#26
"bump"

#27

Your log now looks fine; I'd like Mosaic1 to take a look at your VXfinder log, as I have no experience using that application.
__________________
Tony - CLSID List - A Collection of Autostart Locations

#28

sisbkup1028k.dll

Do you have a copy of this file in your Recycle Bin? If so I would like a copy of it please for analysis. Let me know and I'll PM you my email address. Thanks.

I am not clear on what your current status actually is. Are you still getting errors? And if so, what and when?

VX2 looks ok but you should remove the User Agent String. Run VX2 Finder again. Once the results come up, click the UserAgent Button on the right to remove the User Agent String.

#29

I don't have a copy of the sisbkup1028k.dll file in my Recycle bin; I deleted it on 7/22 and shredded the contents of my Recycle bin. I will remove the User Agent with VX2Finder this evening.

As far as my PC's current status, here are some details. The PC is fine in safe mode - connects to the Internet, brings up my homepage, other websites, etc. The PC is NOT fine in normal mode - it tries to connect to the Internet, gets about 2 bars worth on the progress bar and then quickly does the rest of the bars and brings up a blank white screen with no URL in the address bar. When I type in a URL and hit enter, it does the same thing, looks like it's going to do something, and just comes up with a blank white screen. I absolutely cannot connect to a single site in normal mode. I cannot download anything, even in safe mode. I tried re-installing the Comcast Internet connection program and when I did that, I was able to connect, surf, etc. (not download though). But when I closed out that session and then double-clicked to get back in, the same old blank white screen stuff happened.

I know I need 7 or 8 Windows XP Home Edition critical updates, but I get to the Microsoft Updates' page in safe mode and click to install them, but the download never happens. The only other weird thing that I've noticed is what I brought up before, that when I hover my mouse on my desktop over the Comcast Internet icon and right-click, two of the options, Open and the third one, whatever that is, the word is missing - you don't see "Open" listed on the menu and one other choice.

I ran AdAware this weekend, SpywareBlaster, Spybot, and Bazooka again. Spybot only comes up with DSO Exploit; SpywareBlaster is totally up-to-date; Bazooka found nothing, and AdAware found for the second week in a row, VX2. Last time and this time, I clicked to have it delete and quarantine it, and it does, but it keeps showing up, so something is not right. A couple weeks ago, PestScan found 5 things: EUniverse, BingoFunGames, CWS, EbatesMoneyMaker, and SandBoxer. I used the manual removal procedures at http://www.pestpatrol.com/PestInfo/... to get rid of BingoFunGames and I think EbatesMoneyMaker. I will try to run it again tonight to see if it still shows the other three.

That's where I am right now - I want my PC back and normal again!

#30

Where is your firewall?

If you can get on the internet in Safe Mode and not in normal, then it's time to ask yourself what runs in normal mode which doesn't in Safe Mode. Run hijackthis in both modes and look at the running processes. Where are the differences? Can you start disabling some of the startups in groups and then try Regular Mode? See if you can get on the internet. It would be a matter of ruling them out a few at a time. Don't forget to re-enable after you have finished testing.

#31

We have McAfee and Windows XP Home Edition has their Internet Connection Firewall, but I have had to disable that from time to time during this whole troubleshooting period.
Good news - I re-ran the VX2Finder and got rid of the user agent. I was able to download and install all of the critical Windows updates. I added our Comcast (ISP) in my trusted sites and guess what? I was actually able to get on the Internet last night in normal mode! Yahoo!

However, I did run several of the anti-spyware programs (Adaware, SpyBot, SpywareBlaster, Housecall, etc.) and Adaware found something new, Rads01.Quadrogram (malware) and deleted and quarantined it. Housecall found a non-cleanable Troj_Agent.AE on C:\System Volume Information\_restore {ED67 ..}\RP316\A0217443.exe. I deleted the file, re-booted, and could still get on the Internet in normal mode.

My question has to do with the two log files, one from Safe Mode and one from Normal Mode - can you look at them and tell me if I should have HJT fix anything?

Thanks, Lisa

Logfile of HijackThis v1.98.0 (Normal Mode)
Scan saved at 6:34:14 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SWG\sgmain.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\SWG\sgbhp.exe
C:\Program Files\newhjt\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/comcast.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SWG\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ComcastHSI - {08B54801-872C-48B6-A6E1-C82654633165} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {1E62ABE5-B3F6-4C97-94D3-DEA011F942BC} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {277FF29F-D738-4FF0-9D59-8505264F5DB3} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\INLOADER519v.dll

Logfile of HijackThis v1.98.0 (Safe Mode)
Scan saved at 8:11:12 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\newhjt\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder\SHRED32.EXE" /q C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.SH!
O4 - HKCU\..\RunOnce: [RealPlayer0] "C:\Program Files\Real\RealPlayer\realplay.exe" "/firstrun C:\Program Files\Real\RealPlayer\firstrun.smi"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SWG\sgmain.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\INLOADER519v.dll
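Mosaic1's advice in #30, to run HijackThis in both modes and look at what runs in Normal Mode but not in Safe Mode, can be done mechanically. The script below is an added example, not code from the thread or from HijackThis: it parses two logs in the HJT 1.98 layout posted in #31, lists the processes that appear only in Normal Mode, and flags entry types such as the O20 AppInit_DLLs line. The two sample logs are constructed, abbreviated versions in the same layout, not Lisa's full logs.

```python
"""Diff two HijackThis v1.98 logs (Normal Mode vs Safe Mode) and flag
persistence entries worth a closer look.  Added example; the sample logs
below are constructed and abbreviated but follow the real HJT layout."""
import re

# Constructed sample logs (abbreviated, HijackThis 1.98 layout).
NORMAL_LOG = r"""Logfile of HijackThis v1.98.0
Scan saved at 6:34:14 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SWG\sgbhp.exe
C:\Program Files\Support.com\bin\tgcmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O9 - Extra button: ComcastHSI - {08B54801-872C-48B6-A6E1-C82654633165} - http://www.comcast.net (file missing) (HKCU)
O20 - AppInit_DLLs: C:\WINDOWS\System32\INLOADER519v.dll
"""

SAFE_LOG = r"""Logfile of HijackThis v1.98.0
Scan saved at 8:11:12 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O15 - Trusted Zone: http://*.windowsupdate.com
O20 - AppInit_DLLs: C:\WINDOWS\System32\INLOADER519v.dll
"""

# HJT entries look like "O20 - AppInit_DLLs: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")

# Entry types that deserve attention whatever they point at.  A DLL listed in
# AppInit_DLLs is loaded into every process that maps user32.dll, which is why
# such an entry keeps re-asserting itself on a machine that was "cleaned".
ALWAYS_REVIEW = {
    "O20": "AppInit_DLLs / Winlogon Notify: DLL injected into every GUI process",
    "O15": "Trusted Zone: site gets relaxed IE security settings",
    "O16": "DPF: ActiveX control downloaded and registered by a web page",
}


def parse_hjt(text):
    """Split a HijackThis log into (processes, entries).

    processes: image paths listed under 'Running processes:'
    entries:   (code, body) tuples such as ('O20', 'AppInit_DLLs: ...')
    """
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # the first Rn/On line ends the process list
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def compare_modes(normal_text, safe_text):
    """Return what runs only in Normal Mode plus entries flagged for review."""
    n_procs, n_entries = parse_hjt(normal_text)
    s_procs, _ = parse_hjt(safe_text)
    safe_set = {p.lower() for p in s_procs}
    # Safe Mode skips most Run keys and services, so whatever is extra in
    # Normal Mode is the set to disable in groups when Normal Mode misbehaves.
    only_normal = [p for p in n_procs if p.lower() not in safe_set]
    flagged = []
    for code, body in n_entries:
        if code in ALWAYS_REVIEW:
            flagged.append((code, body, ALWAYS_REVIEW[code]))
        elif "(file missing)" in body:
            flagged.append((code, body, "points at a file that no longer exists"))
    return {"only_normal": only_normal, "flagged": flagged}


if __name__ == "__main__":
    result = compare_modes(NORMAL_LOG, SAFE_LOG)
    print("Runs in Normal Mode only:")
    for path in result["only_normal"]:
        print("  " + path)
    print("Entries to review:")
    for code, body, why in result["flagged"]:
        print(f"  {code} - {body}\n      -> {why}")
```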

#32

As a test, take Comcast out of trusted and see if you still get on the internet.

I see you have a new AppInit_Dlls file added. Its name is: INLOADER519v.dll and it is in System32. Go to System32 please and look to see if it is visible. If so, right click on it and choose Send To > Compressed from the menu. This will create a new zip file. Please email me at Katie_3232 @hotmail.com and send the zip as an attachment along with a reminder of this subject. I forget sometimes because I do so many. I have added a space before the @ on that address. Remove the space and the email address will work. I'll have a look and then send that file in for analysis.

This is not normal. You removed another earlier and now you have yet one more with a new name.

#33

Mo and Tony,

I didn't have to worry about the little test of taking Comcast out of my trusted sites because tonight I couldn't get on the Internet in normal mode at all. It was doing the same thing it always does - when I double-clicked on Comcast, it gets about 2 bars on the progress bar for connecting, then quickly draws the rest of the bars and leaves a blank white screen. Just to make sure that Comcast was still in my trusted sites, I checked and it was and I removed it, but same thing. So, we've regressed a little bit from yesterday. I'm in safe mode now.

I did email you the zipped file, the second AppInit_Dll, named INLOADER519v.dll, that is showing up in the O20 line of the HJT log files. When you send files in for analysis, what does that mean and how long does it take?

Thanks for all of your hard work and help! Lisa

#34

A couple things please.

You seem to be getting reinfected. I'd like you to go to the Internet Explorer Address Bar and paste this in. Then press enter.

javascript:navigator.userAgent

Copy and paste the result into your next reply.

#35

I'd like you to do a registry search for this CLSID please:

{7FDD59E7-B45B-41f5-A620-51DFF3F06D83}

As for a search of the registry, here's a very nice script to help you out. Download it and run it. When it starts, you will be prompted to enter a search phrase. Do that and go have a cup of coffee. When you get back, a message box will be there on the desktop. Say yes to open the results. Copy and paste the contents into a reply here. Once you close that file, it will be deleted, so please save it as results.txt. We may need it again.

Here's that link: http://www.billsway.com/vbspage/ Find Registry Search Tool and download it.

#36

Here are the results from the javascript:navigator.userAgent -

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

And, for the second item, the registry search by BillsWay.com ran very quickly, 16 secs or so, and came up with NO INSTANCES of the CLSID. I double-checked everything and still came up with the same result.

#37

See if you can fix the AppInit_Dlls value in HijackThis and then restart. Delete the file and see what happens. This is just repetition. It may come right back again.

As a start, let's clear the O20 entry and then reboot. Delete INLOADER519v.dll. Can you get on the internet now?

Go to Start > Run, type Regedit and press Enter. Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension

Right click on Extension and choose Export from the menu. This will make a copy of the key. Give it a name and then when saved, find the file. Right click, choose Edit. Copy and paste the contents into your next reply here.

Finally, let's disable SpywareGuard. In Msconfig remove checkmarks from the SpywareGuard entries. Then disable the BHO. You can download and use BHO Demon to disable the BHO. All this can easily be undone later. Here's the link to a page where you can download BHO Demon: http://www.computercops.biz/downloads-cat-14.html

#38

I have done everything that you suggested: had HJT fix the O20 entry, rebooted, deleted INLOADER519.dll, rebooted, then I could get on the Internet. Did the Regedit key file and will post shortly in a separate msg. Disabled SpywareGuard and disabled the BHO. After doing all of that, I rebooted and discovered that I could not get on the Internet in normal mode, so I'm typing this in safe mode.

#39

Regedit key file info below:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\.pdf]
"Content Type"="application/pdf"
"Version"="5.0.0.2001031500"
@="Adobe Acrobat"
"Location"="C:\\Program Files\\Internet Explorer\\PLUGINS\\nppdf32.dll"

#40

Ok, it seems your problem may be related to that AppInit_Dlls file reappearing. See if you have yet another one. Do a log and let me know. The real question is this: how is that thing being placed there? To be honest I don't know.

There is a new utility named Startup Tracker which sometimes shows what Hijackthis doesn't. It will get the active services too. Download, extract and run it. It will place its report on the clipboard. Reply here and paste it in. http://www.dougknox.com/xp/utils/xp_starttrack.htm

The Registry file you posted is OK.

With SpywareGuard disabled, can you download normally? I want you to be able to get this new utility. If you cannot, then can you get your emails? If so, PM me with your address and I'll send you a copy of the utility later. Re-enable SpywareGuard if it hasn't been shown to be faulty. It is not the cause of your download problems.

#41

Well, there's indeed a strange thing going on here! I forgot in my two messages yesterday to tell you that after doing all of the procedures last night, I re-ran HJT and did not see the AppInit reappear (yeah!). So, I have no clue how it's getting there either. I deleted INLOADER519v.dll from System32 folder, but I still have the zipped version of same that I emailed you - should I delete that too?

I haven't been able to download normally since this whole thing happened a month ago. I'm at work now and will download the Startup Tracker onto a floppy and extract it at home this evening and run it - so stay tuned for my next post for the report from that.

About SpywareGuard - I can re-enable it, but it hasn't worked right either since all of this. It brings up the front page and I click on "check for updates" and it always fails at that point ... looks like it's going to work and then comes back with the corrupt files or virus or whatever msg. A few weeks ago, I tried deleting the SpywareGuard program and while I can get rid of most of it, it always comes back with a msg. that some other program is using a few of the files and I can't delete them. I don't know what to do with it, but it's not doing me any good not functioning.

More later when I have the Startup Tracker report.

#42

That sounds awful! OK, go ahead and leave it disabled.

When you run Startup Tracker, would you run it once in Regular Mode first and save the log as a text file. Then boot to Safe Mode and run it again please, save the log and name it Safemode.txt. I'd like to compare what is running in each mode. Thanks.

#43

Okay, Mo, I only have the normal mode Startup Tracker log file. I'll have to do the safe mode this evening when I get home and post it separately. Here's the normal mode log file:
8/4/2004 6:17:16 AM -- Registry -- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce No Items Found -- Registry -- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run SystemTray SysTray.Exe HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe HPHmon03 C:\WINDOWS\System32\hphmon03.exe AdaptecDirectCD C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe Alogserv C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe ComcastSUPPORT C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start -- Registry -- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce No Items Found -- Registry -- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run H/PC Connection Agent "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background -- Registry -- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce No Items Found -- Registry -- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run H/PC Connection Agent "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" -- Start Menu - Current User -- No Items Found -- Start Menu - All Users -- Adobe Gamma Loader.lnk Acrobat Assistant.lnk Microtek Scanner Finder.lnk Microsoft Office.lnk -- Disabled Items -- SpywareGuard -- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -- Explorer.exe -- Running Processes -- System Idle Process System SMSS.EXE \SystemRoot\System32\smss.exe csrss.exe winlogon.exe winlogon.exe services.exe C:\WINDOWS\system32\services.exe lsass.exe C:\WINDOWS\system32\lsass.exe svchost.exe C:\WINDOWS\system32\svchost -k rpcss svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe spoolsv.exe C:\WINDOWS\system32\spoolsv.exe Avsynmgr.exe "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" svchost.exe C:\WINDOWS\System32\svchost.exe -k 
imgsvc Explorer.exe C:\WINDOWS\Explorer.EXE VSStat.exe "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe" Vshwin32.exe "C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe" Avconsol.exe "C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe" WebScanX.exe "C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe" hpztsb04.exe "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" hphmon03.exe "C:\WINDOWS\System32\hphmon03.exe" Directcd.exe "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" AlogServ.exe "C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe" CFD.exe "C:\Program Files\BroadJump\Client Foundation\CFD.exe" HPHipm09.exe C:\WINDOWS\System32\HPHipm09.exe wcescomm.exe "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" msmsgs.exe "C:\Program Files\Messenger\msmsgs.exe" /background AcroTray.exe "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" SDII.exe "C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe" tgcmd.exe "C:\Program Files\Support.com\bin\tgcmd.exe" /server Mcshield.exe "C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe" StartupTracker3.exe "C:\Documents and Settings\System Administrator\Local Settings\Temp\Temporary Directory 1 for StartupTracker3.zip\StartupTracker3.exe" wmiprvse.exe -- Running Services -- Name: AudioSrv Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: AvSynMgr Description: McAfee AVSync Manager Startup Mode: Auto Run from: "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" Name: BITS Description: Uses idle network bandwidth to transfer data. 
Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: CryptSvc Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs Name: Dhcp Description: Manages network configuration by registering and updating IP addresses and DNS names. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: Dnscache Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService Name: ERSvc Description: Allows error reporting for services and applictions running in non-standard environments. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: Eventlog Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Startup Mode: Auto Run from: C:\WINDOWS\system32\services.exe Name: EventSystem Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. 
If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: FastUserSwitchingCompatibility Description: Provides management for applications that require assistance in a multiple user environment. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: helpsvc Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: lanmanserver Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: lanmanworkstation Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: LmHosts Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k LocalService Name: McShield Description: McAfee On Access Scanner Startup Mode: Manual Run from: "C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe" Name: Messenger Description: Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. 
If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: Netman Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: Nla Description: Collects and stores network configuration and location information, and notifies applications when this information changes. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: PlugPlay Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Startup Mode: Auto Run from: C:\WINDOWS\system32\services.exe Name: Pml Driver Description: Startup Mode: Manual Run from: C:\WINDOWS\System32\HPHipm09.exe Name: PolicyAgent Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Startup Mode: Auto Run from: C:\WINDOWS\System32\lsass.exe Name: ProtectedStorage Description: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Startup Mode: Auto Run from: C:\WINDOWS\system32\lsass.exe Name: RasMan Description: Creates a network connection. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: RemoteAccess Description: Offers routing services to businesses in local area and wide area network environments. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: RpcSs Description: Provides the endpoint mapper and other miscellaneous RPC services. Startup Mode: Auto Run from: C:\WINDOWS\system32\svchost -k rpcss Name: SamSs Description: Stores security information for local user accounts. 
Startup Mode: Auto Run from: C:\WINDOWS\system32\lsass.exe Name: Schedule Description: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: seclogon Description: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: SENS Description: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Startup Mode: Auto Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs Name: ShellHWDetection Description: Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: Spooler Description: Loads files to memory for later printing. Startup Mode: Auto Run from: C:\WINDOWS\system32\spoolsv.exe Name: srservice Description: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: SSDPSRV Description: Enables discovery of UPnP devices on your home network. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k LocalService Name: stisvc Description: Provides image acquisition services for scanners and cameras. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k imgsvc Name: TapiSrv Description: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. 
Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: TermService Description: Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: Themes Description: Provides user experience theme management. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: TrkWks Description: Maintains links between NTFS files within a computer or across computers in a network domain. Startup Mode: Auto Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs Name: uploadmgr Description: Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: W32Time Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: WebClient Description: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. 
Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k LocalService Name: winmgmt Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs Name: wuauserv Description: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. Startup Mode: Auto Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs Name: WZCSVC Description: Provides automatic configuration for the 802.11 adapters Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
#44
I really needed the Safe Mode first and then the regular. There may have been something set to run and we could only see that in Safe mode.
Please go to Safe Mode and run HijackThis and Startup Tracker. Save the logs as Safemode HT.txt and Safemode ST.txt. Then boot to regular Windows and run both utilities. Save as Regular HT.txt and Regular ST.txt.
#45
Here are the (4) log files as you requested:
Logfile of HijackThis v1.98.0 (Safemode_HT.txt) Scan saved at 6:38:24 PM, on 8/4/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\newhjt\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll (disabled by BHODemon) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder\SHRED32.EXE" /q C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.SH! 
O4 - HKCU\..\RunOnce: [RealPlayer0] "C:\Program Files\Real\RealPlayer\realplay.exe" "/firstrun C:\Program Files\Real\RealPlayer\firstrun.smi" O4 - Startup: SpywareGuard.lnk = C:\Program Files\SWG\sgmain.exe O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net O15 - Trusted Zone: http://*.windowsupdate.com O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab 8/4/2004 6:31:07 PM Log File of Startup Tracker (Safemode_ST.txt) -- Registry -- 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce No Items Found -- Registry -- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run SystemTray SysTray.Exe HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe HPHmon03 C:\WINDOWS\System32\hphmon03.exe AdaptecDirectCD C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe Alogserv C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe ComcastSUPPORT C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start -- Registry -- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce DelayShred "C:\Program Files\McAfee\McAfee Shared Components\Shredder\SHRED32.EXE" /q C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.SH! RealPlayer0 "C:\Program Files\Real\RealPlayer\realplay.exe" "/firstrun C:\Program Files\Real\RealPlayer\firstrun.smi" -- Registry -- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run H/PC Connection Agent "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background -- Registry -- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce No Items Found -- Registry -- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run H/PC Connection Agent "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" -- Start Menu - Current User -- SpywareGuard.lnk BHODemon 2.0.lnk -- Start Menu - All Users -- Adobe Gamma Loader.lnk Acrobat Assistant.lnk Microtek Scanner Finder.lnk Microsoft Office.lnk -- Disabled Items -- SpywareGuard -- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -- Explorer.exe -- Running Processes -- System Idle Process System smss.exe \SystemRoot\System32\smss.exe csrss.exe winlogon.exe winlogon.exe services.exe C:\WINDOWS\system32\services.exe lsass.exe C:\WINDOWS\system32\lsass.exe svchost.exe C:\WINDOWS\system32\svchost -k rpcss svchost.exe 
C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe Explorer.EXE C:\WINDOWS\Explorer.EXE StartupTracker3.exe "C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for StartupTracker3.zip\StartupTracker3.exe" wmiprvse.exe -- Running Services -- Name: CryptSvc Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs Name: Dhcp Description: Manages network configuration by registering and updating IP addresses and DNS names. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: Dnscache Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService Name: Eventlog Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Startup Mode: Auto Run from: C:\WINDOWS\system32\services.exe Name: helpsvc Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. 
Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: lanmanserver Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: lanmanworkstation Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: LmHosts Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k LocalService Name: Messenger Description: Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: Netman Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: PlugPlay Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Startup Mode: Auto Run from: C:\WINDOWS\system32\services.exe Name: RpcSs Description: Provides the endpoint mapper and other miscellaneous RPC services. 
Startup Mode: Auto Run from: C:\WINDOWS\system32\svchost -k rpcss Name: srservice Description: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: TermService Description: Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: uploadmgr Description: Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: winmgmt Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. 
Startup Mode: Auto Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs Name: WZCSVC Description: Provides automatic configuration for the 802.11 adapters Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Logfile of HijackThis v1.98.0 in Regular Mode (Regular_HT.txt) Scan saved at 6:48:08 PM, on 8/4/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe C:\WINDOWS\System32\hphmon03.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Support.com\bin\tgcmd.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe C:\WINDOWS\System32\HPHipm09.exe C:\Program Files\newhjt\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/comcast.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
http://www.comcast.net/comcast.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast R3 - Default URLSearchHook is missing O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll (disabled by BHODemon) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... 
- {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: ComcastHSI - {08B54801-872C-48B6-A6E1-C82654633165} - http://www.comcast.net (file missing) (HKCU) O9 - Extra button: Support - {1E62ABE5-B3F6-4C97-94D3-DEA011F942BC} - http://www.comcastsupport.com (file missing) (HKCU) O9 - Extra button: Help - {277FF29F-D738-4FF0-9D59-8505264F5DB3} - http://www.comcast.net/memberservices/ (file missing) (HKCU) O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net O15 - Trusted Zone: http://www.comcast.net O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab 8/4/2004 6:49:14 PM Log File of Startup Tracker in Regular Mode (Regular_ST.txt) -- Registry -- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce No Items Found -- Registry -- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run SystemTray SysTray.Exe HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe HPHmon03 C:\WINDOWS\System32\hphmon03.exe AdaptecDirectCD C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe Alogserv C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe ComcastSUPPORT C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start -- Registry -- 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce No Items Found -- Registry -- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run H/PC Connection Agent "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background -- Registry -- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce No Items Found -- Registry -- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run H/PC Connection Agent "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" -- Start Menu - Current User -- No Items Found -- Start Menu - All Users -- Adobe Gamma Loader.lnk Acrobat Assistant.lnk Microtek Scanner Finder.lnk Microsoft Office.lnk -- Disabled Items -- SpywareGuard -- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -- Explorer.exe -- Running Processes -- System Idle Process System SMSS.EXE \SystemRoot\System32\smss.exe CSRSS.EXE WINLOGON.EXE winlogon.exe SERVICES.EXE C:\WINDOWS\system32\services.exe LSASS.EXE C:\WINDOWS\system32\lsass.exe SVCHOST.EXE C:\WINDOWS\system32\svchost -k rpcss SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k netsvcs SVCHOST.EXE SVCHOST.EXE SPOOLSV.EXE C:\WINDOWS\system32\spoolsv.exe Avsynmgr.exe "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k imgsvc VSStat.exe "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe" VSHWIN32.EXE "C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe" WebScanX.exe "C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe" Avconsol.exe "C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe" Explorer.EXE C:\WINDOWS\Explorer.EXE hpztsb04.exe "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" hphmon03.exe "C:\WINDOWS\System32\hphmon03.exe" Directcd.exe "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" AlogServ.exe "C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe" CFD.exe "C:\Program Files\BroadJump\Client 
Foundation\CFD.exe" wcescomm.exe "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" msmsgs.exe "C:\Program Files\Messenger\msmsgs.exe" /background tgcmd.exe "C:\Program Files\Support.com\bin\tgcmd.exe" /server AcroTray.exe "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" SDII.exe "C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe" Mcshield.exe "C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe" HPHipm09.exe C:\WINDOWS\System32\HPHipm09.exe StartupTracker3.exe "C:\Documents and Settings\System Administrator\Local Settings\Temp\Temporary Directory 2 for StartupTracker3.zip\StartupTracker3.exe" wmiprvse.exe -- Running Services -- Name: AudioSrv Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: AvSynMgr Description: McAfee AVSync Manager Startup Mode: Auto Run from: "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" Name: BITS Description: Uses idle network bandwidth to transfer data. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: CryptSvc Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs Name: Dhcp Description: Manages network configuration by registering and updating IP addresses and DNS names. 
Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: Dnscache Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService Name: ERSvc Description: Allows error reporting for services and applictions running in non-standard environments. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: Eventlog Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Startup Mode: Auto Run from: C:\WINDOWS\system32\services.exe Name: EventSystem Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: FastUserSwitchingCompatibility Description: Provides management for applications that require assistance in a multiple user environment. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: helpsvc Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: lanmanserver Description: Supports file, print, and named-pipe sharing over the network for this computer. 
If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: lanmanworkstation Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: LmHosts Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k LocalService Name: McShield Description: McAfee On Access Scanner Startup Mode: Manual Run from: "C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe" Name: Messenger Description: Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: Netman Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: Nla Description: Collects and stores network configuration and location information, and notifies applications when this information changes. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: PlugPlay Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. 
Startup Mode: Auto Run from: C:\WINDOWS\system32\services.exe Name: Pml Driver Description: Startup Mode: Manual Run from: C:\WINDOWS\System32\HPHipm09.exe Name: PolicyAgent Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Startup Mode: Auto Run from: C:\WINDOWS\System32\lsass.exe Name: ProtectedStorage Description: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Startup Mode: Auto Run from: C:\WINDOWS\system32\lsass.exe Name: RasMan Description: Creates a network connection. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: RemoteAccess Description: Offers routing services to businesses in local area and wide area network environments. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: RpcSs Description: Provides the endpoint mapper and other miscellaneous RPC services. Startup Mode: Auto Run from: C:\WINDOWS\system32\svchost -k rpcss Name: SamSs Description: Stores security information for local user accounts. Startup Mode: Auto Run from: C:\WINDOWS\system32\lsass.exe Name: Schedule Description: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: seclogon Description: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: SENS Description: Tracks system events such as Windows logon, network, and power events. 
Notifies COM+ Event System subscribers of these events. Startup Mode: Auto Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs Name: ShellHWDetection Description: Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: Spooler Description: Loads files to memory for later printing. Startup Mode: Auto Run from: C:\WINDOWS\system32\spoolsv.exe Name: srservice Description: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: SSDPSRV Description: Enables discovery of UPnP devices on your home network. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k LocalService Name: stisvc Description: Provides image acquisition services for scanners and cameras. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k imgsvc Name: TapiSrv Description: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: TermService Description: Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. Startup Mode: Manual Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: Themes Description: Provides user experience theme management. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: TrkWks Description: Maintains links between NTFS files within a computer or across computers in a network domain. 
Startup Mode: Auto Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs Name: uploadmgr Description: Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: W32Time Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs Name: WebClient Description: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k LocalService Name: winmgmt Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Startup Mode: Auto Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs Name: wuauserv Description: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. 
Startup Mode: Auto Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs Name: WZCSVC Description: Provides automatic configuration for the 802.11 adapters Startup Mode: Auto Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
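The safe-mode versus regular-mode comparison the helper asked for above, as an added example that is not part of the original thread or of HijackThis itself: it parses two HijackThis logs, diffs their entries per section (R0, O4, O15, ...) and running processes, and flags the entries a log reviewer looks at first. The embedded logs are constructed, abridged excerpts of the two logs posted in this reply.

```python
import re
from collections import defaultdict

# Constructed, abridged excerpts of the two HijackThis v1.98.0 logs posted above
# (safe mode, then regular mode); only a few lines of each are kept so it runs offline.
SAFE_MODE_LOG = r"""Logfile of HijackThis v1.98.0

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\newhjt\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder\SHRED32.EXE" /q C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.SH!
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SWG\sgmain.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
"""
REGULAR_MODE_LOG = r"""Logfile of HijackThis v1.98.0

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\newhjt\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R3 - Default URLSearchHook is missing
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ComcastHSI - {08B54801-872C-48B6-A6E1-C82654633165} - http://www.comcast.net (file missing) (HKCU)
O15 - Trusted Zone: http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
"""

# A HijackThis entry is "<section code> - <text>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Split a log into its running-process list (lower-cased, as Windows paths
    are case-insensitive) and its entries grouped by section code (R0, O4, ...)."""
    processes, entries, in_processes = set(), defaultdict(set), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries[match.group(1)].add(match.group(2))
        elif in_processes:
            processes.add(line.lower())
    return {"processes": processes, "entries": entries}


def diff_logs(base, other):
    """Return (only_in_base, only_in_other): per-section entries present in one
    log but not the other. Items only in regular mode are what safe mode hid."""
    only_base, only_other = {}, {}
    for code in sorted(set(base["entries"]) | set(other["entries"])):
        b, o = base["entries"].get(code, set()), other["entries"].get(code, set())
        if b - o:
            only_base[code] = sorted(b - o)
        if o - b:
            only_other[code] = sorted(o - b)
    return only_base, only_other


def review_flags(parsed):
    """Entries a reviewer looks at first: dangling references, O15 Trusted Zone sites, O16 DPF downloads."""
    flags = []
    for code, items in parsed["entries"].items():
        for item in items:
            if "(file missing)" in item or "(no file)" in item:
                flags.append((code, item, "referenced file is absent"))
            if code == "O15":
                flags.append((code, item, "site runs with Trusted Zone privileges in IE"))
            if code == "O16":
                flags.append((code, item, "downloaded ActiveX control; confirm it is expected"))
    return sorted(flags)


if __name__ == "__main__":
    safe, regular = parse_hjt(SAFE_MODE_LOG), parse_hjt(REGULAR_MODE_LOG)
    only_safe, only_regular = diff_logs(safe, regular)
    print("processes only in regular mode:", sorted(regular["processes"] - safe["processes"]))
    print("entries only in regular mode:", only_regular)
    print("entries only in safe mode:", only_safe)
    for code, item, why in review_flags(regular):
        print(f"REVIEW [{code}] {item}  <- {why}")
```

The Startup Tracker temp paths in the two logs above show the safe-mode log was taken under the Administrator profile and the regular-mode log under System Administrator, so differences on the HKCU side can come from the profile rather than from anything set to run.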
#46
"bump"
#47
I really don't know what else to tell you other than that whatever is going on, it is not visible to us. If it were my system I would format and reinstall. I rarely tell anyone to do that.