TheTechGuide Forum

General Category => Tech Clinic => Topic started by: scrappingmama on April 30, 2005, 08:15:54 PM

Title: Need help w/ hitchhiker - logs included
Post by: scrappingmama on April 30, 2005, 08:15:54 PM: I have the rl.webtracer.cc hitchhiker on my computer. I have checked the other posts and have run Locate, StartDreck and HijackThis. I will post each in the order listed (please let me know if I should add as attachments instead). I didn't want to just go clicking things and deleting them until I got your advice. Please assist me with my next steps. Thanks.

** Locate.bat: report.txt **
C:\WINDOWS\SYSTEM32\DRIVERS\LTMDMNTC.SYS

** StartDreck.log **
StartDreck (build 2.1.7 public stable) - 2005-04-30 @ 20:02:16 (GMT -05:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Owner at BIGMAMA

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\WINDOWS\config.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
*C:\WINDOWS\autoexec.bat
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
*C:\WINDOWS\hosts
*C:\WINDOWS\System32\drivers\etc\hosts
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+568=\SystemRoot\System32\smss.exe
+632=\??\C:\WINDOWS\system32\csrss.exe
+656=\??\C:\WINDOWS\System32\winlogon.exe
+700=C:\WINDOWS\system32\services.exe
+712=C:\WINDOWS\system32\lsass.exe
+868=C:\WINDOWS\system32\svchost.exe
+916=C:\WINDOWS\System32\svchost.exe
+1104=C:\WINDOWS\System32\svchost.exe
+1128=C:\WINDOWS\System32\svchost.exe
+1336=C:\WINDOWS\Explorer.EXE
+1356=C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
+1396=C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
+1416=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
+1600=C:\WINDOWS\system32\spoolsv.exe
+1900=C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
+1936=C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
+1988=C:\PROGRA~1\Iomega\System32\AppServices.exe
+2036=C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
+224=C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
+364=C:\WINDOWS\System32\svchost.exe
+376=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
+396=C:\WINDOWS\System32\wdfmgr.exe
+504=C:\Program Files\Iomega\AutoDisk\ADService.exe
+2364=C:\HJT\HijackThis.exe
+2516=C:\WINDOWS\system32\NOTEPAD.EXE
+3400=C:\Program Files\Internet Explorer\iexplore.exe
+2336=C:\PROGRA~1\WINZIP\winzip32.exe
+3288=C:\Documents and Settings\Owner\Desktop\GetRidofHijackers\StartDreck.exe
»NT Services
*Alerter   Alerter   -   on demand
*Application Layer Gateway Service   ALG   -   on demand
*Application Management   AppMgmt   -   on demand
*ASP.NET State Service   aspnet_state   -   on demand
*Windows Audio   AudioSrv   running   auto
*Background Intelligent Transfer Service   BITS   -   on demand
*Computer Browser   Browser   running   auto
*Symantec Event Manager   ccEvtMgr   running   auto
*Symantec Network Proxy   ccProxy   running   auto
*Symantec Password Validation   ccPwdSvc   -   on demand
*Symantec Settings Manager   ccSetMgr   running   auto
*Indexing Service   CiSvc   -   on demand
*ClipBook   ClipSrv   -   on demand
*COM+ System Application   COMSysApp   -   on demand
*Cryptographic Services   CryptSvc   running   auto
*DHCP Client   Dhcp   running   auto
*Logical Disk Manager Administrative Service   dmadmin   -   on demand
*Logical Disk Manager   dmserver   -   on demand
*DNS Client   Dnscache   running   auto
*EPSON Printer Status Agent2   EPSONStatusAgent2   running   auto
*Error Reporting Service   ERSvc   running   auto
*Event Log   Eventlog   running   auto
*COM+ Event System   EventSystem   running   on demand
*Fast User Switching Compatibility   FastUserSwitchingCom   running   on demand
*Fax   Fax   -   on demand
*Help and Support   helpsvc   running   auto
*Human Interface Device Access   HidServ   -   disabled
*IMAPI CD-Burning COM Service   ImapiService   -   on demand
*Iomega Activity Disk2   Iomega Activity Disk   -   disabled
*Iomega App Services   Iomega App Services   running   auto
*Server   lanmanserver   running   auto
*Workstation   lanmanworkstation   running   auto
*TCP/IP NetBIOS Helper   LmHosts   running   auto
*Messenger   Messenger   -   on demand
*NetMeeting Remote Desktop Sharing   mnmsrvc   -   on demand
*Distributed Transaction Coordinator   MSDTC   -   on demand
*Windows Installer   MSIServer   -   on demand
*Norton AntiVirus Auto Protect Service   navapsvc   running   auto
*Network DDE   NetDDE   -   on demand
*Network DDE DSDM   NetDDEdsdm   -   on demand
*Net Logon   Netlogon   -   on demand
*Network Connections   Netman   running   on demand
*Network Location Awareness (NLA)   Nla   running   on demand
*NT LM Security Support Provider   NtLmSsp   -   on demand
*Removable Storage   NtmsSvc   -   on demand
*NVIDIA Driver Helper Service   NVSvc   -   auto
*Office Source Engine   ose   -   on demand
*Plug and Play   PlugPlay   running   auto
*IPSEC Services   PolicyAgent   running   auto
*Protected Storage   ProtectedStorage   running   auto
*Remote Access Auto Connection Manager   RasAuto   -   disabled
*Remote Access Connection Manager   RasMan   running   on demand
*Remote Desktop Help Session Manager   RDSessMgr   -   on demand
*Routing and Remote Access   RemoteAccess   -   disabled
*Remote Procedure Call (RPC) Locator   RpcLocator   -   on demand
*Remote Procedure Call (RPC)   RpcSs   running   auto
*QoS RSVP   RSVP   -   on demand
*Security Accounts Manager   SamSs   running   auto
*SAVScan   SAVScan   running   auto
*ScriptBlocking Service   SBService   -   auto
*Smart Card Helper   SCardDrv   -   on demand
*Smart Card   SCardSvr   -   on demand
*Task Scheduler   Schedule   running   auto
*Secondary Logon   seclogon   running   auto
*System Event Notification   SENS   running   auto
*Internet Connection Firewall (ICF) / Internet C   SharedAccess   -   on demand
`onnection Sharing (ICS)
*Shell Hardware Detection   ShellHWDetection   running   auto
*Symantec Network Drivers Service   SNDSrvc   running   auto
*Print Spooler   Spooler   running   auto
*System Restore Service   srservice   -   auto
*SSDP Discovery Service   SSDPSRV   running   on demand
*Windows Image Acquisition (WIA)   stisvc   running   auto
*MS Software Shadow Copy Provider   SwPrv   -   on demand
*Symantec Core LC   Symantec Core LC   running   auto
*SymWMI Service   SymWSC   -   auto
*Performance Logs and Alerts   SysmonLog   -   on demand
*Telephony   TapiSrv   running   on demand
*Terminal Services   TermService   running   on demand
*Themes   Themes   running   auto
*Distributed Link Tracking Client   TrkWks   running   auto
*Windows User Mode Driver Framework   UMWdf   running   auto
*Upload Manager   uploadmgr   running   auto
*Universal Plug and Play Device Host   upnphost   -   on demand
*Uninterruptible Power Supply   UPS   -   on demand
*Volume Shadow Copy   VSS   -   on demand
*Windows Time   W32Time   running   auto
*WebClient   WebClient   running   auto
*Windows Management Instrumentation   winmgmt   running   auto
*Portable Media Serial Number Service   WmdmPmSN   -   on demand
*WMI Performance Adapter   WmiApSrv   -   on demand
*Automatic Updates   wuauserv   running   auto
*Wireless Zero Configuration   WZCSVC   running   auto
*Iomega Active Disk   _IOMEGA_ACTIVE_DISK_   running   auto
»Application specific

** HijackThis.log **
Logfile of HijackThis v1.99.1
Scan saved at 7:52:52 PM, on 4/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (http://\"http://rl.webtracer.cc/-/?pcscm\") (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (http://\"http://rl.webtracer.cc/-/?pcscm\") (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://rl.webtracer.cc/-/?pcscm (http://\"http://rl.webtracer.cc/-/?pcscm\") (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 1159680172 auto.search.msn.com
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098110564015 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098110564015\")
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (http://\"http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab\")
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx (http://\"http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx\")
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab (http://\"http://www.nick.com/common/groove/gx/GrooveAX27.cab\")
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/Tra...ransferCtrl.cab (http://\"http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab\")
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab (http://\"http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab\")
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab (http://\"http://www.snapfish.com/SnapfishUpload.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab\")
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab (http://\"http://download.toontown.com/sv1.0.14.48/ttinst.cab\")
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab (http://\"http://photo.walmart.com/photo/uploads/WebUploadClient.cab\")
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab (http://\"http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab (http://\"http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323 (http://\"http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323\")
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab (http://\"http://cdn.digitalcity.com/_media/dalaillama/ampx.cab\")
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
Title: Need help w/ hitchhiker - logs included
Post by: guestolo on May 01, 2005, 03:35:05 AM: Thanks for supplying the log from Locate.bat
Just to make sure, can you supply a Proper log from Startdreck too
Here's the instructions
Open StartDreck.exe'
First click on the config button.
Now click the Unmark all button
Under "System/Drivers, put a check by these boxes only:
*Mark NT Services
*List binaries
*NT Kernel- and FS Drivers
Now click the Save button to save that log. Go to the StartDreck folder and find the Startdreck.log file.

Copy and Paste the contents of that log back here
Title: Need help w/ hitchhiker - logs included
Post by: scrappingmama on May 01, 2005, 08:54:21 AM: Per your request, I have attached the log with the new config settings. Also, I wanted to note that at the same time all of this webtracer stuff started happening, my Norton AV autoprotect stopped functioning and my Norton Internet Security was disabled and can't be re-enabled. Don't know if it is related or not. I was able to download all the latest virus defs and run a manual scan, I just can't get the auto-protect back on. I have also run a scan with AdAware SE but it wouldn't let me download any updates, so the things I found were probably just the basics. Thanks for your assistance.

Anyway, here are the startdreck logs --

StartDreck (build 2.1.7 public stable) - 2005-05-01 @ 08:47:03 (GMT -05:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Owner at BIGMAMA

»Registry
»Files
»System/Drivers
»NT Services
*Alerter   Alerter   -   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Application Layer Gateway Service   ALG   -   on demand
`binary: C:\WINDOWS\System32\alg.exe
*Application Management   AppMgmt   -   on demand
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*ASP.NET State Service   aspnet_state   -   on demand
`binary: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
*Windows Audio   AudioSrv   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Background Intelligent Transfer Service   BITS   -   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Computer Browser   Browser   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Symantec Event Manager   ccEvtMgr   running   auto
`binary: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*Symantec Network Proxy   ccProxy   running   auto
`binary: "C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"
*Symantec Password Validation   ccPwdSvc   -   on demand
`binary: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
*Symantec Settings Manager   ccSetMgr   running   auto
`binary: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
*Indexing Service   CiSvc   -   on demand
`binary: C:\WINDOWS\system32\cisvc.exe
*ClipBook   ClipSrv   -   on demand
`binary: C:\WINDOWS\system32\clipsrv.exe
*COM+ System Application   COMSysApp   -   on demand
`binary: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
*Cryptographic Services   CryptSvc   running   auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*DHCP Client   Dhcp   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Logical Disk Manager Administrative Service   dmadmin   -   on demand
`binary: C:\WINDOWS\System32\dmadmin.exe /com
*Logical Disk Manager   dmserver   -   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*DNS Client   Dnscache   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k NetworkService
*EPSON Printer Status Agent2   EPSONStatusAgent2   running   auto
`binary: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
*Error Reporting Service   ERSvc   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Event Log   Eventlog   running   auto
`binary: C:\WINDOWS\system32\services.exe
*COM+ Event System   EventSystem   running   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Fast User Switching Compatibility   FastUserSwitchingCom   running   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Fax   Fax   -   on demand
`binary: C:\WINDOWS\system32\fxssvc.exe
*Help and Support   helpsvc   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Human Interface Device Access   HidServ   -   disabled
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*IMAPI CD-Burning COM Service   ImapiService   -   on demand
`binary: C:\WINDOWS\System32\imapi.exe
*Iomega Activity Disk2   Iomega Activity Disk   -   disabled
`binary: ""
*Iomega App Services   Iomega App Services   running   auto
`binary: "C:\PROGRA~1\Iomega\System32\AppServices.exe"
*Server   lanmanserver   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Workstation   lanmanworkstation   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*TCP/IP NetBIOS Helper   LmHosts   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Messenger   Messenger   -   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*NetMeeting Remote Desktop Sharing   mnmsrvc   -   on demand
`binary: C:\WINDOWS\System32\mnmsrvc.exe
*Distributed Transaction Coordinator   MSDTC   -   on demand
`binary: C:\WINDOWS\System32\msdtc.exe
*Windows Installer   MSIServer   -   on demand
`binary: C:\WINDOWS\System32\msiexec.exe /V
*Norton AntiVirus Auto Protect Service   navapsvc   running   auto
`binary: "C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"
*Network DDE   NetDDE   -   on demand
`binary: C:\WINDOWS\system32\netdde.exe
*Network DDE DSDM   NetDDEdsdm   -   on demand
`binary: C:\WINDOWS\system32\netdde.exe
*Net Logon   Netlogon   -   on demand
`binary: C:\WINDOWS\System32\lsass.exe
*Network Connections   Netman   running   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Network Location Awareness (NLA)   Nla   running   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*NT LM Security Support Provider   NtLmSsp   -   on demand
`binary: C:\WINDOWS\System32\lsass.exe
*Removable Storage   NtmsSvc   -   on demand
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*NVIDIA Driver Helper Service   NVSvc   -   auto
`binary: C:\WINDOWS\System32\nvsvc32.exe
*Office Source Engine   ose   -   on demand
`binary: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
*Plug and Play   PlugPlay   running   auto
`binary: C:\WINDOWS\system32\services.exe
*IPSEC Services   PolicyAgent   running   auto
`binary: C:\WINDOWS\System32\lsass.exe
*Protected Storage   ProtectedStorage   running   auto
`binary: C:\WINDOWS\system32\lsass.exe
*Remote Access Auto Connection Manager   RasAuto   -   disabled
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Access Connection Manager   RasMan   running   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Desktop Help Session Manager   RDSessMgr   -   on demand
`binary: C:\WINDOWS\system32\sessmgr.exe
*Routing and Remote Access   RemoteAccess   -   disabled
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Procedure Call (RPC) Locator   RpcLocator   -   on demand
`binary: C:\WINDOWS\System32\locator.exe
*Remote Procedure Call (RPC)   RpcSs   running   auto
`binary: C:\WINDOWS\system32\svchost -k rpcss
*QoS RSVP   RSVP   -   on demand
`binary: C:\WINDOWS\System32\rsvp.exe
*Security Accounts Manager   SamSs   running   auto
`binary: C:\WINDOWS\system32\lsass.exe
*SAVScan   SAVScan   running   auto
`binary: C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
*ScriptBlocking Service   SBService   -   auto
`binary: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
*Smart Card Helper   SCardDrv   -   on demand
`binary: C:\WINDOWS\System32\SCardSvr.exe
*Smart Card   SCardSvr   -   on demand
`binary: C:\WINDOWS\System32\SCardSvr.exe
*Task Scheduler   Schedule   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Secondary Logon   seclogon   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*System Event Notification   SENS   running   auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Internet Connection Firewall (ICF) / Internet C   SharedAccess   -   on demand
`onnection Sharing (ICS)
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Shell Hardware Detection   ShellHWDetection   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Symantec Network Drivers Service   SNDSrvc   running   auto
`binary: C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
*Print Spooler   Spooler   running   auto
`binary: C:\WINDOWS\system32\spoolsv.exe
*System Restore Service   srservice   -   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*SSDP Discovery Service   SSDPSRV   running   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Windows Image Acquisition (WIA)   stisvc   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k imgsvc
*MS Software Shadow Copy Provider   SwPrv   -   on demand
`binary: C:\WINDOWS\System32\dllhost.exe /Processid:{80A0071B-FFF9-443D-ACBC-93ACFC851833}
*Symantec Core LC   Symantec Core LC   running   auto
`binary: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
*SymWMI Service   SymWSC   -   auto
`binary: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
*Performance Logs and Alerts   SysmonLog   -   on demand
`binary: C:\WINDOWS\system32\smlogsvc.exe
*Telephony   TapiSrv   running   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Terminal Services   TermService   running   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Themes   Themes   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Distributed Link Tracking Client   TrkWks   running   auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Windows User Mode Driver Framework   UMWdf   running   auto
`binary: C:\WINDOWS\System32\wdfmgr.exe
*Upload Manager   uploadmgr   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Universal Plug and Play Device Host   upnphost   -   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Uninterruptible Power Supply   UPS   -   on demand
`binary: C:\WINDOWS\System32\ups.exe
*Volume Shadow Copy   VSS   -   on demand
`binary: C:\WINDOWS\System32\vssvc.exe
*Windows Time   W32Time   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*WebClient   WebClient   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Windows Management Instrumentation   winmgmt   running   auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Portable Media Serial Number Service   WmdmPmSN   -   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*WMI Performance Adapter   WmiApSrv   -   on demand
`binary: C:\WINDOWS\System32\wbem\wmiapsrv.exe
*Automatic Updates   wuauserv   running   auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Wireless Zero Configuration   WZCSVC   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Iomega Active Disk   _IOMEGA_ACTIVE_DISK_   running   auto
`binary: "C:\Program Files\Iomega\AutoDisk\ADService.exe"
»NT Kernel- and FS-drivers
*Abiosdsk   Abiosdsk   -   disabled
`binary:
*abp480n5   abp480n5   -   disabled
`binary:
*Microsoft ACPI Driver   ACPI   running   boot
`binary: \SystemRoot\System32\DRIVERS\ACPI.sys
*ACPIEC   ACPIEC   -   disabled
`binary:
*adpu160m   adpu160m   -   disabled
`binary:
*Microsoft Kernel Acoustic Echo Canceller   aec   -   on demand
`binary: system32\drivers\aec.sys
*AFD Networking Support Environment   AFD   running   auto
`binary: \SystemRoot\System32\drivers\afd.sys
*AFS2K   AFS2K   running   system
`binary:
*Intel AGP Bus Filter   agp440   running   boot
`binary: \SystemRoot\System32\DRIVERS\agp440.sys
*Aha154x   Aha154x   -   disabled
`binary:
*aic78u2   aic78u2   -   disabled
`binary:
*aic78xx   aic78xx   -   disabled
`binary:
*Service for Realtek AC97 Audio (WDM)   ALCXWDM   running   on demand
`binary: system32\drivers\ALCXWDM.SYS
*AliIde   AliIde   -   disabled
`binary:
*AMD K7 Processor Driver   AmdK7   -   system
`binary: System32\DRIVERS\amdk7.sys
*amsint   amsint   -   disabled
`binary:
*1394 ARP Client Protocol   Arp1394   running   on demand
`binary: System32\DRIVERS\arp1394.sys
*asc   asc   -   disabled
`binary:
*asc3350p   asc3350p   -   disabled
`binary:
*asc3550   asc3550   -   disabled
`binary:
*RAS Asynchronous Media Driver   AsyncMac   -   on demand
`binary: System32\DRIVERS\asyncmac.sys
*Standard IDE/ESDI Hard Disk Controller   atapi   running   boot
`binary: \SystemRoot\System32\DRIVERS\atapi.sys
*Atdisk   Atdisk   -   disabled
`binary:
*ATM ARP Client Protocol   Atmarpc   -   on demand
`binary: System32\DRIVERS\atmarpc.sys
*Audio Stub Driver   audstub   running   on demand
`binary: System32\DRIVERS\audstub.sys
*Beep   Beep   running   system
`binary:
*cbidf2k   cbidf2k   -   disabled
`binary:
*Closed Caption Decoder   CCDECODE   -   on demand
`binary: System32\DRIVERS\CCDECODE.sys
*cd20xrnt   cd20xrnt   -   disabled
`binary:
*Cdaudio   Cdaudio   -   system
`binary:
*Cdfs   Cdfs   running   disabled
`binary:
*CD-ROM Driver   Cdrom   running   system
`binary: System32\DRIVERS\cdrom.sys
*Changer   Changer   -   system
`binary:
*CmdIde   CmdIde   -   disabled
`binary:
*Cpqarray   Cpqarray   -   disabled
`binary:
*dac960nt   dac960nt   -   disabled
`binary:
*Disk Driver   Disk   running   boot
`binary: \SystemRoot\System32\DRIVERS\disk.sys
*dmboot   dmboot   -   disabled
`binary: System32\drivers\dmboot.sys
*dmio   dmio   -   disabled
`binary: System32\drivers\dmio.sys
*dmload   dmload   -   disabled
`binary: System32\drivers\dmload.sys
*Microsoft Kernel DLS Syntheiszer   DMusic   -   on demand
`binary: system32\drivers\DMusic.sys
*dpti2o   dpti2o   -   disabled
`binary:
*Microsoft Kernel DRM Audio Descrambler   drmkaud   -   on demand
`binary: system32\drivers\drmkaud.sys
*Fastfat   Fastfat   running   disabled
`binary:
*fasttx2k   fasttx2k   running   boot
`binary: \SystemRoot\System32\DRIVERS\fasttx2k.sys
*Floppy Disk Controller Driver   Fdc   running   on demand
`binary: System32\DRIVERS\fdc.sys
*VIA Rhine Family Fast Ethernet Adapter Driver S   FETNDISB   running   on demand
`ervice
`binary: System32\DRIVERS\fetnd5b.sys
*Fips   Fips   running   system
`binary:
*Floppy Disk Driver   Flpydisk   running   on demand
`binary: System32\DRIVERS\flpydisk.sys
*Volume Manager Driver   Ftdisk   running   boot
`binary: \SystemRoot\System32\DRIVERS\ftdisk.sys
*Generic Packet Classifier   Gpc   running   on demand
`binary: System32\DRIVERS\msgpc.sys
*Microsoft HID Class Driver   HidUsb   -   on demand
`binary: System32\DRIVERS\hidusb.sys
*hpn   hpn   -   disabled
`binary:
*i2omgmt   i2omgmt   -   system
`binary:
*i2omp   i2omp   -   disabled
`binary:
*i8042 Keyboard and PS/2 Mouse Port Driver   i8042prt   running   system
`binary: System32\DRIVERS\i8042prt.sys
*ialm   ialm   -   on demand
`binary: System32\DRIVERS\ialmnt5.sys
*CD-Burning Filter Driver   Imapi   running   system
`binary: System32\DRIVERS\imapi.sys
*ini910u   ini910u   -   disabled
`binary:
*IntelIde   IntelIde   -   disabled
`binary: \SystemRoot\System32\DRIVERS\intelide.sys
*Iomega Devices Disk Filter Services   iomdisk   running   boot
`binary: \SystemRoot\System32\DRIVERS\iomdisk.sys
*IP Traffic Filter Driver   IpFilterDriver   -   on demand
`binary: System32\DRIVERS\ipfltdrv.sys
*IP in IP Tunnel Driver   IpInIp   -   on demand
`binary: System32\DRIVERS\ipinip.sys
*IP Network Address Translator   IpNat   -   on demand
`binary: System32\DRIVERS\ipnat.sys
*IPSEC driver   IPSec   running   system
`binary: System32\DRIVERS\ipsec.sys
*IR Enumerator Service   IRENUM   -   on demand
`binary: System32\DRIVERS\irenum.sys
*PnP ISA/EISA Bus Driver   isapnp   running   boot
`binary: \SystemRoot\System32\DRIVERS\isapnp.sys
*Keyboard Class Driver   Kbdclass   running   system
`binary: System32\DRIVERS\kbdclass.sys
*Microsoft Kernel Wave Audio Mixer   kmixer   -   on demand
`binary: system32\drivers\kmixer.sys
*KSecDD   KSecDD   running   boot
`binary:
*lbrtfdc   lbrtfdc   -   system
`binary:
*ltmdmntc   ltmdmntc   running   auto
`binary: \??\C:\WINDOWS\System32\drivers\ltmdmntc.sys
*Agere Modem Driver   ltmodem5   running   on demand
`binary: System32\DRIVERS\ltmdmnt.sys
*mnmdd   mnmdd   running   system
`binary:
*Modem   Modem   running   on demand
`binary:
*Mouse Class Driver   Mouclass   running   system
`binary: System32\DRIVERS\mouclass.sys
*MountMgr   MountMgr   running   boot
`binary:
*mraid35x   mraid35x   -   disabled
`binary:
*mrtRate   mrtRate   -   auto
`binary:
*WebDav Client Redirector   MRxDAV   running   on demand
`binary: System32\DRIVERS\mrxdav.sys
*MRxSmb   MRxSmb   running   system
`binary: System32\DRIVERS\mrxsmb.sys
*Msfs   Msfs   running   system
`binary:
*Microsoft Streaming Service Proxy   MSKSSRV   -   on demand
`binary: system32\drivers\MSKSSRV.sys
*Microsoft Streaming Clock Proxy   MSPCLOCK   -   on demand
`binary: system32\drivers\MSPCLOCK.sys
*Microsoft Streaming Quality Manager Proxy   MSPQM   -   on demand
`binary: system32\drivers\MSPQM.sys
*Microsoft Streaming Tee/Sink-to-Sink Converter   MSTEE   -   on demand
`binary: system32\drivers\MSTEE.sys
*Mup   Mup   running   boot
`binary:
*MxlW2k   MxlW2k   running   on demand
`binary:
*NABTS/FEC VBI Codec   NABTSFEC   -   on demand
`binary: System32\DRIVERS\NABTSFEC.sys
*NAVENG   NAVENG   running   on demand
`binary: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050428.018\NAVENG.Sys
*NAVEX15   NAVEX15   running   on demand
`binary: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050428.018\NavEx15.Sys
*NDIS System Driver   NDIS   running   boot
`binary:
*Microsoft TV/Video Connection   NdisIP   -   on demand
`binary: System32\DRIVERS\NdisIP.sys
*Remote Access NDIS TAPI Driver   NdisTapi   running   on demand
`binary: System32\DRIVERS\ndistapi.sys
*NDIS Usermode I/O Protocol   Ndisuio   running   on demand
`binary: System32\DRIVERS\ndisuio.sys
*Remote Access NDIS WAN Driver   NdisWan   running   on demand
`binary: System32\DRIVERS\ndiswan.sys
*NDIS Proxy   NDProxy   running   on demand
`binary:
*NetBIOS Interface   NetBIOS   running   system
`binary: System32\DRIVERS\netbios.sys
*NetBT   NetBT   running   system
`binary: System32\DRIVERS\netbt.sys
*1394 Net Driver   NIC1394   running   on demand
`binary: System32\DRIVERS\nic1394.sys
*Npfs   Npfs   running   system
`binary:
*Ntfs   Ntfs   running   disabled
`binary:
*Null   Null   running   system
`binary:
*nv   nv   -   on demand
`binary: System32\DRIVERS\nv4_mini.sys
*nVidia WDM Video Capture (universal)   nvcap   -   auto
`binary: System32\DRIVERS\nvcap.sys
*nVidia WDM A/V Crossbar   NVXBAR   -   auto
`binary: System32\DRIVERS\NVxbar.sys
*NVIDIA nForce AGP Bus Filter   nv_agp   running   boot
`binary: \SystemRoot\System32\DRIVERS\nv_agp.sys
*IPX Traffic Filter Driver   NwlnkFlt   -   on demand
`binary: System32\DRIVERS\nwlnkflt.sys
*IPX Traffic Forwarder Driver   NwlnkFwd   -   on demand
`binary: System32\DRIVERS\nwlnkfwd.sys
*NWLink IPX/SPX/NetBIOS Compatible Transport Pro   NwlnkIpx   running   auto
`tocol
`binary: System32\DRIVERS\nwlnkipx.sys
*NWLink NetBIOS   NwlnkNb   running   auto
`binary: System32\DRIVERS\nwlnknb.sys
*NWLink SPX/SPXII Protocol   NwlnkSpx   running   auto
`binary: System32\DRIVERS\nwlnkspx.sys
*VIA OHCI Compliant IEEE 1394 Host Controller   ohci1394   running   boot
`binary: \SystemRoot\System32\DRIVERS\ohci1394.sys
*Parallel port driver   Parport   running   on demand
`binary: System32\DRIVERS\parport.sys
*PartMgr   PartMgr   running   boot
`binary:
*ParVdm   ParVdm   running   auto
`binary:
*PCI Bus Driver   PCI   running   boot
`binary: \SystemRoot\System32\DRIVERS\pci.sys
*PCIDump   PCIDump   -   system
`binary:
*PCIIde   PCIIde   running   boot
`binary: \SystemRoot\System32\DRIVERS\pciide.sys
*Pcmcia   Pcmcia   -   disabled
`binary:
*PDCOMP   PDCOMP   -   on demand
`binary:
*PDFRAME   PDFRAME   -   on demand
`binary:
*PDRELI   PDRELI   -   on demand
`binary:
*PDRFRAME   PDRFRAME   -   on demand
`binary:
*perc2   perc2   -   disabled
`binary:
*perc2hib   perc2hib   -   disabled
`binary:
*Padus ASPI Shell   pfc   running   on demand
`binary: \??\C:\WINDOWS\System32\drivers\pfc.sys
*Iomega Parallel Port Legacy Filter Driver   ppa3   running   boot
`binary: \SystemRoot\System32\DRIVERS\ppa3.sys
*WAN Miniport (PPTP)   PptpMiniport   running   on demand
`binary: System32\DRIVERS\raspptp.sys
*Processor Driver   Processor   running   system
`binary: System32\DRIVERS\processr.sys
*Ps2   Ps2   running   on demand
`binary: System32\DRIVERS\PS2.sys
*QoS Packet Scheduler   PSched   running   on demand
`binary: System32\DRIVERS\psched.sys
*Direct Parallel Link Driver   Ptilink   running   on demand
`binary: System32\DRIVERS\ptilink.sys
*PxHelp20   PxHelp20   running   boot
`binary: \SystemRoot\System32\DRIVERS\PxHelp20.sys
*ql1080   ql1080   -   disabled
`binary:
*Ql10wnt   Ql10wnt   -   disabled
`binary:
*ql12160   ql12160   -   disabled
`binary:
*ql1240   ql1240   -   disabled
`binary:
*ql1280   ql1280   -   disabled
`binary:
*Remote Access Auto Connection Driver   RasAcd   running   system
`binary: System32\DRIVERS\rasacd.sys
*WAN Miniport (L2TP)   Rasl2tp   running   on demand
`binary: System32\DRIVERS\rasl2tp.sys
*Remote Access PPPOE Driver   RasPppoe   running   on demand
`binary: System32\DRIVERS\raspppoe.sys
*Direct Parallel   Raspti   running   on demand
`binary: System32\DRIVERS\raspti.sys
*Rdbss   Rdbss   running   system
`binary: System32\DRIVERS\rdbss.sys
*RDPCDD   RDPCDD   running   system
`binary: System32\DRIVERS\RDPCDD.sys
*RDPWD   RDPWD   -   on demand
`binary:
*Digital CD Audio Playback Filter Driver   redbook   running   system
`binary: System32\DRIVERS\redbook.sys
*Realtek RTL8139/810x Family Fast Ethernet NIC N   rtl8139   -   on demand
`T Driver
`binary: System32\DRIVERS\R8139n51.SYS
*S3Psddr   S3Psddr   -   on demand
`binary: System32\DRIVERS\s3gnbm.sys
*SAVRT   SAVRT   running   system
`binary: \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS
*SAVRTPEL   SAVRTPEL   running   system
`binary: \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS
*Secdrv   Secdrv   -   on demand
`binary: System32\DRIVERS\secdrv.sys
*Serenum Filter Driver   Serenum   running   on demand
`binary: System32\DRIVERS\serenum.sys
*Serial port driver   Serial   running   system
`binary: System32\DRIVERS\serial.sys
*Sfloppy   Sfloppy   -   system
`binary:
*Simbad   Simbad   -   disabled
`binary:
*SiS315   SiS315   -   on demand
`binary: System32\DRIVERS\sisgrp.sys
*SiS AGP Filter   SISAGP   running   boot
`binary: \SystemRoot\System32\DRIVERS\SISAGPX.sys
*SiSkp   SiSkp   running   system
`binary: System32\DRIVERS\srvkp.sys
*BDA Slip De-Framer   SLIP   -   on demand
`binary: System32\DRIVERS\SLIP.sys
*Sparrow   Sparrow   -   disabled
`binary:
*Microsoft Kernel Audio Splitter   splitter   -   on demand
`binary: system32\drivers\splitter.sys
*System Restore Filter Driver   sr   -   disabled
`binary: \SystemRoot\System32\DRIVERS\sr.sys
*Srv   Srv   running   on demand
`binary: System32\DRIVERS\srv.sys
*BDA IPSink   streamip   -   on demand
`binary: System32\DRIVERS\StreamIP.sys
*Software Bus Driver   swenum   running   on demand
`binary: System32\DRIVERS\swenum.sys
*Microsoft Kernel GS Wavetable Synthesizer   swmidi   -   on demand
`binary: system32\drivers\swmidi.sys
*symc810   symc810   -   disabled
`binary:
*symc8xx   symc8xx   -   disabled
`binary:
*SYMDNS   SYMDNS   running   on demand
`binary: \SystemRoot\System32\Drivers\SYMDNS.SYS
*SymEvent   SymEvent   running   on demand
`binary: \??\C:\Program Files\Symantec\SYMEVENT.SYS
*SYMFW   SYMFW   running   on demand
`binary: \SystemRoot\System32\Drivers\SYMFW.SYS
*SYMIDS   SYMIDS   running   on demand
`binary: \SystemRoot\System32\Drivers\SYMIDS.SYS
*SYMIDSCO   SYMIDSCO   running   on demand
`binary: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050303.027\symidsco.sys
*symlcbrd   symlcbrd   running   auto
`binary: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys
*SYMNDIS   SYMNDIS   running   on demand
`binary: \SystemRoot\System32\Drivers\SYMNDIS.SYS
*SYMREDRV   SYMREDRV   running   on demand
`binary: \SystemRoot\System32\Drivers\SYMREDRV.SYS
*SYMTDI   SYMTDI   running   system
`binary: \SystemRoot\System32\Drivers\SYMTDI.SYS
*sym_hi   sym_hi   -   disabled
`binary:
*sym_u3   sym_u3   -   disabled
`binary:
*Microsoft Kernel System Audio Device   sysaudio   running   on demand
`binary: system32\drivers\sysaudio.sys
*TCP/IP Protocol Driver   Tcpip   running   system
`binary: System32\DRIVERS\tcpip.sys
*TDPIPE   TDPIPE   -   on demand
`binary:
*TDTCP   TDTCP   -   on demand
`binary:
*Terminal Device Driver   TermDD   running   system
`binary: System32\DRIVERS\termdd.sys
*TosIde   TosIde   -   disabled
`binary:
*Udfs   Udfs   -   disabled
`binary:
*ultra   ultra   -   disabled
`binary:
*Microcode Update Driver   Update   running   on demand
`binary: System32\DRIVERS\update.sys
*Microsoft USB 2.0 Enhanced Host Controller Mini   usbehci   running   on demand
`port Driver
`binary: System32\DRIVERS\usbehci.sys
*Microsoft USB Standard Hub Driver   usbhub   running   on demand
`binary: System32\DRIVERS\usbhub.sys
*Microsoft USB Open Host Controller Miniport Dri   usbohci   -   on demand
`ver
`binary: System32\DRIVERS\usbohci.sys
*Microsoft USB PRINTER Class   usbprint   running   on demand
`binary: System32\DRIVERS\usbprint.sys
*USB Scanner Driver   usbscan   running   on demand
`binary: System32\DRIVERS\usbscan.sys
*USB Mass Storage Driver   USBSTOR   running   on demand
`binary: System32\DRIVERS\USBSTOR.SYS
*Microsoft USB Universal Host Controller Minipor   usbuhci   running   on demand
`t Driver
`binary: System32\DRIVERS\usbuhci.sys
*VgaSave   VgaSave   running   system
`binary: \SystemRoot\System32\drivers\vga.sys
*VIA AGP Filter   viaagp1   running   boot
`binary: \SystemRoot\System32\DRIVERS\viaagp1.sys
*viagfx   viagfx   running   on demand
`binary: System32\DRIVERS\vtmini.sys
*ViaIde   ViaIde   running   boot
`binary: \SystemRoot\System32\DRIVERS\viaide.sys
*VolSnap   VolSnap   running   boot
`binary:
*Remote Access IP ARP Driver   Wanarp   running   on demand
`binary: System32\DRIVERS\wanarp.sys
*WDICA   WDICA   -   on demand
`binary:
*Microsoft WINMM WDM Audio Compatibility Driver   wdmaud   running   on demand
`binary: system32\drivers\wdmaud.sys
*Windows Socket 2.0 Non-IFS Service Provider Sup   WS2IFSL   -   on demand
`port Environment
`binary: \SystemRoot\System32\drivers\ws2ifsl.sys
*World Standard Teletext Codec   WSTCODEC   -   on demand
`binary: System32\DRIVERS\WSTCODEC.SYS
*X4HS32   X4HS32   running   auto
`binary: \??\C:\Program Files\EXEtender\X4HS32.Sys
*Intel® Graphics Platform (SoftBIOS) Driver   {6080A529-897E-4629-   -   on demand
`binary: system32\drivers\ialmsbw.sys
*Intel® Graphics Chipset (KCH) Driver   {D31A0762-0CEB-444e-   -   on demand
`binary: system32\drivers\ialmkchw.sys
»Application specific
Title: Need help w/ hitchhiker - logs included
Post by: guestolo on May 01, 2005, 01:48:05 PM: Can you do me a favor please
Locate.bat and Startdreck both identify the same file, but I'm sure there is also a legit file by the same name

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Navigate to this file
C:\WINDOWS\SYSTEM32\DRIVERS\LTMDMNTC.SYS
Right click on LTMDMNTC.SYS and left click properties
Version tab if one
Let me know any info you can find about it including date and size
Does it show who it's related too?

Could you also go to this site please
Give this site time to load
Jotti's Online Malware scan (http://\"http://virusscan.jotti.org/\")

Use the browse button and navigate to this file on your hard disk
C:\WINDOWS\SYSTEM32\DRIVERS\LTMDMNTC.SYS <--this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please, just the scanner results
Title: Need help w/ hitchhiker - logs included
Post by: scrappingmama on May 01, 2005, 02:08:10 PM: Okay. I checked everything. Ltmdmntc.sys does not have a version tab. The date is 7/2/2003 1:33 AM and it is 31KB. Just to know that I also found another file in that directory. It is named ltmdmnt.sys. It had a version tab. It is from Agere Systems 2003 and is listed as Agere Windows Modem. It has the same date and it is 638KB.

When I ran the scan you asked for I got the following results (ltmdmtnc.sys) --
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file.

For the heck of it, I scanned the other file as well (ltmdmtn.sys). It scanned fine and said nothing was found.

Let me know if there is anything else I need to run. Thanks for your help.
Title: Need help w/ hitchhiker - logs included
Post by: guestolo on May 01, 2005, 02:25:54 PM: Let's play it safe this time and we'll get it next time if needed
ltmdmnt.sys is legit

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4\")
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

After that find and delete these files
C:\WINDOWS\stsheets.dat <-file
C:\WINDOWS\hosts <file, in the Windows folder only

Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (http://\"http://rl.webtracer.cc/-/?pcscm\") (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (http://\"http://rl.webtracer.cc/-/?pcscm\") (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://rl.webtracer.cc/-/?pcscm (http://\"http://rl.webtracer.cc/-/?pcscm\") (obfuscated)

O1 - Hosts: 1159680172 auto.search.msn.com

O19 - User stylesheet: C:\WINDOWS\stsheets.dat

After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart back to Normal mode

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back a fresh Hijackthis log afterwards
Run Locate.bat again and post the log
Title: Need help w/ hitchhiker - logs included
Post by: scrappingmama on May 01, 2005, 04:17:57 PM: Okay. I did everything you recommended. When I ran HijackThis in safe mode I did not see entries for R0, O1, or O19. I did everything else as stated. When I went back to normal mode and tried to change the internet options from the control panel, it kept changing back the home page. I ran HijackThis in normal mode and saw the webtracer entry in there (I could also see the R0, O1, and O19 entried in normal mode). I started the whole process over but I still didn't see the R0, O1, or O19 entry in safe mode. Again, when I got to the internet options in the control panel I still couldn't reset the home page. Here are my log files --

** locate.bat **
C:\WINDOWS\SYSTEM32\DRIVERS\LTMDMNTC.SYS

** HijackThis.log **
Logfile of HijackThis v1.99.1
Scan saved at 4:09:47 PM, on 5/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (http://\"http://rl.webtracer.cc/-/?pcscm\") (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (http://\"http://rl.webtracer.cc/-/?pcscm\") (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 1159680172 auto.search.msn.com
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098110564015 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098110564015\")
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (http://\"http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab\")
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx (http://\"http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx\")
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab (http://\"http://www.nick.com/common/groove/gx/GrooveAX27.cab\")
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/Tra...ransferCtrl.cab (http://\"http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab\")
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab (http://\"http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab\")
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab (http://\"http://www.snapfish.com/SnapfishUpload.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab\")
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab (http://\"http://download.toontown.com/sv1.0.14.48/ttinst.cab\")
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab (http://\"http://photo.walmart.com/photo/uploads/WebUploadClient.cab\")
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab (http://\"http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab (http://\"http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323 (http://\"http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323\")
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab (http://\"http://cdn.digitalcity.com/_media/dalaillama/ampx.cab\")
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
Title: Need help w/ hitchhiker - logs included
Post by: guestolo on May 01, 2005, 07:08:03 PM: Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (http://\"http://rl.webtracer.cc/-/?pcscm\") (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (http://\"http://rl.webtracer.cc/-/?pcscm\") (obfuscated)

O1 - Hosts: 1159680172 auto.search.msn.com

O19 - User stylesheet: C:\WINDOWS\stsheets.dat

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart into safe mode

Navigate to this file
C:\WINDOWS\SYSTEM32\DRIVERS\LTMDMNTC.SYS
Right click on LTMDMNTC.SYS and rename it too LTMDMNTC.old

Delete these files
C:\WINDOWS\stsheets.dat <-file
C:\WINDOWS\hosts <file, in the Windows folder only

Restart back to Normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back a fresh Hijackthis log afterwards
Could you also open Hijackthis>>Open misc tools section
Open the Hosts file manager
Click "Open In Notepad"
Copy and paste back the whole contents of the hosts text file that opens
Title: Need help w/ hitchhiker - logs included
Post by: scrappingmama on May 01, 2005, 08:50:31 PM: I think we are getting closer because my internet options allowed me to reset my home page to MSN. Here is what I did and what happened along the way.

1. I ran HijackThis in normal mode (logged on as Owner, could not log on as admin).
2. I checked all that you asked for but got the following error. "HijackThis could not write the selected changes to your hosts file. The probablye cause is that some program is denying access to it, or that your user account doesn't have rights to write to it."
3. I then selected all but the O1 host and select Fix Checked and it worked without the error.
4. I started in safe mode as Admin (this is the only place I can choose Admin)
5. I renamed the LTMDMNTC.SYS file to .OLD
6. I deleted the two files -- stssheets.dat and hosts. I found it interesting that there was a hosts.new file that was created only minutes before (I didn't touch this one)
7. I restarted in Normal mode and reset my browser settings. (It reset the home page.)
8. I ran HijackThis and have posted the log below. I see there is still a webtracer in there, but things are looking better.
9. I opened the Misc Tools section for HijackThis but when I clicked to open the Hosts file manager I got the following error "Cannot find the hosts file. Do you want to created a new, default hosts file?" I did not select Yes because I didn't know if this was the proper selection. Please let me know what I should do here.

** HijackThis log **
Logfile of HijackThis v1.99.1
Scan saved at 8:35:30 PM, on 5/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (http://\"http://rl.webtracer.cc/-/?pcscm\") (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098110564015 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098110564015\")
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (http://\"http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab\")
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx (http://\"http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx\")
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab (http://\"http://www.nick.com/common/groove/gx/GrooveAX27.cab\")
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/Tra...ransferCtrl.cab (http://\"http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab\")
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab (http://\"http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab\")
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab (http://\"http://www.snapfish.com/SnapfishUpload.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab\")
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab (http://\"http://download.toontown.com/sv1.0.14.48/ttinst.cab\")
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab (http://\"http://photo.walmart.com/photo/uploads/WebUploadClient.cab\")
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab (http://\"http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab (http://\"http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323 (http://\"http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323\")
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab (http://\"http://cdn.digitalcity.com/_media/dalaillama/ampx.cab\")
O19 - User stylesheet: C:\WINDOWS\stsheets.dat (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
Title: Need help w/ hitchhiker - logs included
Post by: guestolo on May 01, 2005, 09:35:39 PM: Go ahead and delete the hosts.new file in the Windows folder

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (http://\"http://rl.webtracer.cc/-/?pcscm\") (obfuscated)

O19 - User stylesheet: C:\WINDOWS\stsheets.dat (file missing)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

Back in Windows
Open up Hosts file manager in Hijackthis and allow it to create a new hosts file

Afterwards
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://\"http://www.lavasoftusa.com/support/download/\")
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Post back with a fresh Hijackthis log afterwards

NOTE: Normally in a Hijackthis log, I will see 04 entries in the log
Legit entries, such as ones associated with your virus scanner
Have you tried fixes with hijackthis before posting your log here???
Or do you have entries disabled on startup with Msconfig??
Title: Need help w/ hitchhiker - logs included
Post by: scrappingmama on May 01, 2005, 11:32:19 PM: I deleted the hosts.new folder, ran a new scan with HijackThis, and removed the entries using Fix Checked. I created the new Hosts file and the print out of it is below. I tried to run AdAware SE Personal 1.05, but I continue to get the same error I received before when I try to get updates. It says "Error Retrieving Update". I try it with and without the HTTP Proxy selection. I can run a scan with it, but can't get any updated defs.

In answer to your question about my AV protection. I have both Norton AV and Norton Internet Security. Both are legit and expire in July 2005. I got some type of warning about a week or so ago that said something about my subscription was going to expire. I set it on "remind me later" and ignored it since I knew it wasn't for a while. I cannot enable security on NIS and I can't enable autoprotect on NAV. I can do a scan with NAV and update defs but that is it. I have only used MSConfig in the past to do a safe mode boot back when I thought I had a virus (W32.Gaobot.DEY) and was following the Symantec steps on their site. But NAV and NIS already weren't working. I had never heard of HijackThis until I came here, so I had never used that before.

I went ahead and did another scan it HighjackThis and posted the log below even though I didn't make it all the way through your steps. Also, I'm now throwing a bunch of "Windows Explorer has to close" errors. Thanks.

** Hosts File**
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

** HijackThis log **
Logfile of HijackThis v1.99.1
Scan saved at 11:15:32 PM, on 5/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098110564015 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098110564015\")
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (http://\"http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab\")
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx (http://\"http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx\")
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab (http://\"http://www.nick.com/common/groove/gx/GrooveAX27.cab\")
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/Tra...ransferCtrl.cab (http://\"http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab\")
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab (http://\"http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab\")
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab (http://\"http://www.snapfish.com/SnapfishUpload.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab\")
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab (http://\"http://download.toontown.com/sv1.0.14.48/ttinst.cab\")
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab (http://\"http://photo.walmart.com/photo/uploads/WebUploadClient.cab\")
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab (http://\"http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab (http://\"http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323 (http://\"http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323\")
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab (http://\"http://cdn.digitalcity.com/_media/dalaillama/ampx.cab\")
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
Title: Need help w/ hitchhiker - logs included
Post by: guestolo on May 01, 2005, 11:37:35 PM: Could you also do the following
Go to this link
http://www.lavasoftusa.com/support/download/ (http://\"http://www.lavasoftusa.com/support/download/\")
Download the latest definition file

UNZIP it to your
C:\Program Files\Lavasoft\Ad-Aware SE Personal folder
Allow to overwrite if prompted and run another scan
Restart if Criticals are found and fixed

I'll look into your updating problems

I would try a total uninstall of Norton's and reinstall

EDIT>>Also, go to start>>run>>type in eventvwr
double click Applications
Do you see error messages, double click on them and see what there related too
Title: Need help w/ hitchhiker - logs included
Post by: scrappingmama on May 02, 2005, 12:10:40 AM: I just got the defs downloaded and installed manually for AdAware. I will run the scan tonight and post the info tomorrow. There were a few errors in eventviewer and I'm listing them below. For my NAV and NIS, I have been researching on Symantec and trying all that they say. I still can't get them to start on their own even though they say in the services, etc. that they are started. I have found the box the software came in. Now I just have to find the CD and hope that it is still in the sleeve with the activation numbers. /sad.gif\' class=\'bbc_emoticon\' alt=\':(\' />

**Event Viewer errors (all errors say to contact Microsoft) **
Fault bucket 22978895.

Faulting application explorer.exe, version 6.0.2800.1106, faulting module ntdll.dll, version 5.1.2600.1106, fault address 0x00001e3f.

Faulting application explorer.exe, version 6.0.2800.1106, faulting module uxtheme.dll, version 6.0.2800.1106, fault address 0x0000b49d.

Faulting application explorer.exe, version 6.0.2800.1106, faulting module unknown, version 0.0.0.0, fault address 0x68df404c.

Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Title: Need help w/ hitchhiker - logs included
Post by: guestolo on May 02, 2005, 12:25:42 AM: The only thing I can really find is that you can't update Ad-Aware automatically because of the possibility of a Firewall
Since your having problems with Norton's
I would bet it is the cause of it all
Title: Need help w/ hitchhiker - logs included
Post by: scrappingmama on May 02, 2005, 09:25:54 AM: I finished the AdAware scan and got 12 criticals. Three were Alexa registry entries and the others were various files including some browser hijacks (some of the sites that I was being taken to) and a Coulumb Dialer. I cleaned everything up and have run a fresh HijackThis and posted below. I would assume the firewall you are saying that I am having trouble with must not be related to my NIS, but to my router. I am fairly new to routers, so I will poke around there. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 9:21:52 AM, on 5/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098110564015 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098110564015\")
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (http://\"http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab\")
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx (http://\"http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx\")
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab (http://\"http://www.nick.com/common/groove/gx/GrooveAX27.cab\")
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/Tra...ransferCtrl.cab (http://\"http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab\")
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab (http://\"http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab\")
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab (http://\"http://www.snapfish.com/SnapfishUpload.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab\")
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab (http://\"http://download.toontown.com/sv1.0.14.48/ttinst.cab\")
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab (http://\"http://photo.walmart.com/photo/uploads/WebUploadClient.cab\")
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab (http://\"http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab (http://\"http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323 (http://\"http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323\")
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab (http://\"http://cdn.digitalcity.com/_media/dalaillama/ampx.cab\")
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
Title: Need help w/ hitchhiker - logs included
Post by: scrappingmama on May 02, 2005, 12:47:24 PM: I don't know if this helps in solving my final issues of connection, but I also cannot get MSN Messenger to work now. It says I'm not connected to the internet. I have two other laptops that are connected wireless through my router and all of there features are working fine. It is just my hardwired desktop that has been having all these issues. I looked at the firewall for the router, but it is pretty extensive to change. I'm not sure if that is the correct direction anyway since all my other computers are working fine.
Title: Need help w/ hitchhiker - logs included
Post by: scrappingmama on May 02, 2005, 03:48:30 PM: After getting all types of access problems for MSN Messenger, my online banking, an internet game and any javascript I finally gave up on Norton. Using their tools, it showed that a registry entry was corrupt or missing (I think you said this). I can't seem to find the disks to reinstall, but I had to get into my other apps. Therefore, I removed all of Norton. I am installing one of the free apps that I have seen posted here before. Thanks for all your help. Any other words of guidance would be appreciated but not required. /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Title: Need help w/ hitchhiker - logs included
Post by: guestolo on May 02, 2005, 06:18:56 PM: I missed one bad active x control in your log to clean out

With all other windows closed, can you have Hijackthis fix this entry
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab (http://\"http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab\")

Retstart the computer

Back in Windows, I'm not sure how far you got on uninstalling Nortons
But if you got it totally removed
I would definitely look into the free versions of AVG or AVAST
from my links above
You only need one, more than one is not a good thing

Once you have everything running good

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.3 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Title: Need help w/ hitchhiker - logs included
Post by: Drifta on May 03, 2005, 07:03:51 PM: hi ive been having problems with my machine ive posted my hijack this below hopefully you could recommend me something to help. cheers thanks

Logfile of HijackThis v1.99.0
Scan saved at 2:24:50 p.m., on 28/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\necmfk\necmfk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/ (http://\"http://www.xtra.co.nz/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NECMFK] C:\Program Files\necmfk\necmfk.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109985564832 (http://\"http://v5.windowsupdate.microsoft.com/v5co...b?1109985564832\")
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

thanks for any help you can provide