA Driver Helper Service, Version 52.16 NVIDIA Corporation
svchost.exe 1576 Generic Host Process for Win32 Services Microsoft Corporation
vsmon.exe 1868 TrueVector Service Zone Labs Inc.
wanmpsvc.exe 2064 Wan Miniport (ATW) Service America Online, Inc.
iPodService.exe 2648 iPodService Module Apple Computer, Inc.
lsass.exe 824 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1780 Windows Explorer Microsoft Corporation
ccApp.exe 1956 Common Client CC App Symantec Corporation
iTunesHelper.exe 1980 iTunesHelper Module Apple Computer, Inc.
point32.exe 1988 Point32.exe Microsoft Corporation
SK9910DM.EXE 2012 Daemon Silitek Corporation
E_S0HIC1.EXE 2040 EPSON Status Monitor 3 SEIKO EPSON CORPORATION
zlclient.exe 192 Zone Labs Client Zone Labs Inc.
rundll32.exe 228 Run a DLL as an App Microsoft Corporation
hpohmr08.exe 328 HP OfficeJet COM Device Objects Hewlett-Packard Co.
hpotdd01.exe 332 hpotdd01 Hewlett-Packard
Pam.exe 360 Pam Driver Pam B.V.
IEXPLORE.EXE 3604 Internet Explorer Microsoft Corporation
procexp.exe 888 1 Sysinternals Process Explorer Sysinternals
PortAOL.exe 268 Port Magic Application Pure Networks, Inc.
mpbtn.exe 500 Motive Chorus System Tray Button Motive Communications, Inc.
Process: Procexp Pid: -2
Type Name
|
Clarification of Answer by
aceresearcher-ga
on
01 Jul 2004 04:21 PDT
Yea!
After all that, the PE log isn't showing the details of the svchost processes.
So, for EACH occurrence of that:
(make sure that "View ==> Show Lower Pane" is checked)
1) click on "SVCHOST.EXE" to highlight the item
2) down below, check the listed attributes to see if you can
identify what system / process / program is running svchost
3) paste that name here (you can usually "Copy" by right-clicking on
the attribute in the lower pane and selecting "Properties"; if that
doesn't work, you'll have to type the information)
|
Request for Answer Clarification by
colan-ga
on
01 Jul 2004 04:58 PDT
Will do this evening and post. Thanks.
|
Request for Answer Clarification by
colan-ga
on
04 Jul 2004 06:10 PDT
Ace: I re-ran it with additional column headings...please see below
if this has the information you need. As for the manual listing,
"down below, check the listed attributes to see if you can identify
what system / process / program is running svchost" , I tried to
look, but am not sure how to tell what system/process/program is
running. It just lists lots of stuff and I am not sure how to figure
out what the program is. Also, I tried the "properties, copy"
command, and it does not seem to work. I don't mind copying manually,
but I'm really not sure which thing to copy (and there are dozens and
dozens). Please look at the new screenshot below, and if it does not
have enough info, perhaps you can give me an example of what to look
for?
Thanks and happy independence day...
Colan
=================================
Process PID CPU Description Company Name Session ID Path Command Line
System Idle Process 0 98 0
Interrupts n/a Hardware Interrupts 0
DPCs n/a Deferred Procedure Calls 0
System 4 0
smss.exe 692 Windows NT Session Manager Microsoft Corporation 0 C:\WINNT\system32\smss.exe \SystemRoot\System32\smss.exe
csrss.exe 740 Client Server Runtime Process Microsoft Corporation 0 C:\WINNT\system32\csrss.exe C:\WINNT\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestU
winlogon.exe 764 Windows NT Logon Application Microsoft Corporation 0 C:\WINNT\system32\winlogon.exe winlogon.exe
services.exe 808 1 Services and Controller app Microsoft Corporation 0 C:\WINNT\system32\services.exe C:\WINNT\system32\services.exe
svchost.exe 1008 Generic Host Process for Win32 Services Microsoft Corporation 0 C:\WINNT\system32\svchost.exe C:\WINNT\system32\svchost -k rpcss
hpoevm08.exe 2440 HP OfficeJet COM Event Manager Hewlett-Packard Co. 0 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe" -Embedding
hposts08.exe 2744 HP OfficeJet Status Hewlett-Packard Co. 0 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe" /CtxID "#Hewlett-Packard#hp psc 1200 series#1085598880" /Startup
svchost.exe 1092 Generic Host Process for Win32 Services Microsoft Corporation 0 C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe 1288 Generic Host Process for Win32 Services Microsoft Corporation 0 C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe -k NetworkService
svchost.exe 1320 Generic Host Process for Win32 Services Microsoft Corporation 0 C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe -k LocalService
spoolsv.exe 1488 Spooler SubSystem App Microsoft Corporation 0 C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\spoolsv.exe
alg.exe 1700 Application Layer Gateway Service Microsoft Corporation 0 C:\WINNT\system32\alg.exe C:\WINNT\System32\alg.exe
AOLacsd.exe 1712 AOL Connectivity Service America Online, Inc. 0 C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
CCEVTMGR.EXE 1732 Event Manager Service Symantec Corporation 0 C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
gearsec.exe 1760 gearsec GEAR Software 0 C:\WINNT\system32\gearsec.exe C:\WINNT\System32\gearsec.exe
NAVAPSVC.EXE 1788 Norton AntiVirus Auto-Protect Service Symantec Corporation 0 C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE "C:\Program Files\Norton AntiVirus\navapsvc.exe"
nvsvc32.exe 1820 NVIDIA Driver Helper Service, Version 52.16 NVIDIA Corporation 0 C:\WINNT\system32\nvsvc32.exe C:\WINNT\System32\nvsvc32.exe
svchost.exe 212 Generic Host Process for Win32 Services Microsoft Corporation 0 C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe -k imgsvc
vsmon.exe 268 TrueVector Service Zone Labs Inc. 0 C:\WINNT\system32\ZoneLabs\vsmon.exe C:\WINNT\system32\ZoneLabs\vsmon.exe -service
wanmpsvc.exe 592 Wan Miniport (ATW) Service America Online, Inc. 0 C:\WINNT\wanmpsvc.exe "C:\WINNT\wanmpsvc.exe"
iPodService.exe 2120 iPodService Module Apple Computer, Inc. 0 C:\Program Files\iPod\bin\iPodService.exe "C:\Program Files\iPod\bin\iPodService.exe"
lsass.exe 820 LSA Shell (Export Version) Microsoft Corporation 0 C:\WINNT\system32\lsass.exe C:\WINNT\system32\lsass.exe
explorer.exe 1864 Windows Explorer Microsoft Corporation 0 C:\WINNT\explorer.exe C:\WINNT\Explorer.EXE
ccApp.exe 1084 Common Client CC App Symantec Corporation 0 C:\Program Files\Common Files\Symantec Shared\ccApp.exe "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
iTunesHelper.exe 1176 iTunesHelper Module Apple Computer, Inc. 0 C:\Program Files\iTunes\iTunesHelper.exe "C:\Program Files\iTunes\iTunesHelper.exe"
point32.exe 1300 Point32.exe Microsoft Corporation 0 C:\Program Files\Microsoft IntelliPoint\point32.exe "C:\Program Files\Microsoft IntelliPoint\point32.exe"
SK9910DM.EXE 1524 Daemon Silitek Corporation 0 C:\WINNT\system32\SK9910DM.EXE "C:\WINNT\System32\SK9910DM.EXE"
E_S0HIC1.EXE 1568 EPSON Status Monitor 3 SEIKO EPSON CORPORATION 0 C:\WINNT\system32\spool\drivers\w32x86\3\E_S0HIC1.EXE "C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE" /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
zlclient.exe 1136 Zone Labs Client Zone Labs Inc. 0 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
rundll32.exe 1956 Run a DLL as an App Microsoft Corporation 0 C:\WINNT\system32\rundll32.exe "C:\WINNT\System32\RUNDLL32.EXE" C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
hpohmr08.exe 2188 HP OfficeJet COM Device Objects Hewlett-Packard Co. 0 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe"
hpotdd01.exe 2220 hpotdd01 Hewlett-Packard 0 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
Pam.exe 2236 Pam Driver Pam B.V. 0 C:\Program Files\Pam BV\Pam Driver\Pam.exe "C:\Program Files\Pam BV\Pam Driver\Pam.exe"
IEXPLORE.EXE 3288 Internet Explorer Microsoft Corporation 0 C:\Program Files\Internet Explorer\IEXPLORE.EXE "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
IEXPLORE.EXE 3160 Internet Explorer Microsoft Corporation 0 C:\Program Files\Internet Explorer\IEXPLORE.EXE "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
IEXPLORE.EXE 2948 Internet Explorer Microsoft Corporation 0 C:\Program Files\Internet Explorer\IEXPLORE.EXE "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
procexp.exe 3704 1 Sysinternals Process Explorer Sysinternals 0 C:\Program Files\Quicken 2004\Downloaded Data\temp programs\temp 2\procexp.exe "C:\Program Files\Quicken 2004\Downloaded Data\temp programs\temp 2\procexp.exe"
PortAOL.exe 2056 Port Magic Application Pure Networks, Inc. 0 C:\Program Files\Pure Networks\Port Magic\PortAOL.exe "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -ShowUI -Run
mpbtn.exe 2408 Motive Chorus System Tray Button Motive Communications, Inc. 0 C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe "C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe"
Process: svchost.exe Pid: 1008
Type Name
Desktop \Default
Directory \Windows
Directory \BaseNamedObjects
Directory \KnownDlls
Event \BaseNamedObjects\ScmCreatedEvent
Event \BaseNamedObjects\userenv: User Profile setup event
File \Device\Afd\Endpoint
File \Device\Afd\Endpoint
File \Device\Tcp
File \Device\Ip
File \Device\Tcp
File \Device\Ip
File \Device\Ip
File \Device\Tcp
File \Device\Afd\Endpoint
File \Device\Afd\Endpoint
File \Device\NwlnkSpx\Stream
File \Device\Afd\Endpoint
File \Device\Afd\Endpoint
File \Device\Afd\Endpoint
File \Device\NwlnkIpx
File \Device\NamedPipe\epmapper
File \Device\NamedPipe\epmapper
File \Device\NamedPipe\net\NtControlPipe2
File \Device\NamedPipe\svcctl
File \Device\KsecDD
File \Dfs
File C:\WINNT\system32
File \Device\Afd\Endpoint
File \Device\Tcp
File \Device\Afd\Endpoint
File \Device\NamedPipe\Winsock2\CatalogChangeListener-3f0-0
Key HKLM
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKU
Key HKCR
Key HKU
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR\CLSID
Key HKCR
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKU
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR\CLSID
Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
Key HKU\.DEFAULT
Key HKU
Key HKCR\CLSID
Key HKCR\AppID
Key HKLM\SOFTWARE\Microsoft\Ole
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Mutant \BaseNamedObjects\ShimCacheMutex
Port \RPC Control\epmapper
Process hpoevm08.exe(2440)
Section \BaseNamedObjects\RotHintTable
Section \BaseNamedObjects\__R_000000000029_SMem__
Section \BaseNamedObjects\ShimSharedMemory
Thread svchost.exe(1008): 1028
Thread svchost.exe(1008): 3112
Thread svchost.exe(1008): 1476
Thread svchost.exe(1008): 1028
Thread svchost.exe(1008): 1600
Thread svchost.exe(1008): 1028
Thread svchost.exe(1008): 1012
Thread svchost.exe(1008): 3548
Thread svchost.exe(1008): 1476
Thread svchost.exe(1008): 2580
Thread svchost.exe(1008): 3936
Thread svchost.exe(1008): 1016
Thread svchost.exe(1008): 1016
Thread svchost.exe(1008): 1024
Thread svchost.exe(1008): 1024
Token S0032030900\Owner
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\LOCAL SERVICE
Token NT AUTHORITY\LOCAL SERVICE
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\SYSTEM
Token S0032030900\Owner
Token S0032030900\Owner
Token S0032030900\Owner
Token S0032030900\Owner
Token S0032030900\Owner
Token S0032030900\Owner
Token S0032030900\Owner
Token NT AUTHORITY\SYSTEM
Token S0032030900\Owner
Token S0032030900\Owner
Token S0032030900\Owner
Token S0032030900\Owner
Token S0032030900\Owner
Token NT AUTHORITY\SYSTEM
Token S0032030900\Owner
Token S0032030900\Owner
Token S0032030900\Owner
WindowStation \Windows\WindowStations\Service-0x0-3e7$
WindowStation \Windows\WindowStations\Service-0x0-3e7$
|
Request for Answer Clarification by
colan-ga
on
05 Jul 2004 11:15 PDT
Ace:
one question....I am getting random sound problems when I load some
programs (like I-tunes). I am concerned that I may have deleted
something that is affecting the sound. It seems to correct itself if
I reboot, and it only happens occasionally, but do you have any
thoughts?
|
Clarification of Answer by
aceresearcher-ga
on
07 Jul 2004 08:40 PDT
colan,
I'm doing a little research on your Question, and will post another
Clarification soon.
Thanks,
ace
|
Request for Answer Clarification by
colan-ga
on
07 Jul 2004 09:57 PDT
Ace:
No problem and no hurry. I really do appreciate all of your help on this.
Colan
|
Clarification of Answer by
aceresearcher-ga
on
09 Jul 2004 11:12 PDT
Colan,
Since the Process Explorer log that you posted shows only generic
information for the svchost processes that are running, can you
1) start Process Explorer
2) make sure that View ==> Show Lower Pane is checkmarked (if not, click on it)
3) click on the first "svchost.exe"
4) type into Notepad any names or information in the lower pane that
looks like it might be helpful in identifying the process
5) repeat this for each occurrence of svchost
I know that this is a pain, but I've been looking and have not yet
been able to find a good way to easily show details on your system.
Thanks,
ace
|
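The two aceresearcher posts above (the "Tasklist /SVC" instructions of 27 Jun and the 09 Jul request to read svchost details out of the Process Explorer lower pane) are both after the same fact: which services each svchost.exe instance is hosting, and whether each instance is a legitimate one. The script below is an added example for this page, not code from either participant, from Sysinternals or from Microsoft. It assumes a current Windows host with PowerShell 5.1 or later, run from an elevated prompt; Windows XP Home, the machine in this thread, shipped with neither PowerShell nor tasklist.exe. It pulls the same PID-to-service relation that "tasklist /svc" prints from WMI, reads the "-k" service group off each command line (the "-k rpcss", "-k netsvcs" and similar arguments visible in the log above), and flags any svchost.exe whose image is not the one in System32, that hosts no registered service, or whose Authenticode signature does not verify.

```powershell
# Added example (not part of the original thread): map every running
# svchost.exe to the services it hosts and its "-k" group, and flag
# instances that do not look like the genuine service host.
# Assumes Windows 10/11 or Server with PowerShell 5.1+, run elevated.

function Get-SvchostReport {
    $genuine = Join-Path (Join-Path $env:SystemRoot 'System32') 'svchost.exe'

    # Win32_Service.ProcessId is the same PID-to-service relation that
    # "tasklist /svc" prints; stopped services report ProcessId 0.
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }
    $byPid    = $services | Group-Object ProcessId -AsHashTable -AsString

    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
        $procId = [string]$p.ProcessId
        $hosted = if ($byPid -and $byPid.ContainsKey($procId)) { @($byPid[$procId].Name) } else { @() }

        # The service group is the "-k <group>" argument on the command line,
        # e.g. "svchost.exe -k netsvcs". CommandLine is empty when the caller
        # lacks the right to read another user's process, so treat null safely.
        $group = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(none)' }

        $path = $p.ExecutablePath
        $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                    (Get-AuthenticodeSignature -FilePath $path).Status
                } else { 'Unknown' }

        # Three independent red flags; any one of them deserves a closer look.
        $flags = @()
        if (-not $path -or $path -ine $genuine) { $flags += 'image path is not System32\svchost.exe' }
        if ($hosted.Count -eq 0)                 { $flags += 'hosts no registered service' }
        if ($sig -ne 'Valid')                    { $flags += "signature status: $sig" }

        [pscustomobject]@{
            PID        = $p.ProcessId
            Group      = $group
            Services   = ($hosted -join ', ')
            Path       = $path
            Suspicious = ($flags -join '; ')
        }
    }
}

# Usage: print the table, suspicious instances first.
Get-SvchostReport | Sort-Object { $_.Suspicious -eq '' }, PID | Format-Table -AutoSize -Wrap
```

Run it from an elevated session: without elevation, CommandLine and ExecutablePath for SYSTEM-owned processes come back empty and every instance is reported as suspicious. On Windows 10 and later, machines with more than about 3.5 GB of RAM run most services in their own svchost.exe, so a long list of single-service instances is normal; an instance that hosts no service at all, or whose image lives outside System32, is not.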
Request for Answer Clarification by
colan-ga
on
09 Jul 2004 12:15 PDT
Ace:
Will do. Please note that I am going out of town for several days and
will not be able to do this until after next week. Hope that is o.k.
with you.
|
Clarification of Answer by
aceresearcher-ga
on
09 Jul 2004 12:46 PDT
No problem. Have a safe trip!
|
Request for Answer Clarification by
colan-ga
on
31 Jul 2004 05:49 PDT
Hi there:
Remember me? :-)
Hope things are well with you. Well, I'm back and I am trying to pick
up where we left off...
Question...when you say "type into Notepad any names or information in
the lower pane that looks like it might be helpful in identifying the
process"...can you be more specific? There is a LOT of stuff there to
type.
The Types include:
Desktop
Directory
Event
File
Key
Keyed Event
Mutant
Port
Process
Section
Thread
Token
Windowstation
Of course, many of these types have multiple listings, and this is just
for the FIRST occurrence of SVCHOST. If I tried to recreate the whole
thing, I would be typing for days. Any hints to try to narrow it
down? If need be, I will (reluctantly) try typing the entire first
one if that will be helpful, but it is going to take a long time so I
want to be sure before I go there.
Thanks for any direction you can give me.
Colan
|
Request for Answer Clarification by
colan-ga
on
31 Jul 2004 05:57 PDT
On the first SVCHOST, this is what was in the lower pane...is this
what you need to see?:
Process: svchost.exe Pid: 1020
Type Name
Desktop \Default
Directory \Windows
Directory \BaseNamedObjects
Directory \KnownDlls
Event \BaseNamedObjects\ScmCreatedEvent
Event \BaseNamedObjects\userenv: User Profile setup event
File \Device\Afd\Endpoint
File \Device\Afd\Endpoint
File \Device\Tcp
File \Device\Ip
File \Device\Tcp
File \Device\Ip
File \Device\Ip
File \Device\Tcp
File \Device\Afd\Endpoint
File \Device\Afd\Endpoint
File \Device\NwlnkSpx\Stream
File \Device\Afd\Endpoint
File \Device\Afd\Endpoint
File \Device\Afd\Endpoint
File \Device\NwlnkIpx
File \Device\NamedPipe\epmapper
File \Device\NamedPipe\epmapper
File \Device\NamedPipe\net\NtControlPipe2
File \Device\NamedPipe\svcctl
File \Device\KsecDD
File \Dfs
File C:\WINNT\system32
File \Device\Afd\Endpoint
File \Device\Tcp
File \Device\Afd\Endpoint
File \Device\NamedPipe\Winsock2\CatalogChangeListener-3fc-0
Key HKLM
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKU
Key HKCR
Key HKU
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR\CLSID
Key HKCR
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKU
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR\CLSID
Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
Key HKU\.DEFAULT
Key HKU
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKCU\Software\Classes
Key HKCR
Key HKCU\Software\Classes
Key HKCR\CLSID
Key HKCR\AppID
Key HKLM\SOFTWARE\Microsoft\Ole
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Mutant \BaseNamedObjects\ShimCacheMutex
Port \RPC Control\epmapper
Process hpoevm08.exe(1432)
Process wisptis.exe(1588)
Section \BaseNamedObjects\RotHintTable
Section \BaseNamedObjects\__R_000000000029_SMem__
Section \BaseNamedObjects\ShimSharedMemory
Thread svchost.exe(1020): 1040
Thread svchost.exe(1020): 1492
Thread svchost.exe(1020): 1040
Thread svchost.exe(1020): 1616
Thread svchost.exe(1020): 1040
Thread svchost.exe(1020): 1024
Thread svchost.exe(1020): 1492
Thread svchost.exe(1020): 3788
Thread svchost.exe(1020): 3396
Thread svchost.exe(1020): 2080
Thread svchost.exe(1020): 1028
Thread svchost.exe(1020): 1028
Thread svchost.exe(1020): 1036
Thread svchost.exe(1020): 1036
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\LOCAL SERVICE
Token S0032030900\Owner
Token S0032030900\Owner
Token S0032030900\Owner
Token S0032030900\Owner
Token S0032030900\Owner
Token S0032030900\Owner
Token NT AUTHORITY\LOCAL SERVICE
Token S0032030900\Owner
Token NT AUTHORITY\SYSTEM
Token S0032030900\Owner
Token S0032030900\Owner
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\SYSTEM
Token S0032030900\Owner
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\SYSTEM
Token S0032030900\Owner
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\SYSTEM
Token S0032030900\Owner
Token S0032030900\Owner
Token S0032030900\Owner
Token S0032030900\Owner
Token NT AUTHORITY\SYSTEM
Token S0032030900\Owner
WindowStation \Windows\WindowStations\Service-0x0-3e7$
WindowStation \Windows\WindowStations\Service-0x0-3e7$
|