Fire Daemon

Discussion in 'Software' started by dsbnh, Apr 10, 2004.

  1. dsbnh

    dsbnh Private E-2

    I recently detected this application running on Windows. I was informed it was part of a backdoor virus and I want to remove it. AVG is updated but didn't detect anything; I ran a backdoor virus scanner and it detected two. What software scanner can detect this and remove them?

    The backdoor scanner will only detect but not remove.
     
    Last edited: Apr 10, 2004
  2. dsbnh

    dsbnh Private E-2

    They did and I removed all the components, but I opened the running processes and saw fire daemon, and it looked suspicious to me so I checked, and it turns out it is. Noadware (another program for backdoor virii) picked up two files apparently under the cookies section, so I cleaned my cookies (I had CookiePatrol from PestPatrol running and it didn't stop them for some reason, even though it was the first to detect Ebates MoneyMaker around the same time I had Navhelper in there). Then I had to reinstall Norton and clean this fire daemon that was being caused by the Navhelper uninstaller that came with another program I tried out. I had previously quickly detected what it was doing and removed it (it also came with Ebates MoneyMaker and some others that I detected and manually removed using Bazooka). However, apparently it didn't remove one file and that was causing the issue; Norton couldn't remove it automatically either, so I went ahead and had to manually delete it.

    Now Norton is running like 4 different svchost.exe processes though; any clue what that is or if it's just normal? I will probably use McAfee later on, as I have heard better things about that one, but my previous protection (AVG) didn't detect it for some reason.

    And by the way, I do find the 02.d but not the fd.exe (since I removed it, I presume). However, the 02.d is under the amcru folder and named '000'; I found them with regedit, not Explorer.
     
    Last edited: Apr 10, 2004
  3. dsbnh

    dsbnh Private E-2

    Yeah it was detected as a backdoor trojan.

    I am running ZoneAlarm Pro; frankly it's pretty secure, so I don't think it's that. Outbound traffic is not much. This particular Navhelper thing came with a CD ripping software I downloaded to test trial; I wanted to rip some CDs I have and wasn't comfortable using the Windows Media Player options. Bad idea. This came with a couple of other things, one of which Pest Patrol immediately detected (Ebates MoneyMaker) and I 'removed', but not really. Bazooka still found it and so I had to manually remove it, but this wasn't all. Some pieces still were left behind and so I was forced to do a system restore (as it had changed some menu options on me and I couldn't change them back), then I scanned and it was all good. Of course I didn't just restore, but I removed everything that it detected first.

    I will go ahead and reinstall Norton as you say since it's running like that. Yes, the system restore was on; any effect from this on the scan? It did detect what was wrong, by the way, but if there are any effects from it I will take them into account. I will take your word on McAfee, and feel free to recommend any programs that may do a great job. Sadly, as much as I like the functionality of AVG, it has missed virii in the past and did so again, so I can't really trust it even though I check for updates daily.
     
  4. Endi

    Endi Lt. Links

    Do you have this program called pc security on your computer?

    c:\windows\sdaemon.exe is part of that program; that program will not run without it.
     
  5. dsbnh

    dsbnh Private E-2

    No I don't. What's more, I reinstalled Norton and checked the system processes, and now there are two svchost.exe running instead of three, but not listed as local machine and whatnot under user name. Also the Firedaemon.exe is back.

    Just to clarify, the running processes list it as Firedaemon.exe, not fd.exe.
     
  6. Endi

    Endi Lt. Links

    let me see if we can clarify this :)

    the bad trojan process is fd.exe

    on your last post you said you had firedaemon.exe


    if you have fd.exe running then you have the trojan

    but if you have firedaemon.exe running what you have is the following

    firedaemon - firedaemon.exe - Process Information
    Process File: firedaemon or firedaemon.exe
    Process Name: Firedaemon
    Description: Application that works in the background and allows a user to install and run any other suitable application as a Windows NT or 2000 service.
    Company: Sublime Solutions
    System Process: No
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
    Common Errors: N/A


    http://www.liutilities.com/products/wintaskspro/processlibrary/firedaemon/

    Which one do you see?
     
  7. dsbnh

    dsbnh Private E-2

    Other friends have confirmed the harmless nature of firedaemon.exe. My original concern came from this: http://www.answersthatwork.com/Tasklist_pages/tasklist_f.htmSearch

    Firedaemon.exe is listed there as a harmful process, so I became concerned. Maybe it's wrong, but thanks for clarifying it for me; at least something good came out of this, I found the hidden Navhelper uninstall from the scan. My ports are secure too.

    As far as Norton, I will scan without the system restore on (if that is what you're suggesting) and uninstall it with it off and reinstall; I already reinstalled it once.
     
    Last edited: Apr 10, 2004
  8. dsbnh

    dsbnh Private E-2

    Update: Alright, I uninstalled all the Norton programs but LivReg gave an error saying I didn't have enough access to remove it, even though I am the 'admin' level user for this PC.

    Note: By the way, is winmgnt.exe a safe program to allow access to the internet?
     
    Last edited: Apr 10, 2004
  9. Endi

    Endi Lt. Links

    Trying to remove Norton from your system is a nightmare. That program installs itself in the darkest not-known-to-man parts of your registry. Last time I dealt with that program I had to install it again and then try to uninstall it again, and back and forth. Good luck; here is a link that might help

    http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606

    winmgnt.exe Not sure but if you meant winmgmt.exe

    then

    yes

    winmgmt.exe is safe to allow to get out to the internet

    Process File: winmgmt or winmgmt.exe
    Process Name: Windows Management Service
    Description: Windows Management Instrumentation from Microsoft that allows you to write scripts for the management of devices, user accounts, services, networking, and other aspects of your Windows 98/ME/NT/2000 system.
    Company: Microsoft Corp.
    System Process: Yes
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
    Common Errors: N/A


    http://www.liutilities.com/products/wintaskspro/processlibrary/winmgmt/
     
    Last edited: Apr 10, 2004
  10. dsbnh

    dsbnh Private E-2

    Thanks for the help.

    I mentioned the various svchost.exe processes running earlier, so I wanted to mention again that I still have svchost.exe running, and when I check on the Task Manager database site it does list some virii with similar names aside from the needed processes, so I want to make sure it's all safe even though I scanned. http://www.imagedump.com/index.cgi?pick=get&tp=59364&poll_id=0&warned=y (just click to view the image when it asks, since it doesn't allow direct linking, sadly).

    This is what the task manager looks like, so any observations on it would be greatly appreciated.
     
  11. dsbnh

    dsbnh Private E-2

    Thanks for the link; although that doesn't remove the version I have running, it's good to know. As far as winmgmt.exe, it is winmgnt.exe.

    Here is a larger shot of what I have currently running. http://www.imagedump.com/index.cgi?pick=setandget&tp=59368&poll_id=0&category_id=20&warned=y (this time all can be seen).
     
  12. Endi

    Endi Lt. Links

    Everything looks good; on your file, one thing:

    take a look at the following website, it will help you in determining what processes you should have running

    http://www.blackviper.com/WinXP/servicecfg.htm

    also

    mdm.exe does not need to be running (machine debug manager)
    jusched.exe does not need to be running (java)
    imgicon.exe not too sure about running (you must have a zip drive)
    the svchosts are normal

    when using xp you will have several running at the same time


    you also have pest patrol running which personally I do not. (just my personal opinion)

    the other ones you need so that windows runs properly
     
  13. dsbnh

    dsbnh Private E-2

    Excellent, thank you for the help. I will look up NAV or Norton on the MG message boards. Thanks to you two.
     
  14. Endi

    Endi Lt. Links

    OH OH please take a look at this

    something might be wrong here

    You are running services that pertain to the following info

    http://www.sophos.com/virusinfo/analyses/trojhalea.html

    just looks fishy

    edit: just to make sure, check it out. I would venture to say that you are safe, but it is a good idea to investigate it anyway
     
    Last edited: Apr 10, 2004
  15. dsbnh

    dsbnh Private E-2

    Ah yes. It lists there some of the things I suspected, such as that Windows process. I will install this anti virus and follow the instructions to check, and hopefully see if it can be removed. Mind if I update you once I have run the anti virus, with another shot to see if it's been removed?
     
    Last edited: Apr 10, 2004
  16. Endi

    Endi Lt. Links

    let us know what happens :)
     
  17. dsbnh

    dsbnh Private E-2

    Seems to be unable to log on after its install; an error pops up and it fails to log on, the anti virus that is. Any ideas? I disabled the firewall but nothing came of it. Seems to just be for NT and I am running XP.

    Just as a side suggestion, any recommendations for a stable antivirus software to use permanently?
     
    Last edited: Apr 10, 2004
  18. Endi

    Endi Lt. Links

  19. dsbnh

    dsbnh Private E-2

    Thanks Xflat, I have put all of those components to use against spyware and trojans. I assume SpyBlaster is running even though it isn't in the systray, but the SpywareGuard is there; once again, thanks. I already used Spybot, so I just added Adaware again.

    I use HijackThis to create a log and post for help elsewhere; it does seem Iexplorer.exe and winmgnt.exe are trojans of some sort. There could possibly be other processes as well, as from what I've read a lot of these are duplicates of legitimate functions with only slight file name changes. I could post the HijackThis log if you can help? Adaware and Spybot didn't detect them.
     
  20. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    I'm pretty bored, so please feel free to post your log; I don't mind having a quick look ;)
     
  21. dsbnh

    dsbnh Private E-2

    The curious thing is that while winmgnt.exe shows under running processes in the HijackThis window, it doesn't show. I went to http://www.spywareinfo.com/~merijn/cwschronicles.html to check for the tell-tale files it uses and none appear in that window, perhaps because I didn't allow it web access when it requested it.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:59:17 AM, on 4/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\PestPatrol\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\system32\ati2sgag.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\windows\system32\spool\printers\FireDaemon.exe
    c:\windows\system32\spool\printers\winmgnt.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\NMSSvc.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Mario\Local Settings\Temporary Internet Files\Content.IE5\KZZ72ODP\HijackThis[1].exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sfgate.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  22. dsbnh

    dsbnh Private E-2

    Good idea, I am guessing your link works for disabling those (from running once and for all) too right? I will look for them there.
     
  23. dsbnh

    dsbnh Private E-2

  24. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Well, most of it looks fairly clean on first inspection.
    But I would be worried about two supposedly legitimate tasks that are attached to your printer spool service:
    C:\windows\system32\spool\printers\FireDaemon.exe
    c:\windows\system32\spool\printers\winmgnt.exe

    Are these services showing up in Task Manager at any time?

    I would personally reboot into safe mode and rename them to something like
    FireDaemon.old and winmgnt.old
    Then run your machine for a bit and see what happens before wiping them out

    Although to be honest, if it was my machine I would just nuke them, as they shouldn't be in that folder in the first place.
    Just giving you the safety-first option; also, you may have to show hidden files or folders to be able to access the folder they are in.
     
  25. dsbnh

    dsbnh Private E-2

    Those are exactly the ones I am worried about. I posted a picture of my running processes before. I also see another file, explorer.exe, which is not iexplore.exe (which is legit, as I know). Explorer is listed as part of the problem with winmgnt.exe on the HijackThis site.

    Tell me how to nuke them and I gladly will, as these are part of the issues I am trying to remove. No trojan scanner will detect them.

    Here is the list of processes they list as part of this issue; as you can see, the majority sort of resemble legit programs:

    Known filenames used by this variant:
    C:\Program Files\directx\directx.exe
    C:\Program Files\Common Files\System\systeem.exe
    C:\Windows\explore.exe (note the missing 'r')
    C:\Windows\System\internet.exe
    C:\Windows\Media\wmplayer.exe
    C:\Windows\Help\helpcvs.exe
    C:\Program Files\Accessories\accesss.exe
    C:\Games\systemcritical.exe
    C:\Documents Settings\sistem.exe
    C:\Program Files\Common Files\Windows Media Player\wmplayer.exe
    C:\Windows\Start Menu\Programs\Accessories\Game.exe
    C:\Windows\sistem.exe
    C:\Windows\System\RunDll16.exe
    C:\Windows\iexplorer.exe (note the extra 'i' or the extra 'r')
    C:\y.exe
    C:\x.exe

    c:\funny.exe
    c:\funniest.exe
    c:\Windows\notepad32.exe
    C:\Windows\system\kazaa.exe
    C:\Windows\system32\kazaa.exe
    C:\Program Files\Common Files\Services\iexplorer.exe
    C:\Program Files\Common Files\Services\explore.exe
    C:\Program Files\Common Files\Services\exploreer.exe
    C:\Program Files\Common Files\Services\sistem.exe
    C:\Program Files\Common Files\Services\critical.exe
    C:\Program Files\Common Files\Services\directx.exe
    C:\Program Files\Common Files\Services\internet.exe
    C:\Program Files\Common Files\Services\window.exe
    C:\Program Files\Common Files\Services\winmgnt.exe
    C:\Program Files\Common Files\Services\clrssn.exe
    C:\Program Files\Common Files\Services\explorer32.exe
    C:\Program Files\Common Files\Services\win32e.exe
    C:\Program Files\Common Files\Services\directx32.exe
    C:\Program Files\Common Files\Services\uninstall.exe
    C:\Program Files\Common Files\Services\volume.exe
    C:\Program Files\Common Files\Services\autorun.exe
    C:\Program Files\Common Files\Services\users32.exe
    C:\Program Files\Common Files\Services\notepad.exe
    C:\Program Files\Common Files\Services\win64.exe
    C:\Program Files\Common Files\Services\inetinf.exe
    C:\Program Files\Common Files\Services\time.exe
    C:\Program Files\Common Files\Services\systeem.exe

    c:\Windows\system32\iexplorer.exe
    c:\Windows\system32\explore.exe
    c:\Windows\system32\exploreer.exe
    c:\Windows\system32\sistem.exe
    c:\Windows\system32\critical.exe
    c:\Windows\system32\directx.exe
    c:\Windows\system32\internet.exe
    c:\Windows\system32\window.exe
    c:\Windows\system32\winmgnt.exe
    c:\Windows\system32\clrssn.exe
    c:\Windows\system32\explorer32.exe
    c:\Windows\system32\win32e.exe
    c:\Windows\system32\directx32.exe
    c:\Windows\system32\uninstall.exe
    c:\Windows\system32\volume.exe
    c:\Windows\system32\autorun.exe
    c:\Windows\system32\users32.exe
    c:\Windows\system32\win64.exe
    c:\Windows\system32\inetinf.exe
    c:\Windows\system32\time.exe
    c:\Windows\system32\systeem.exe
     
  26. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Ok, well explorer.exe is very much needed, but other processes can latch onto it.
    To get rid of those exes open a normal Explorer window--click Tools--Folder Options--View--and check the box to show hidden files and folders--Apply and OK.
    Next reboot into safe mode, make sure you have admin rights, then locate the folder c:\windows\system32\spool\printers
    Easy enough to do: just go Windows Explorer--C drive--windows--system32--spool--printers. Open that folder and if those exes are in there just select and delete, reboot into Windows, re-run HijackThis and see if they are there.
    Hopefully there's no hook in the registry recreating these.

    Just reading through this thread again: make sure you disable System Restore and reboot to clean out the folder before running a full system scan with your anti-virus.
     
  27. dsbnh

    dsbnh Private E-2

    New log, I think it's clean now but you tell me. Thank you very much for putting up with my ignorance of these things.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:28:10 AM, on 4/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\PestPatrol\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\ati2sgag.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\NMSSvc.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Mario\Local Settings\Temporary Internet Files\Content.IE5\XS0B9P8P\HijackThis[1].exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sfgate.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  28. dsbnh

    dsbnh Private E-2

    Ah yes, looking through this link I also noticed csrss.exe, but isn't that critical? That link is a bit confusing to me, since it's listing some things I can't remove as possible trojans.
     
  29. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    That looks better :eek:

    I don't see csrss.exe running, but that is a genuine process as long as it's located in system32.
     
  30. dsbnh

    dsbnh Private E-2

    Yeah, I wonder why some processes don't show on that list. How do I tell that the one showing up in Task Manager is indeed running from system32, since HijackThis doesn't show it on the log?
     
  31. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Just use the search facility within Windows; make sure you check the box to search hidden files and folders.
    You should find it in C:\Windows\System32 and possibly in your prefetch folder, depending on your settings.
    If it turns up anywhere else then it's a baddy ;)
     
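The two checks this thread converges on (posts 24, 26 and 31: a process whose name is a near-miss of a core Windows process, such as winmgnt.exe for winmgmt.exe or explore.exe for explorer.exe, and a process running from a directory it has no business being in, such as spool\printers) can be applied mechanically to the "Running processes" section of a HijackThis log. The Python script below is an added example written for this page; it is not code from the thread, from HijackThis or from any of the tools named above. The table of expected locations is an assumption constructed for the example from the legitimate entries of the logs posted above (winmgmt.exe under System32\wbem is assumed for XP), and the sample log is constructed from lines of the first log in the thread plus one constructed lookalike entry, C:\Windows\System32\explore.exe, taken from the Sophos filename list. HijackThis itself gets flagged because the log shows it was launched straight from the Temporary Internet Files cache.

```python
import re

# Expected location of core Windows XP processes, lower-cased.
# Assumption constructed for this example from the legitimate entries in the
# thread's HijackThis logs; it is not a complete list for any Windows version.
KNOWN = {
    "smss.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "services.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "spoolsv.exe": "c:\\windows\\system32",
    "winmgmt.exe": "c:\\windows\\system32\\wbem",   # assumed location on XP
    "explorer.exe": "c:\\windows",
    "iexplore.exe": "c:\\program files\\internet explorer",
}

# Directories that should never hold a running executable (assumption for the
# example): the print spooler's job directory named in the thread, and the
# browser cache.
SUSPECT_DIRS = [
    "c:\\windows\\system32\\spool\\printers",
    "\\temporary internet files\\",
]

# Constructed sample: lines taken from the first log posted above, plus one
# constructed lookalike entry (explore.exe) from the Sophos list.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 9:59:17 AM, on 4/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\windows\system32\spool\printers\FireDaemon.exe
c:\windows\system32\spool\printers\winmgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\explore.exe
C:\Documents and Settings\Mario\Local Settings\Temporary Internet Files\Content.IE5\KZZ72ODP\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sfgate.com/
"""


def levenshtein(a, b):
    """Edit distance; one substitution turns winmgnt.exe into winmgmt.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def running_processes(log_text):
    """Return the paths listed between 'Running processes:' and the next blank line."""
    paths, collecting = [], False
    for line in log_text.splitlines():
        s = line.strip()
        if s.lower() == "running processes:":
            collecting = True
            continue
        if collecting:
            if not s:
                break
            paths.append(s)
    return paths


def classify(path):
    """Return (name, reasons); an empty reasons list means nothing looked off."""
    p = path.replace("/", "\\").lower()
    directory, _, name = p.rpartition("\\")
    reasons = []
    if name in KNOWN:
        # A genuine name running from the wrong folder (post 31's check).
        if directory != KNOWN[name]:
            reasons.append("known name outside " + KNOWN[name])
    else:
        # A name within two edits of a core process (the Sophos-style lookalikes).
        nearest = min(KNOWN, key=lambda k: (levenshtein(name, k), k))
        if levenshtein(name, nearest) <= 2:
            reasons.append("lookalike of " + nearest)
    for bad in SUSPECT_DIRS:
        # Any executable under spool\printers or the browser cache (post 24's check).
        if bad in directory:
            reasons.append("executable under " + bad)
    return name, reasons


def audit(log_text):
    """Flagged (name, reasons) pairs in log order; clean entries are omitted."""
    return [(n, r) for n, r in map(classify, running_processes(log_text)) if r]


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_LOG):
        print(name, "->", "; ".join(reasons))
```

The two heuristics are deliberately independent: winmgnt.exe trips both (a one-edit lookalike of winmgmt.exe, sitting in spool\printers), FireDaemon.exe trips only the location rule, and the constructed explore.exe trips only the lookalike rule even though it sits in System32. Third-party programs that are simply unknown to the table, like AVG's avgcc32.exe, are not flagged; the script is a triage aid for reading a log, not a verdict, and a hit still needs the manual verification the thread describes.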
