# (Solved) Trying to remove SAHagent and fix an internet connection problem.



## CypherZ28 (Nov 20, 2003)

I posted this in "Windows 95/98/Me" accidentally..... sorry for that, i didn't scroll down far enough to see this forum 

Hello all, i'm a new member...found the forums doing google searches as to how to remove SAHagent. I have two problems.

#1)
I installed Imesh, and it loaded lots of adware as i'm sure most of you know.......i used ad-aware to try to remove it......then i couldn't connect to the internet. I uninstalled Imesh and re-installed for the heck of it and bam I have an internet connection ( i never lost my network connection ).......So now imesh is uninstalled and most of the adware is also but SAHagent is still in my Add/Remove programs list.... and still shows up in Ad-aware searches now and then. When i try to remove the program using "Add/Remove programs" my computer shuts down.

#2)
I have a wireless internet connection.....I use microsoft software and network hardware. On this computer ( which is wirelessly connected to the network ) i often lose my ability to connect to servers i.e.; mail servers, aol server for aim, web pages. I have to close Microsoft broadband networking utility....... and then open it again. Once it loads the program and figures out i have an internet connection i can connect to things for sometimes a day..... or sometime for as little as a few web page clicks. I have no idea why this happens.... but i do know it has to do with this computer...... no other computers on the network have problems.

(I have hijackthis and ad-aware....should i get spybot?)
thanks for the time, i know it was a lot to read. sorry


----------



## dvk01 (Dec 14, 2002)

o to http://www.spywareinfo.com/~merijn/files/hijackthis.zip , and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, 
so *do NOT fix anything yet.*
Someone here will be happy to help you analyze the results.


----------



## CypherZ28 (Nov 20, 2003)

Here is the "Hijack This!" List.

Logfile of HijackThis v1.97.7
Scan saved at 6:46:47 PM, on 11/20/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\FIREWALL\PAVFIRES.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\APVXDWIN.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTASK.EXE
C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4 PROFESSIONAL\POPUPSTOPPER.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4 PROFESSIONAL\SMUTILITYBAR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\IM NETWORKS\IM RADIO TUNER\IM_TRAY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\MSBNTRAY.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\PAVPROXY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\MSBNUTIL.EXE
C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\IPHLPSVR.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mateo's Computer
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50018
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 view.atdmt.com
O1 - Hosts: 216.93.174.28 ad.doubleclick.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PANDASCHEDULER] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Pavsched.exe"
O4 - HKLM\..\RunServices: [PAVFIRES] C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4 PROFESSIONAL\POPUPSTOPPER.EXE"
O4 - HKCU\..\Run: [iolo System Mechanic Utility Bar] C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4 PROFESSIONAL\SMUtilityBar.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" "+b1"
O4 - Startup: iM StartCenter.lnk = C:\Program Files\iM Networks\iM Radio Tuner\iM_Tray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://www.escorcher.com/webtwo/download.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...t.com/download/vet_install_popup.html?1&false
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37922.2585648148
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/iwasher/pptproactauth/internetwasherpro.cab


----------



## bandit429 (Feb 12, 2002)

Do not double post,,,,its confusing for those who are trying to assist you. Reply here to this thread.


Closing older thread since this one is responded to.
Dave


----------



## bandit429 (Feb 12, 2002)

Have hijack fix this one,,,,,,,and did you ever have Escorcher antivirus??

O10 - Broken Internet access because of LSP provider 'lsp.dll' missing


----------



## CypherZ28 (Nov 20, 2003)

thanks for the LSP provider tip, i just removed SAHagent with Add/Remove.......and no i've never had Escorcher antivirus why do you ask ?

Anyone have any ideas about my second problem?


----------



## bandit429 (Feb 12, 2002)

Im sorry that was confusing,,,,,run hijack this,,,and after the scan is finished have hijack fix the one below. Give it a check to see if it helped and let us know.

O10 - Broken Internet access because of LSP provider 'lsp.dll' missing

Edit: here is why I asked,,,,,,,,

O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://www.escorcher.com/webtwo/download.exe


----------



## CypherZ28 (Nov 20, 2003)

Thanks for your help......everything seems to be working well now. I appreciate your time 

**edit: It was clear enough the first time you explained it


----------



## bandit429 (Feb 12, 2002)

You are sure welcome!!!!!!!     From all of us.


----------



## jbcoops (Mar 18, 2003)

I have had a number of problems with my computer as well. Here is a list of some things in a nutshell... pictures to follow:

1) Got the Welchia worm a few months back... and things have been sick ever since. So... at least (in my mind anyways) I can blame everything on the ******* who propogated that. Worm was cleaned (supposedly), but ever since I have not been able to use Outlook. I've already had a thread on this one... and I'm planning on getting XP Pro and hope that installing that will get rid of whatever plagued... and continues to plague, my home edition.

2) Windows won't minimize to the taskbar. I've had this before, and fixed it somehow... but don't remember exactly... and can't find the route now. Ideas? Links?

3) Connecting via Mozilla is now a pain... guess I need to get the latest (currently running 1.4b) but I don't know if it's Mozilla, or something else.

4) I currently have way too many things on autostartup. Now... I've been through msconfig many times, and frankly, I don't even know how and why some of these things are listed in startup, and I'm a bit weirded out about it because there is some off chance that some gremlin is in there tweaking things from the outside ethernether world.

5) Can't switch users. This is a recent malady... and I thought it was because I had turned off something useful in startup. I'll leave it to your imaginations.

I'm going to upload screenshots of my startup menu, as well as the hijack.exe log I created.

Logfile of HijackThis v1.97.7
Scan saved at 3:24:13 PM, on 11/26/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe
C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\WINDOWS\System32\SahAgent.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\Winnet.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ClockSync\Sync.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Actual Windows Minimizer\ActualWindowsMinimizerCenter.exe
C:\Program Files\Atomica\Atomica Client\Atomica.exe
C:\WINDOWS\System32\rsvp.exe
C:\PROGRA~1\COMMON~1\ATOMIC~1\agtserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Adobe\GoLive 6.0_ENG\GoLive.exe
C:\Program Files\Actual Windows Minimizer\ActualWindowsMinimizerConfig.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmjb.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.commonname.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Piranha Brothers Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\Program Files\iMesh\Client\SbCIe026.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - (no file)
O2 - BHO: (no name) - {665ACD90-4541-4836-9FE4-062386BB8F05} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\conflict.1\googletoolbar_en_2.0.95-big.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HLIeBar - {0A120D41-244B-11D5-8122-005004F6D77D} - C:\PROGRA~1\HUMANL~1\bin\HLIeBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\conflict.1\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\Winnet.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\velozsys.exe runstart
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [Actual Windows Minimizer] C:\Program Files\Actual Windows Minimizer\ActualWindowsMinimizerCenter.exe
O4 - Startup: Atomica.lnk = C:\Program Files\Atomica\Atomica Client\Atomica.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &2 Customize Menu - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComCustomIEMenu.html
O8 - Extra context menu item: &7 Fill Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComFillForms.html
O8 - Extra context menu item: &8 Save Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComSavePass.html
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\conflict.1\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\AddressBar\createnote.htm
O8 - Extra context menu item: Atomica... - file:C:\PROGRA~1\Atomica\ATOMIC~1\Html\griemenu.htm
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\conflict.1\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\AddressBar\createbookmark.htm
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\conflict.1\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\AddressBar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\AddressBar\navigate.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\conflict.1\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\conflict.1\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: &7 Fill Forms (HKLM)
O9 - Extra button: Save Forms (HKLM)
O9 - Extra 'Tools' menuitem: &8 Save Forms (HKLM)
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: RF toolbar (HKLM)
O9 - Extra 'Tools' menuitem: &9 Robo Toolbar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Photoshop (HKCU)
O9 - Extra 'Tools' menuitem: Photoshop (HKCU)
O9 - Extra button: AddaButton (HKCU)
O9 - Extra 'Tools' menuitem: AddaButton (HKCU)
O9 - Extra button: SnagIt 6 (HKCU)
O9 - Extra 'Tools' menuitem: SnagIt 6 (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O11 - Options group: [CommonName] CommonName
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .midi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/js1_x.cab
O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/games/clients/y/bs0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/ks0_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/cs0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/flts0_x.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - http://207.188.7.150/10a7c9e46303a2727115/netzip/RdxIE.cab
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} (CMV4 Class) - http://www106.coolsavings.com/download/cscmv4X.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {5242A5A1-EF1E-11D5-B3EE-0050DAC5EBD0} (printQuick Browser Add In (Ver4)) - http://www.pqpc.com/plugin/axversion/1410/printQuick1410.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/2114095005fb69e9a205/netzip/RdxIE2.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.60-big/GoogleNav.cab
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {7353F495-F870-40AB-8684-23AA40675BDB} (iVocalize Internet Conference Setup) - http://www.talkingcommunities.com/client/ivsetup.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37388.8531018519
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B1246F8F-7A4A-11D3-BE28-0020AF31C4F6} (QuickVideo ActiveX Capture) - http://www.talkway.com/bin/api/1.10b/ACAP.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - file://E:\Bin\html\files\MotivePreQual.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.clock-sync.com/ClockSyncAutoSYNC0014.cab

Now... from what I've read... SAHAgent is attached to iMesh... and... there's no way to disentangle them... so... I'll have to p*ss my wife off and uninstall iMesh to uninstall SAHAgent. I don't know what else may be happening... but any help would be appreciated on any of the problems I've been having.


----------



## P.A.JOe (Nov 28, 2003)

I've been having problems for months now.

After reading this post, I ran the HJT and then SpyBot.


 PROBLEMS ARE SOLVED  

Thanks again for the help,


Joe


----------



## brazilianx (Dec 4, 2003)

Well, before I found this thread my brother came within an inch of reformatting my hard drive until we discovered the Sah Agent. A filthy beast of an adware which took my internet explorer out completely. Extremely annoying to say the least.
Anyway other than just moaning I advise anyone with the Sah Agent (not sure where it came from) to check out Pest Patrol for complete and utter irradication.

http://www.safersite.com/PestInfo/s/sahagent.asp

Good luck and if anyone can tell me why these things are created I might sleep a little easier.

D


----------



## bandit429 (Feb 12, 2002)

Hello,,,,,,,,,,Nice to meet you ,, I hope our thread helped you...Bunches of nice people here.


----------



## Ragin (Dec 4, 2003)

This was really helpful.

sahagent was messing with my internet for about a week, although some of my programs would be able to update their stuff...which boggled me. Wasn't sure if sahagent was the culprit for awhile, so I tried a number of things first... and before I felt I had to go to last resort (reformatting) thought I'd check out this sahagent program cause it'd keep popping up on startup. 

Thanks again, saved me a lot of time for someone who doesn't have too much. 

Rags


----------



## bandit429 (Feb 12, 2002)

Very GOOD!!


----------



## pblodiablo (Dec 6, 2003)

Sorry to be bothersome, but could one of you guys check out this. I dont know if i have a prob or not, it seems to work fine, but when i play unreal tournament it will run great then it will just slowwww down. and lag alot but then i will kick back in and run fast.. also my computer was lockin up last night when i was on yahoo chat. its the first time iv ever chatted on it and i kept getting the blue screen of death. i have ad aware 6, spybote, and i have run my antivirus. i also did all of them in safemode also. nothing came up expt for this weather thing that always pops up in adaware. but anyways, it still just seems like its not working well. or i could just be me, im a performance freak. also on that note, is there any tips on how to make it faster without adding software, and iv done everything thing like making the paging files both min and max 1200, turning off auto updater and so on...

thanx for taking time to read this.

Logfile of HijackThis v1.97.7
Scan saved at 4:39:05 PM, on 12/6/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\spybot\ave32\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\spybot\ave32\navapw32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\spybot\ave32\NavShExt.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {FF871872-3147-40A5-8F13-E1FB5C59DF8D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\spybot\ave32\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KRH] C:\WINDOWS\KRH.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\spybot\ave32\navapw32.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswax70.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1070482226406
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37888.5359027778
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://us.i1.yimg.com/us.yimg.com/i/chat/webcam/v110/yvwrctl.cab


----------



## jilly82bean (Dec 10, 2003)

I've been having problems with my internet either not connecting or just deciding it won't let me do anything when I am trying to go to a different site. Any help would be really appreciated.
Logfile of HijackThis v1.97.7
Scan saved at 10:19:34 PM, on 12/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Digital Imaging\bin\hpobnz08.exe
D:\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\USBSircs\usbsircs.exe
C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\Giga Pocket\GPVSvr.exe
D:\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
D:\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\valued customer\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://files.cc.cometsystems.com/assist/cc/1.0/assist_ct.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\Comet\Bin\csbho.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\Comet\Bin\csietb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~4.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: hp psc 2000 Series.lnk = D:\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Remocon Driver.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37866.4425925926
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll


----------



## bandit429 (Feb 12, 2002)

Jilly,,,Welcome to TSG. You have a lot there that needs to be taken care of would you please click the link I pasted at the bottom for you an post it there in Windows XP,,,I will try to see you there.

Click below.
http://forums.techguy.org/newthread.php?action=newthread&forumid=21


----------



## jilly82bean (Dec 10, 2003)

I've moved it. Sorry about putting it on the wrong forum.


----------



## bandit429 (Feb 12, 2002)




----------



## andres1983 (Dec 12, 2003)

ok, I´m new here, I havn´t had any troble with sahagent yet, but I personally don´t like a virus in my machine, I dont thuink enyone does, but I heard from I guy you wer the best. I got the hijackthis and here is my saved log, I dont no if you send it to me to my email, but if you could please do, [email protected]
thank you.

Logfile of HijackThis v1.97.7
Scan saved at 07:31:38 p.m., on 11/12/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SAHAGENT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\CMEII\CMESYS.EXE
C:\ARCHIVOS DE PROGRAMA\LEXMARKX83\ACMONITOR_X83.EXE
C:\ARCHIVOS DE PROGRAMA\LEXMARKX83\ACBTNMGR_X83.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\WINAMP3\WINAMPA.EXE
C:\ARCHIVOS DE PROGRAMA\THE HACKER\THAV.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\GMT\GMT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\ARCHIVOS DE PROGRAMA\IMESH\CLIENT\IMESHCLIENT.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Archivos de programa\NewDotNet\newdotnet5_48.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\ARCHIVOS DE PROGRAMA\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\ARCHIVOS DE PROGRAMA\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\SYSTEM\SahAgent.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\ARCHIV~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [CMESys] "C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\ARCHIV~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\ARCHIV~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [THD32.EXE] C:\ARCHIV~1\THEHAC~1\THD32.EXE /NOMSG
O4 - HKLM\..\Run: [TheHackerConsola] C:\ARCHIV~1\THEHAC~1\THAV.EXE /NOPRE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reboot.exe
O4 - Startup: iMesh.lnk = C:\Archivos de programa\iMesh\Client\iMeshClient.exe
O4 - Startup: GStartup.lnk = C:\Archivos de programa\Archivos comunes\GMT\GMT.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Coches (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1066960501470
O16 - DPF: {5C3A9EA6-4068-46B8-8B5A-692FB10607B1} (IntDialerData Class) - http://www.estoeslaselva.com/dist/2/DialerData.cab
O16 - DPF: {A3499961-A717-4C45-B08D-3D3B8B068AB5} (ADSLPlugin Class) - http://www.accesoonline.com/dist/2/ADSLPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB


----------



## *GG* (Dec 15, 2003)

i downloaded imesh and now this things comes up all the time saying sahagent has a problem or something like that and i just click 'dont send' and sometimes now my internet says 'incorrect page error' or 'cannot find server' can someone please tell me how to fix it, i did go to that scan thing but i didnt no what to delete! please help it would be great, cheers

G


----------



## bandit429 (Feb 12, 2002)

GG Could you start a thread about your problem?

Click just below and type all information and copy then paste your hijack log in.

http://forums.techguy.org/newthread.php?action=newthread&forumid=54


----------



## sigeek3 (Jan 2, 2004)

Hello, 
I am having problems with my internet connection, this is what happened:
I got the sahagent.exe, sahdownloader.exe popping up everytime I was getting to the internet, so I did a google search for it n pestpatrol gave me the answer on how to get rid of it that involved uninstalling them from the ctrl panel and or also on the registry editor, then ran adaware and deleted some entries from sahagent n sahdownloader, plus some more entries(always did that with no problem), so then restarted computer and there UNABLE TO CONNECT TO THE INTERNET, my network connection exists but CANNOT CONNECT(I have win XP Pro, DSL, tried rebooting my dsl but NOTHING........please help me? did I delete some important entries by mistake or what ?its been a day already.
Thx
Juan
PS:Sorry also since I have the AVAST free antivirus, now ever since that problem it also says that it cannot protect me from the internet or any email.......if I can just get my internet connection back, then I can work something out for the antivirus, please help me?
Thx a lot.


----------



## sigeek3 (Jan 2, 2004)

thank you, my problem have been fixed, I ran HIJACKTHIS.
thx
Juan


----------



## bandit429 (Feb 12, 2002)

you are very welcome Juan. Happy new year!


----------

