Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

about:blank and others


  • Please log in to reply
22 replies to this topic

#1 lieut.columbo

lieut.columbo

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 20 May 2005 - 07:55 PM

I was hoping someone could help me remove all of this junk from my neighbors computer. I have tried Ad-Aware, SpyBot, CWShredder, Registrar lite, Microsoft AntiSpyware, HSRemove, spyware Blaster, etc. I have tried under regular operating and under safe mode. They just keep coming back. My HiJack This list is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 8:50:09 PM, on 05/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\WINDOWS\atlph32.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\My Downloads\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02CCE402-E733-F76F-8386-A3DD9FA38B06} - C:\WINDOWS\system32\wineg.dll
O2 - BHO: Class - {52CB6BBC-C86C-BFFD-F66A-B2A88E0B1D03} - C:\WINDOWS\system32\wineg.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [atlph32.exe] C:\WINDOWS\atlph32.exe
O4 - HKLM\..\RunOnce: [sdkiz32.exe] C:\WINDOWS\system32\sdkiz32.exe
O4 - HKLM\..\RunOnce: [wintt.exe] C:\WINDOWS\system32\wintt.exe
O4 - HKLM\..\RunOnce: [ipku32.exe] C:\WINDOWS\ipku32.exe
O4 - HKLM\..\RunOnce: [d3ea.exe] C:\WINDOWS\d3ea.exe
O4 - HKLM\..\RunOnce: [mfcoc32.exe] C:\WINDOWS\mfcoc32.exe
O4 - HKLM\..\RunOnce: [appsd.exe] C:\WINDOWS\appsd.exe
O4 - HKLM\..\RunOnce: [ipiy32.exe] C:\WINDOWS\system32\ipiy32.exe
O4 - HKLM\..\RunOnce: [javalt32.exe] C:\WINDOWS\javalt32.exe
O4 - HKLM\..\RunOnce: [apiyv32.exe] C:\WINDOWS\apiyv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109898252593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netrc.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Any help would be appreciated.

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:42 PM

Posted 20 May 2005 - 10:17 PM

Hello lieut.columbo,

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
  • Prepare CWShredder for use:
    • Download CWShredder.
    • Save CWShredder.exe to a convenient location.
    • Please do not do anything with it yet.
  • Prepare AboutBuster for use:
    • Download AboutBuster.
    • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
    • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
    • Click "OK" at the prompt with instructions.
    • Click "Update" and then "Check For Update" to begin the update process.
    • If any updates exist please download them by clicking "Download Update".
    • You should not run the program yet so click "Exit".
  • Prepare cwsserviceremove.reg for use:
    • Download cwsserviceremove.zip.
    • Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
    • Please do not do anything with it yet.
Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.
  • Run CWShredder:
    • Double-click on CWShredder.exe.
    • Click "Fix ->" and click "OK" at the prompt.
    • CWShredder will scan and clean your system of CWS files.
    • Click "Next->" and then "Exit".
  • Remove the offending service:
    • Double-click on cwsserviceremove.reg you downloaded earlier.
    • When it asks you to merge the information to the registry click "Yes".
  • Run AboutBuster and save the logs:
    • Browse to where you saved AboutBuster and run AboutBuster.exe.
    • Click OK at the directions prompt.
    • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I need a copy of it.
  • Clean out temporary files:
    • Start | Run | type cleanmgr | OK
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Click "OK" to remove them.
    • Click "Yes" to confirm the deletion.
  • Restart your computer normally to return to normal mode.
  • Free TrendMicro Housecall scan:
    • Vist the TrendMicro Housecall website.
    • Select your country from the drop-down list and click "Go".
    • Choose "Yes" at the ActiveX Security Warning prompt.
    • Please wait while the Housecall engine is updated.
    • Select the drives to be scanned by placing a check in their respective boxes.
    • Check the "Auto Clean" box.
    • Click "SCAN" in order to begin scanning your system.
    • Please be patient while Housecall scans your system for malicious files.
    • If not auto-cleaned, remove anything it finds.
    • Click "Close" to exit the Housecall scanner.
    • Choose "Yes" at the HouseCall message prompt.
  • Prepare your reply:
    • Please post a fresh HijackThis log
    • Please post the AboutBuster log.
    • Please note any complications you had.

Edited by SifuMike, 20 May 2005 - 10:23 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 lieut.columbo

lieut.columbo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 21 May 2005 - 10:08 AM

Thanks for your response SifuMike:

I got as far as step 5. When I started in regular mode, I could get to the TrendMicro website. However, right after I enter the country, Int Explorer "encounters a problem and needs to close". I cannot get past this.

Here is my new HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 11:02:08 AM, on 05/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\WINDOWS\atlph32.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\My Downloads\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {52CB6BBC-C86C-BFFD-F66A-B2A88E0B1D03} - C:\WINDOWS\system32\wineg.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [atlph32.exe] C:\WINDOWS\atlph32.exe
O4 - HKLM\..\RunOnce: [sdkiz32.exe] C:\WINDOWS\system32\sdkiz32.exe
O4 - HKLM\..\RunOnce: [ieog32.exe] C:\WINDOWS\ieog32.exe
O4 - HKLM\..\RunOnce: [javafz.exe] C:\WINDOWS\javafz.exe
O4 - HKLM\..\RunOnce: [ieuw32.exe] C:\WINDOWS\system32\ieuw32.exe
O4 - HKLM\..\RunOnce: [sysyv32.exe] C:\WINDOWS\system32\sysyv32.exe
O4 - HKLM\..\RunOnce: [wingt.exe] C:\WINDOWS\wingt.exe
O4 - HKLM\..\RunOnce: [winer.exe] C:\WINDOWS\system32\winer.exe
O4 - HKLM\..\RunOnce: [crmd32.exe] C:\WINDOWS\system32\crmd32.exe
O4 - HKLM\..\RunOnce: [winus.exe] C:\WINDOWS\system32\winus.exe
O4 - HKLM\..\RunOnce: [crbw.exe] C:\WINDOWS\crbw.exe
O4 - HKLM\..\RunOnce: [winxh.exe] C:\WINDOWS\winxh.exe
O4 - HKLM\..\RunOnce: [sysyh32.exe] C:\WINDOWS\system32\sysyh32.exe
O4 - HKLM\..\RunOnce: [sdkdc.exe] C:\WINDOWS\sdkdc.exe
O4 - HKLM\..\RunOnce: [sdkxp32.exe] C:\WINDOWS\system32\sdkxp32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109898252593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netrc.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Also, here is my About Buster log:

Scanned at: 10:23:29 AM on: 05/21/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Any ideas on how I can get IE to scan on TrendMicro's site?

Thanks for your help.

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:42 PM

Posted 21 May 2005 - 11:12 AM

Try the HouseCall 6.0 now in beta testing.

http://housecall.trendmicro.com/

Turn off any other antivirus program running in the background.

Check and make sure that either Microsoft Internet Explorer (version 4.0 or above) or Netscape Navigator (version 3.01 or above) is installed on machine to be scanned for viruses.

Check if your security settings are correct for using HouseCall.

For Internet Explorer:

1. Click on View then click Internet Options.
2. Click on the Security tab.
3. Under Internet Zone, choose Customize and then click on the Settings button.
4. Under the Settings, set the following to ENABLE:

* Script ActiveX controls marked safe for scripting
* Run ActiveX controls and plugins

5. Set the following to PROMPT:

* Initialize and script ActiveX controls not marked as safe.
* Download signed ActiveX controls

6. Set ENABLE for ACTIVE SCRIPTING at the bottom of the
selection.

If this still does not work, set your browser security to LOW. Here's how:

1. From the browser, click View | Internet Options.
2. Click on the Security tab.
3. Under Internet Zone, choose LOW

If TrendMicro still does not work,
download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do not run it yet

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Post a new Hijackthis log, the Edwido log (if you ran it) and tell me how you computer is running.

*****************************************************
You have some suspicious files we need to check. Go to
Jotti's malware scan press the Browse button, and find C:\WINDOWS\system32\guard.tmp then upload and scan it.

Let me know the results.

Then do the same for this file: C:\WINDOWS\system32\netrc.exe

Copy and paste both outputs to this thread

The output should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken


Edited by SifuMike, 21 May 2005 - 01:32 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 lieut.columbo

lieut.columbo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 21 May 2005 - 04:55 PM

No luck running Housecall. Same error message. I downloaded and ran Ewido. It scanned 95.5% and then gave me the "Security Suite.exe has encountered a problem and will be shut down" error just like the Housecall error.

Here is my latest Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 5:50:10 PM, on 05/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\My Downloads\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {52CB6BBC-C86C-BFFD-F66A-B2A88E0B1D03} - C:\WINDOWS\system32\wineg.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109898252593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netrc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I also went to Jotti's malware scan but I could not locate either of the files you said to look for. I also did a search for the files and could not locate them anywhere else on the C: drive.

Any other suggestions other than reformatting the C: drive and reinstalling Windows XP?

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:42 PM

Posted 21 May 2005 - 05:49 PM

Hello lieut.columbo,

You have a CWS variant that is causing your problems. It is blocking the virus scans from running.
We have solved worse CWS problems than yours, so do not give up yet. :thumbsup:

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key.


Please boot into Safe Mode, go to HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each.
C:\WINDOWS\atlph32.exe

********************************************

Lets stop the service, as that is one of the causes of your CWS malware problems.
We have to stop and disable this service to delete the file assocaited with it.

Go to START> RUN> type in services.msc and hit Enter
In the next window look on your right for this service:
Remote Procedure Call (RPC) Helper <--careful, this must have exact service name, there is a legitimate Remote Procedure call service (RPC) + Locator at the end of one.

Double click on the Remote Procedure Call (RPC) Helper
then Stop the Service (from the drop down menu)
Set it to disabled

It is important we stop and disable this service for this fix to work.

********************************************

While in Safe Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aoazc.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {52CB6BBC-C86C-BFFD-F66A-B2A88E0B1D03} - C:\WINDOWS\system32\wineg.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [atlph32.exe] C:\WINDOWS\atlph32.exe
O4 - HKLM\..\RunOnce: [sdkiz32.exe] C:\WINDOWS\system32\sdkiz32.exe
O4 - HKLM\..\RunOnce: [ieog32.exe] C:\WINDOWS\ieog32.exe
O4 - HKLM\..\RunOnce: [javafz.exe] C:\WINDOWS\javafz.exe
O4 - HKLM\..\RunOnce: [ieuw32.exe] C:\WINDOWS\system32\ieuw32.exe
O4 - HKLM\..\RunOnce: [sysyv32.exe] C:\WINDOWS\system32\sysyv32.exe
O4 - HKLM\..\RunOnce: [wingt.exe] C:\WINDOWS\wingt.exe
O4 - HKLM\..\RunOnce: [winer.exe] C:\WINDOWS\system32\winer.exe
O4 - HKLM\..\RunOnce: [crmd32.exe] C:\WINDOWS\system32\crmd32.exe
O4 - HKLM\..\RunOnce: [winus.exe] C:\WINDOWS\system32\winus.exe
O4 - HKLM\..\RunOnce: [crbw.exe] C:\WINDOWS\crbw.exe
O4 - HKLM\..\RunOnce: [winxh.exe] C:\WINDOWS\winxh.exe
O4 - HKLM\..\RunOnce: [sysyh32.exe] C:\WINDOWS\system32\sysyh32.exe
O4 - HKLM\..\RunOnce: [sdkdc.exe] C:\WINDOWS\sdkdc.exe
O4 - HKLM\..\RunOnce: [sdkxp32.exe] C:\WINDOWS\system32\sdkxp32.exe
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netrc.exe (file missing)


********************************************

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold:

C:\WINDOWS\aoazc.dll <==file
C:\WINDOWS\system32\wineg.dll <==file
C:\WINDOWS\atlph32.exe <==file
C:\WINDOWS\system32\sdkiz32.exe <==file
C:\WINDOWS\ieog32.exe <==file
C:\WINDOWS\javafz.exe <==file
C:\WINDOWS\system32\ieuw32.exe <==file
C:\WINDOWS\system32\sysyv32.exe
C:\WINDOWS\wingt.exe <==file
C:\WINDOWS\system32\winer.exe <==file
C:\WINDOWS\system32\crmd32.exe <==file
C:\WINDOWS\system32\winus.exe <==file
C:\WINDOWS\crbw.exe <==file
C:\WINDOWS\winxh.exe <==file
C:\WINDOWS\system32\sysyh32.exe <==file
C:\WINDOWS\sdkdc.exe <==file
C:\WINDOWS\system32\sdkxp32.exe <==file
C:\WINDOWS\system32\guard.tmp <==file
C:\WINDOWS\system32\netrc.exe <==file

********************************************

Let's empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows Tab, Run CCleaner ,(click Run Cleaner (bottom right) then, when it finishes scanning click Exit.)
When you see "Complete" on the top line, it's done. It's very fast.

I recommend that you DO NOT run anything under the Issues Tab and the Applications Tab. To prevent accidently running the Issues Tab and Applicatons tabs, clear all check boxes are under them.

********************************************
In the next step we are going to remove a service that gets installed by this malware.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Remote Procedure Call (RPC) Helper

If Remote Procedure Call (RPC) Helper exists , right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_Remote Procedure Call (RPC) Helper

If LEGACY_Remote Procedure Call (RPC) Helper exists, then right click on it and choose delete from the menu.

If you have trouble deleting a key, then click once on the key name to highlight it and click on the Permission menu option under Security or Edit.
Then Uncheck "Allow inheritible permissions" and press copy.
Then click on everyone and put a checkmark in "full control".
Then press apply and ok and attempt to delete the key again


********************************************


This is the step where we will use about:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files.

If it asks if you would like to do a second pass, allow it to do so.
Save the log file and post it for me.

********************************************


Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\SW]



Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

********************************************


Run TrendMicro scan or that does not work, run Ewido scan.

Let them delete whatever they find.

********************************************

Please download, update and run Adaware SE

Run it in the Safe Mode and do a Full Scan.

Adaware SE Tutorial


Fix whatever it suggests.

********************************************

It sounds like you Hosts file has been corrupted. Lets restore the Hosts file.

Download the HOSTER from here:
http://www.funkytoad.com/download/hoster.zip

Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those
entries yourself.

********************************************

Open IE, go to Tools>Internet Options>then click on the security tab, then click on custom label. Check the following settings:

Download Signed ActiveX controls-set to Prompt.

Download Un-Signed ActiveX controls-set to Disable.

Initialize and script ActiveX controls marked as unsafe-set to disable.


********************************************


Finally, reboot and post a new Hijackthis log, Ewido scan (if you ran it), , About:Buster log and tell me how your computer is running.

Edited by SifuMike, 21 May 2005 - 09:04 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 lieut.columbo

lieut.columbo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 21 May 2005 - 09:32 PM

Here is my latest HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 10:25:58 PM, on 05/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\My Downloads\HiJack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aoazc.dll/sp.html#37049
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109898252593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


My AB Log file:

Scanned at: 10:16:48 PM on: 05/21/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


My TrendMicro log:

Trend Micro Housecall Virus Scan197 viruses detected


Results:
We have detected 194 infected file(s) with 197 virus(es) on
your computer. Only 0 out of 0 infected files are displayed.
Detected FileAssociated Virus Name
C:\Documents and Settings\Kevin Campos\Application
Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-62a02c6b-70968ad6.zip
- BlackBox.classJAVA_BYTEVER.B
- VB.classJAVA_BYTEVER.B
- Dummy.classJAVA_BYTEVER.B
- Beyond.classJAVA_BYTEVER.G
C:\WINDOWS\SYSTEM32\apppr32.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\appqi32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\appqv32.exeTROJ_AGENT.TQ
C:\WINDOWS\SYSTEM32\appuc32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\aruwh.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\atlcw.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\atley32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\atlft.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\atlhc.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\atlqp32.exeTROJ_DLOADER.LZ
C:\WINDOWS\SYSTEM32\atlut.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\azttf.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\bcrad.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\cefxs.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\cpgkr.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\creo.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\crhx32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\crjx32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\crkv32.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\crpw32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\crqt32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\crrr.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\crud.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\crzk32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\cywlr.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\d3cu32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\d3fp32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\d3gt32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\d3hk32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\d3mb32.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\d3qd.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\d3rk.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\d3tl32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\d3xt.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\d3yf.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\d3yk32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\dktibs.exeTROJ_DELF.MW
C:\WINDOWS\SYSTEM32\egjqd.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\eizzq.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\fnzer.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\gqtgr.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\hstvv.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\iedr.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\iegj.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\iehn32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\ieki32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\iekn.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\ienr.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\ieou32.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\ieoz32.exeTROJ_AGENT.TQ
C:\WINDOWS\SYSTEM32\iepz32.exeTROJ_AGENT.TQ
C:\WINDOWS\SYSTEM32\ieqq32.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\ierq32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\ieuv.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\ieuz32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\ieyg.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\ieza.exeTROJ_AGENT.TQ
C:\WINDOWS\SYSTEM32\imcax.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\internetmgr.exeTROJ_J.A
C:\WINDOWS\SYSTEM32\ipdn32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\ipiy32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\ipns.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\ipum32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\ipwo32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\ipyr.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\ipys32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\javabf.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\javabw32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\javadi32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\javajd32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\javanf.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\javaoh32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\javaoq.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\javaru.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\javaup.exeTROJ_AGENT.TQ
C:\WINDOWS\SYSTEM32\javaxm32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\javaxq.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\jcklx.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\jczyn.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\jijxk.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\jxyns.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\mamfq.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\mfcbz32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\mfcdw.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\mfcfp.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\mfcgb.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\mfclx32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\mfcpx.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\mfcqa.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\mfcsa.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\mfctl.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\mfcwl.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\mfczs.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\mkosk.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\mqrcd.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\msdk.exeTROJ_AGENT.TQ
C:\WINDOWS\SYSTEM32\msgs32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\mshq32.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\msmf32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\msmz.exeTROJ_AGENT.TQ
C:\WINDOWS\SYSTEM32\msne.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\msqm32.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\msvk.exeTROJ_DLOADER.LZ
C:\WINDOWS\SYSTEM32\mswc.exeTROJ_AGENT.TQ
C:\WINDOWS\SYSTEM32\msxz32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\mszu.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\netaz32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\netgz.exeTROJ_DLOADER.LZ
C:\WINDOWS\SYSTEM32\netho.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\netrf32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\netyb.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\netyx32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\nlyqq.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\ntcv.exeTROJ_AGENT.TQ
C:\WINDOWS\SYSTEM32\nthx.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\ntjm.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\ntok32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\ntpb32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\ntpc32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\ntqq.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\ntsg32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\ntvi32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\ntvx.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\ouakn.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\owkvn.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\perfc3702.exeWORM_SDBOT.GEN
C:\WINDOWS\SYSTEM32\perfc52176.exeTROJ_SMALL.ZZ
C:\WINDOWS\SYSTEM32\qxjwo.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\rsoqe.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\sdkdd.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\sdkel32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\sdkft.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\sdkjz.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\sdkkl.exeTROJ_AGENT.TQ
C:\WINDOWS\SYSTEM32\sdkld32.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\sdkrm32.exeTROJ_AGENT.TQ
C:\WINDOWS\SYSTEM32\sdksa.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\sdkuj32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\sdkvj.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\sdkwg.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\sjhjd.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\syser32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\sysgn32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\syshr.exeTROJ_DLOADER.LZ
C:\WINDOWS\SYSTEM32\syskf32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\syslv32.exeTROJ_AGENT.TQ
C:\WINDOWS\SYSTEM32\sysnv32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\syspv32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\sysrm32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\syste32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\sysvm32.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\twddf.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\uafds.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\ugrii.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\ujcps.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\vrhyj.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\winet.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\wingr.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\winkc.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\winnk32.exeTROJ_DLOADER.GE
C:\WINDOWS\SYSTEM32\winpq.exeTROJ_DLOADER.HP
C:\WINDOWS\SYSTEM32\winso.exeTROJ_AGENT.JI
C:\WINDOWS\SYSTEM32\wintt.exeTROJ_AGENT.TQ
C:\WINDOWS\SYSTEM32\wnnta.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\woiso.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\xtxlh.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\xznqk.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\yfnfu.dllTROJ_WINSHOW.T
C:\WINDOWS\SYSTEM32\yqcso.dllTROJ_WINSHOW.T
C:\WINDOWS\sysye32.exeTROJ_DLOADER.GE
C:\WINDOWS\sysyo32.exeTROJ_DLOADER.GE
C:\WINDOWS\trmdd.dllTROJ_WINSHOW.T
C:\WINDOWS\uqblv.dllTROJ_WINSHOW.T
C:\WINDOWS\vgozd.dllTROJ_WINSHOW.T
C:\WINDOWS\vlnlt.dllTROJ_WINSHOW.T
C:\WINDOWS\vvagv.dllTROJ_WINSHOW.T
C:\WINDOWS\winbg32.exeTROJ_AGENT.JI
C:\WINDOWS\winbp.exeTROJ_DLOADER.GE
C:\WINDOWS\wincon.exeTROJ_ISTBAR.BF
C:\WINDOWS\windq.exeTROJ_AGENT.JI
C:\WINDOWS\windr32.exeTROJ_DLOADER.HP
C:\WINDOWS\wines.exeTROJ_DLOADER.HP
C:\WINDOWS\winmo32.exeTROJ_DLOADER.GE
C:\WINDOWS\winnq.exeTROJ_DLOADER.GE
C:\WINDOWS\winoq32.exeTROJ_AGENT.JI
C:\WINDOWS\winpc32.exeTROJ_DLOADER.HP
C:\WINDOWS\winsb.exeTROJ_SMALL.NP
C:\WINDOWS\wintd32.exeTROJ_AGENT.JI
C:\WINDOWS\winwz.exeTROJ_AGENT.TQ
C:\WINDOWS\winzg.exeTROJ_AGENT.JI
C:\WINDOWS\wnznb.dllTROJ_WINSHOW.T
C:\WINDOWS\xbwmw.dllTROJ_WINSHOW.T
C:\WINDOWS\yngtg.dllTROJ_WINSHOW.T




Trojan/Worm CheckNo worm/Trojan horse detected

What we checked:
Malicious activity by a Trojan horse program. Although a
Trojan seems like a harmless program, it contains malicious
code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your
computer. Only 0 out of 0 Trojan horse programs and worms are
displayed.
Trojan/Worm NameTrojan/Worm Type




Spyware Check5 spyware programs detected

What we checked:
Whether personal information was tracked and reported by
spyware. Spyware is often installed secretly with legitimate
programs downloaded from the Internet.
Results:
We have detected 5 spyware(s) on your computer. Only 0 out of
0 spywares are displayed.
Spyware NameSpyware Type
ADW_SEARCHAID.AAdware
ADW_ADDURL.AAdware
ADW_PREADSRV.BAdware
SPYW_NETZANY.100Spyware
ADW_APROPOS.OAdware




Microsoft Vulnerability CheckNo vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues
Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 0 vulnerability/vulnerabilities on your
computer. Only 0 out of 0 vulnerabilities are displayed.
Risk LevelIssueHow to Fix


My computer is still running slow, however, I have not received the about:blank start page yet.

I think we might be getting closer :thumbsup:

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:42 PM

Posted 21 May 2005 - 09:50 PM

Hello lieut.columbo.

Yes, that is looking much better :thumbsup: The fact that you could run Trend Micro is a very good indication almost have it licked. But we still are not completely clean.


How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key.


Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aoazc.dll/sp.html#37049


Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold
C:\WINDOWS\aoazc.dll <==file



Empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows Tab, Run CCleaner ,(click Run Cleaner (bottom right) then, when it finishes scanning click Exit.)
When you see "Complete" on the top line, it's done.
I recommend that you DO NOT run anything under the Issues Tab and the Applications Tab. To prevent accidently running the Issues Tab and Applicatons tabs, clear all check boxes are under them.



In the Safe Mode, run Ewido, and run a full scan.

Post the log from the Ewido scan here for me.


Finally, reboot and post a new Hijackthis log, Ewido log and tell me how your computer is running.

Edited by SifuMike, 21 May 2005 - 11:19 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 lieut.columbo

lieut.columbo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 22 May 2005 - 07:26 AM

Good Morning SifuMike:

When I ran HiJack This and checked off and fixed the RO line, I could not locate the aoacz.dll file under the Windows directory or anywhere else on the C:drive. I ran Hijack This again and the RO line has been removed. I made sure the show hidden files was selected and hide protected files was unchecked.

Should I just go through with the rest of your steps anyway?

Thanks for your help.

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:42 PM

Posted 22 May 2005 - 09:20 AM

Should I just go through with the rest of your steps anyway?


Yes, go through the rest of the steps. :thumbsup:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 lieut.columbo

lieut.columbo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 22 May 2005 - 02:18 PM

Here is my latest HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 3:15:53 PM, on 05/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\My Downloads\HiJack This\HijackThis.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109898252593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Here is


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:07:12 PM, 05/22/2005
+ Report-Checksum: 4C5C41A

+ Date of database: 05/22/2005
+ Version of scan engine: v3.0

+ Duration: 51 min
+ Scanned Files: 65854
+ Speed: 21.51 Files/Second
+ Infected files: 31
+ Removed files: 31
+ Files put in quarantine: 31
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\My Downloads\HiJack This\backups\backup-20050521-191626-484.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\n_bwvkqi.txt -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\bxljo.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\SYSTEM32\crzh32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\dahtw.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ggzfr.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\SYSTEM32\iegx32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ieyg.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ipod.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\javaaz32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcas32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcfm.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ntbi32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\nvcde.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\SYSTEM32\perfc18695.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\perfc28769.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\SYSTEM32\saiqm.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\SYSTEM32\sxtqj.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\SYSTEM32\sysfn.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\syskg32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vkphe.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vtawt.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\SYSTEM32\winjk32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\_prefect.exe -> TrojanProxy.Agent.dh -> Cleaned with backup
C:\WINDOWS\systt.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\tfgzv.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\wincx32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\win_g.exe -> TrojanProxy.Agent.dh -> Cleaned with backup
C:\WINDOWS\yhgog.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\ypacq.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\zmvje.dll -> Spyware.SearchPage -> Cleaned with backup


::Report End

Still running very slow.

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:42 PM

Posted 22 May 2005 - 04:44 PM

Was your computer slow before you had CWS problem, or is this recent occurance? Any other symptoms besides slowness?

Looks like Ewido removed a bunch of trojans. :thumbsup:

Your Hijackthis log looks clean.

But we need to dig deeper.

I am going to check to make sure no reminents of the service still exist in your registry.

Please download ServiceFilter.zip

Extract the zip file to C:\ServiceFilter.
Inside the C:\ServiceFilter directory will be a file called ServiceFilter.vbs.
Double-click on the ServiceFilter.vbs and OK the info window that opens.

(If you have a script blocker or virus program that complains, tell it that this one is OK) When the script finishes a wordpad document should open with the unknown services listed in it.

Copy and paste the document text into your reply.

Edited by SifuMike, 22 May 2005 - 10:23 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 lieut.columbo

lieut.columbo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 23 May 2005 - 06:37 PM

Hi SifuMike:

This is all the info. I received from Service Filter:

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 2
May 23, 2005 7:32:14 PM

I have a window that popped up which says
Script: C:\ServiceFilter\ServiceFilter.vbs
Line: 229
Char: 1
Error: 0x8004100A
Code: 8004100A
Source: (null)

I'm not sure if this is just because WordPad did not open.


Thanks.

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:42 PM

Posted 23 May 2005 - 10:03 PM

See if you have a file called POST_THIS.TXT. If you do, then double click on it and post the log.


If you do not have a file called POST_THIS.TXT then we will use another service tool.
This makes a longer listing, but basicly does the same thing as the previous tool.

Download the file from here:

Getservices.zip

Extract the file to the c:\ drive. Then navigate to the c:\getservices and double-click on the getservices.bat file.

A notepad will open up.

Please paste the contents of that notepad as a reply to this post

Edited by SifuMike, 23 May 2005 - 10:13 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 lieut.columbo

lieut.columbo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 23 May 2005 - 10:27 PM

Here are my results:


PsService v1.1 - local and remote services viewer/controller
Copyright © 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: 11F#`I
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\netrc.exe /s
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Helper
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : -1 seconds
FAILURE_ACTIONS : Restart DELAY: 1000 seconds

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alerter
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: ALG
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Layer Gateway Service
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Management
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: aspnet_state
Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ASP.NET State Service
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : AudioGroup
TAG : 0
DISPLAY_NAME : Windows Audio
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Background Intelligent Transfer Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Computer Browser
DEPENDENCIES : LanmanWorkstation
: LanmanServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: CiSvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\cisvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Indexing Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ClipBook
DEPENDENCIES : NetDDE
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: COMSysApp
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COM+ System Application
DEPENDENCIES : rpcss
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 30 seconds
FAILURE_ACTIONS : Restart DELAY: 1000 seconds
: Restart DELAY: 5000 seconds
: None DELAY: 1000 seconds

SERVICE_NAME: CryptSvc
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cryptographic Services
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: DcomLaunch
Provides launch functionality for DCOM services.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k DcomLaunch
LOAD_ORDER_GROUP : Event Log
TAG : 0
DISPLAY_NAME : DCOM Server Process Launcher
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager Administrative Service
DEPENDENCIES : RpcSs
: PlugPlay
: DmServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager
DEPENDENCIES : RpcSs
: PlugPlay
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: ERSvc
Allows error reporting for services and applictions running in non-standard environments.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Error Reporting Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : Event log
TAG : 0
DISPLAY_NAME : Event Log
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : COM+ Event System
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ewido security suite control
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\ewido\security suite\ewidoctrl.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ewido security suite control
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: FastUserSwitchingCompatibility
Provides management for applications that require assistance in a multiple user environment.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fast User Switching Compatibility
DEPENDENCIES : TermService
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Fax
Enables you to send and receive faxes, utilizing fax resources available on this computer or on the network.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\fxssvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fax
DEPENDENCIES : TapiSrv
: RpcSs
: PlugPlay
: Spooler
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Help and Support
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 100 seconds
: Restart DELAY: 100 seconds
: None DELAY: 100 seconds

SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Human Interface Device Access
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: HTTPFilter
This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k HTTPFilter
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HTTP SSL
DEPENDENCIES : HTTP
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\imapi.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IMAPI CD-Burning COM Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Server
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : Workstation
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LexBceS
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\LEXBCES.EXE
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : LexBce Server
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper
DEPENDENCIES : NetBT
: Afd
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: McShield
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : c:\PROGRA~1\mcafee.com\vso\mcshield.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : McAfee.com McShield
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mcupdmgr.exe
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : McAfee SecurityCenter Update Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MCVSRte
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe /Embedding
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : McAfee.com VirusScan Online Realtime Engine
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Messenger
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Messenger
DEPENDENCIES : LanmanWorkstation
: NetBIOS
: PlugPlay
: RpcSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\mnmsrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetMeeting Remote Desktop Sharing
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\msdtc.exe
LOAD_ORDER_GROUP : MS Transactions
TAG : 1
DISPLAY_NAME : Distributed Transaction Coordinator
DEPENDENCIES : RPCSS
: SamSS
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: MSIServer
Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\msiexec.exe /V
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Installer
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP : NetDDEGroup
TAG : 0
DISPLAY_NAME : Network DDE
DEPENDENCIES : NetDDEDSDM
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network DDE DSDM
DEPENDENCIES :
: EGrLocalSystem
: Network DDE DSDM
: etwork DDE
: workService
: Distributed Transaction Coordinator
: ion
: ogramFil`
: 
: ]
: 
: x6
: x6
: ges Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
:
: u
: n
: a
: v
: a
: i
: l
: a
: b
: l
: e
: .
:
: I
: f
:
: t
: h
: i
: s
:
: s
: e
: r
: v
: i
: c
: e
:
: i
: s
:
: d
: i
: s
: a
: b
: l
: e
: d
: ,
:
: a
: n
: y
:
: s
: e
: r
: v
: i
: c
: e
: s
:
: t
: h
: a
: t
:
: e
: x
: p
: l
: i
: c
: i
: t
: l
: y
:
: d
: e
: p
: e
: n
: d
:
: o
: n
:
: i
: t
:
: w
: i
: l
: l
:
: f
: a
: i
: l
:
: t
: o
:
: s
: t
: a
: r
: t
: .
:
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP : RemoteValidation
TAG : 0
DISPLAY_NAME : Net Logon
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Connections
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Nla
Collects and stores network configuration and location information, and notifies applications when this information changes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Location Awareness (NLA)
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NT LM Security Support Provider
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Removable Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Plug and Play
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IPSEC Services
DEPENDENCIES : RPCSS
: Tcpip
: IPSec
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Protected Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Auto Connection Manager
DEPENDENCIES : RasMan
: Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Connection Manager
DEPENDENCIES : Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RDSessMgr
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Desktop Help Session Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Routing and Remote Access
DEPENDENCIES : RpcSS
: +NetBIOSGroup
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\locator.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Locator
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
LOAD_ORDER_GROUP : COM Infrastructure
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC)
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\NetworkService
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\rsvp.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : QoS RSVP
DEPENDENCIES : TcpIp
: Afd
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP : LocalValidation
TAG : 0
DISPLAY_NAME : Security Accounts Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardDrv
Enables support for legacy non-plug and play smart-card readers used by this computer. If this service is stopped, this computer will not support legacy reader. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smart Card Helper
DEPENDENCIES : +Smart Card Reader
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP : SmartCardGroup
TAG : 0
DISPLAY_NAME : Smart Card
DEPENDENCIES : PlugPlay
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : SchedulerGroup
TAG : 0
DISPLAY_NAME : Task Scheduler
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 6000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: ScsiAccess
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\ScsiAccess.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ScsiAccess
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Secondary Logon
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : System Event Notification
DEPENDENCIES : EventSystem
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS)
DEPENDENCIES : Netman
: WinMgmt
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ShellHWDetection
Provides notifications for AutoPlay hardware events.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : Shell Hardware Detection
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: srservice
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : System Restore Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SSDPSRV
Enables discovery of UPnP devices on your home network.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SSDP Discovery Service
DEPENDENCIES : HTTP
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: stisvc
Provides image acquisition services for scanners and cameras.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k imgsvc
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Image Acquisition (WIA)
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SwPrv
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\dllhost.exe /Processid:{56814580-7D41-42EA-B87C-2F88B0E32A75}
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MS Software Shadow Copy Provider
DEPENDENCIES : rpcss
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Performance Logs and Alerts
DEPENDENCIES :
SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telephony
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TermService
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost -k DComLaunch
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Terminal Services
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Themes
Provides user experience theme management.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : UIGroup
TAG : 0
DISPLAY_NAME : Themes
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: TrkWks
Maintains links between NTFS files within a computer or across computers in a network domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Distributed Link Tracking Client
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: upnphost
Provides support to host Universal Plug and Play devices.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Universal Plug and Play Device Host
DEPENDENCIES : SSDPSRV
: HTTP
SERVICE_START_NAME: NT AUTHORITY\LocalService
FAIL_RESET_PERIOD : -1 seconds
FAILURE_ACTIONS : Restart DELAY: 0 seconds

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Uninterruptible Power Supply
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Volume Shadow Copy
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: w32time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.


TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Time
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : WebClient
DEPENDENCIES : MRxDAV
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: winmgmt
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Portable Media Serial Number Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WmiApSrv
Provides performance library information from WMI HiPerf providers.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\wbem\wmiapsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WMI Performance Adapter
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wscsvc
Monitors system security settings and configurations.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Security Center
DEPENDENCIES : RpcSs
: winmgmt
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Automatic Updates
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
Provides automatic configuration for the 802.11 adapters
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wireless Zero Configuration
DEPENDENCIES : RpcSs
: Ndisuio
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: xmlprov
Manages XML configuration files on a domain basis for automatic network provisioning.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Provisioning Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users