
hijacked by a-search.biz/wmid=1010


25 replies to this topic

#1 ihatehijacks


Posted 05 November 2004 - 10:24 AM

Hello guys,

My browser has been hijacked by a variant of a-search.biz/wmid=1010.
I am an experienced computer user, and I have tried about everything, including removing the tgbrfv_5.dll and executable manually after having changed the attributes by using the DOS command prompt, but the motherbleeper still returns.

Here is my HijackThis log.
Can somebody help me?

Logfile of HijackThis v1.98.2
Scan saved at 4:19:04 PM, on 11/5/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Common Files\Network Associates\Alert Manager\amgrsrvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\NetShield 2000\Mcshield.exe
C:\Program Files\Network Associates\NetShield 2000\VsTskMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\PivX\Qwik-Fix\qfloadsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\PivX\Qwik-Fix\qfui.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kpne.dat
C:\CWS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=1&q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ou.nl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=1&q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Open Universiteit Nederland
F2 - REG:system.ini: UserInit=Userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ScriptSentry] C:\CWS\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [Qwik-Fix User Interface] C:\Program Files\PivX\Qwik-Fix\\qfui.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [iframeworks.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fhpd.dat
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Microsoft® VBScript® Console - {400FDBE6-7837-47C2-8175-4BF7AB896061} - (no file)
O9 - Extra 'Tools' menuitem: VBScript Terminal - {400FDBE6-7837-47C2-8175-4BF7AB896061} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O13 - Home Prefix: http://www.heretofind.com/show.php?id=1&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=1&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=1&q=
O14 - IERESET.INF: START_PAGE_URL=http://www.ou.nl


#2 Grinler

    Lawrence Abrams



Posted 05 November 2004 - 03:42 PM

Download KillBox here:
KillBox. Unzip it to your desktop.

Start Killbox.exe

Select the Delete on reboot option.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\Windows\system32\TGBRFV_5.dll
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\System32\TGBRFV_.exe
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot.


I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=1&q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=1&q=%s
F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [iframeworks.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fhpd.dat
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Microsoft® VBScript® Console - {400FDBE6-7837-47C2-8175-4BF7AB896061} - (no file)
O9 - Extra 'Tools' menuitem: VBScript Terminal - {400FDBE6-7837-47C2-8175-4BF7AB896061} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O13 - Home Prefix: http://www.heretofind.com/show.php?id=1&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=1&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=1&q=

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist):

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\Temp\fhpd.dat


Reboot your computer to go back to normal mode and post a new log.
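A defender-side triage of the kinds of entries the reply above singles out, written as an added example for this thread (not code from the poster, the helper or HijackThis). It flags start/search settings that point at a host other than the expected one, O4 autoruns launched from a Temp folder or with a non-executable extension, orphaned O9 buttons, and a UserInit value that is not a full default path. The expected-host allowlist, the UserInit defaults and the sample lines (copied from the first log above) are assumptions:

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis v1.98.2 lines from the first post.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=1&q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ou.nl
F2 - REG:system.ini: UserInit=Userinit.exe,
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [iframeworks.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fhpd.dat
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O13 - Home Prefix: http://www.heretofind.com/show.php?id=1&q=
O14 - IERESET.INF: START_PAGE_URL=http://www.ou.nl
"""

# Hosts the owner legitimately expects in IE start/search settings (assumption,
# taken from the Default_Page_URL in the log above).
EXPECTED_HOSTS = {"www.ou.nl"}

# Full-path UserInit values treated as normal (assumption; the bare
# "Userinit.exe," form the thread struggles with is deliberately not in it).
NORMAL_USERINIT = {
    r"c:\winnt\system32\userinit.exe,",
    r"c:\windows\system32\userinit.exe,",
}

SECTION_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (?P<target>.+)$")


def run_target_path(target: str) -> str:
    """Program path from an O4 Run value, without quotes or arguments."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    # Unquoted values: arguments, if any, start with " /" or " -".
    return re.split(r" [/-]", target, maxsplit=1)[0]


def check_entry(sec: str, body: str) -> list:
    """Reasons a HijackThis entry deserves a look; empty list when none apply."""
    reasons = []
    if sec in {"R0", "R1", "O13", "O14"}:
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if host and host not in EXPECTED_HOSTS:
                reasons.append(f"start/search setting points at unexpected host {host}")
    elif sec == "F2" and "UserInit=" in body:
        value = body.split("UserInit=", 1)[1].strip().lower()
        if value not in NORMAL_USERINIT:
            reasons.append(f"UserInit is not a full default path: {value}")
    elif sec == "O4":
        rm = RUN_RE.match(body)
        if rm:
            path = run_target_path(rm.group("target"))
            if TEMP_RE.search(path):
                reasons.append("autorun launched from a Temp folder")
            ext = path.lower().rsplit(".", 1)[-1] if "." in path else ""
            if ext != "exe":
                reasons.append(f"autorun target has non-executable extension .{ext}")
    elif sec == "O9" and "(no file)" in body:
        reasons.append("orphaned extra button or menu item (no file)")
    return reasons


def triage(log_text: str) -> list:
    """(section, line, reasons) for every log line that triggers a rule."""
    findings = []
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        reasons = check_entry(m.group("sec"), m.group("body"))
        if reasons:
            findings.append((m.group("sec"), line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for sec, line, reasons in triage(SAMPLE_LOG):
        print(f"{sec}: {line}\n    - " + "\n    - ".join(reasons))
```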

#3 ihatehijacks


Posted 06 November 2004 - 03:17 PM

I fixed all those things, but the F2 line is not going away. I deleted the dll and executable with KillBox, and rebooted in Safe Mode. Then I deleted fhpd.dat (and abbb.dat) in the Temp folder. I rebooted to post this log, but the browser is still hijacked.
Here is my new log (and thanks for your efforts so far).

Logfile of HijackThis v1.98.2
Scan saved at 9:09:15 PM, on 11/6/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Common Files\Network Associates\Alert Manager\amgrsrvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\NetShield 2000\Mcshield.exe
C:\Program Files\Network Associates\NetShield 2000\VsTskMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\PivX\Qwik-Fix\qfloadsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\PivX\Qwik-Fix\qfui.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\CWS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ou.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Open Universiteit Nederland
F2 - REG:system.ini: UserInit=Userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ScriptSentry] C:\CWS\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [Qwik-Fix User Interface] C:\Program Files\PivX\Qwik-Fix\\qfui.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O14 - IERESET.INF: START_PAGE_URL=http://www.ou.nl

#4 Grinler

    Lawrence Abrams



Posted 07 November 2004 - 05:19 PM

The first thing I need you to do is download the file from here:

Getservices.zip - Get list of XP/2000/NT Services

Extract the file to the c:\ drive. Then navigate to c:\getservices and double-click on the getservices.bat file. A Notepad window will open. Please paste the contents of that Notepad window as a reply to this post along with a brand new HijackThis log.
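The batch file above produces PsService-style records, which are easier to review with a parser than by eye. This is an added example for this thread, not code from the poster, the helper or Sysinternals: it splits the record layout used in this thread into per-service dictionaries and flags a binary living outside the expected directories or a failure action that runs a command. The allowed roots and the three abbreviated sample records (two cut down from the log in this thread, ExampleSvc invented as an illustration) are constructed assumptions:

```python
import re

# Constructed sample in the PsService v1.1 layout used in this thread: two records
# abbreviated from the posted output plus one invented record (ExampleSvc).
SAMPLE_PSSERVICE = r"""
PsService v1.1 - local and remote services viewer/controller

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
DISPLAY_NAME : Alerter
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: IISADMIN
Allows administration of Web and FTP services through the Internet Information Services snap-in.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINNT\System32\inetsrv\inetinfo.exe
DISPLAY_NAME : IIS Admin Service
DEPENDENCIES : RPCSS
: ProtectedStorage
SERVICE_START_NAME: LocalSystem
COMMAND : reset.exe" /fail=%1%
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Run command DELAY: 1 seconds
: Run command DELAY: 1 seconds

SERVICE_NAME: ExampleSvc
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svc.dat
DISPLAY_NAME : Example Service
SERVICE_START_NAME: LocalSystem
"""

# Directories a service binary is expected to live under on this Windows 2000
# box (assumption; extend with third-party install locations as needed).
ALLOWED_ROOTS = ("c:\\winnt\\", "c:\\program files\\")

KEY_RE = re.compile(r"^(?P<key>[A-Z_]+)\s*:\s?(?P<val>.*)$")
CONT_RE = re.compile(r"^:\s?(?P<val>.*)$")  # continuation of the previous key


def parse_psservice(text: str) -> list:
    """Split PsService output into records of the form {KEY: [value, ...]}."""
    records, rec, last = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km, cm = KEY_RE.match(line), CONT_RE.match(line)
        if km and km.group("key") == "SERVICE_NAME":
            rec = {"SERVICE_NAME": [km.group("val").strip()]}
            records.append(rec)
            last = "SERVICE_NAME"
        elif rec is None:
            continue  # banner lines before the first record
        elif km:
            last = km.group("key")
            rec.setdefault(last, []).append(km.group("val").strip())
        elif cm and last:
            vals = rec.setdefault(last, [])
            if vals == [""]:
                vals.clear()  # "KEY :" with the real values on continuation lines
            vals.append(cm.group("val").strip())
        elif last == "SERVICE_NAME":
            rec["DESCRIPTION"] = [line]  # free-text line right after the name
            last = "DESCRIPTION"
    return records


def binary_path(value: str) -> str:
    """Program path from BINARY_PATH_NAME without quotes or arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return re.split(r" [/-]", value, maxsplit=1)[0]


def review_services(records: list) -> list:
    """(service, reason) pairs for records worth a closer look."""
    findings = []
    for rec in records:
        name = rec["SERVICE_NAME"][0]
        for value in rec.get("BINARY_PATH_NAME", []):
            path = binary_path(value).lower()
            if not path.startswith(ALLOWED_ROOTS):
                findings.append((name, f"binary outside expected roots: {path}"))
        if any("run command" in a.lower() for a in rec.get("FAILURE_ACTIONS", [])):
            cmd = "; ".join(rec.get("COMMAND", ["<none>"]))
            findings.append((name, f"failure action runs a command: {cmd}"))
    return findings


if __name__ == "__main__":
    for name, reason in review_services(parse_psservice(SAMPLE_PSSERVICE)):
        print(f"{name}: {reason}")
```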

#5 ihatehijacks


Posted 10 November 2004 - 07:22 AM

OK, here are the logs... (I'm using Mozilla Firefox as my browser at the moment, until my Internet Explorer hijacking problem is solved.)

PsService v1.1 - local and remote services viewer/controller
Copyright © 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alerter
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AlertManager
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Common Files\Network Associates\Alert Manager\amgrsrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Associates Alert Manager
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Management
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Browser
Maintains an up-to-date list of computers on your network and supplies the list to programs that request it.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Computer Browser
DEPENDENCIES : LanmanWorkstation
: LanmanServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: cisvc
(null)
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\cisvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Indexing Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\clipsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ClipBook
DEPENDENCIES : NetDDE
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dfs
Manages logical volumes distributed across a local or wide area network.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\Dfssvc.exe
LOAD_ORDER_GROUP : Dfs
TAG : 0
DISPLAY_NAME : Distributed File System
DEPENDENCIES : LanmanWorkstation
: LanmanServer
: DfsDriver
: Mup
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Administrative service for disk management requests
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\dmadmin.exe /com
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager Administrative Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Logical Disk Manager Watchdog Service
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP : Event log
TAG : 0
DISPLAY_NAME : Event Log
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Provides automatic distribution of events to subscribing COM components.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : COM+ Event System
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Fax
Helps you send and receive faxes
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\faxsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fax Service
DEPENDENCIES : TapiSrv
: RpcSs
: PlugPlay
: Spooler
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: IISADMIN
Allows administration of Web and FTP services through the Internet Information Services snap-in.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\inetsrv\inetinfo.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IIS Admin Service
DEPENDENCIES : RPCSS
: ProtectedStorage
SERVICE_START_NAME: LocalSystem
COMMAND : reset.exe" /fail=%1%
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Run command DELAY: 1 seconds
: Run command DELAY: 1 seconds
: Run command DELAY: 1 seconds

SERVICE_NAME: iPodService
iPod hardware management services
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\iPod\bin\iPodService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : iPod Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: IsmServ
Allows sending and receiving messages between Windows Advanced Server sites.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\ismserv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Intersite Messaging
DEPENDENCIES : SamSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: kdc
Generates session keys and grants service tickets for mutual client/server authentication.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe
LOAD_ORDER_GROUP : RemoteValidation
TAG : 0
DISPLAY_NAME : Kerberos Key Distribution Center
DEPENDENCIES : RpcSs
: Afd
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Provides RPC support and file, print, and named pipe sharing.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Server
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Provides network connections and communications.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : Workstation
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LicenseService
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\llssrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : License Logging Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper Service
DEPENDENCIES : NetBT
: Afd
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: McShield
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Network Associates\NetShield 2000\Mcshield.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Associates McShield
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: McTaskManager
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Network Associates\NetShield 2000\VsTskMgr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Associates Task Manager
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Messenger
Sends and receives messages transmitted by administrators or by the Alerter service.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Messenger
DEPENDENCIES : LanmanWorkstation
: NetBIOS
: RpcSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Allows authorized people to remotely access your Windows desktop using NetMeeting.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\mnmsrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetMeeting Remote Desktop Sharing
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\msdtc.exe
LOAD_ORDER_GROUP : MS Transactions
TAG : 0
DISPLAY_NAME : Distributed Transaction Coordinator
DEPENDENCIES : RPCSS
: SamSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSIServer
Installs, repairs and removes software according to instructions contained in .MSI files.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\MsiExec.exe /V
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Installer
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for dynamic data exchange (DDE).
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\netdde.exe
LOAD_ORDER_GROUP : NetDDEGroup
TAG : 0
DISPLAY_NAME : Network DDE
DEPENDENCIES : NetDDEDSDM
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages shared dynamic data exchange and is used by Network DDE
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\netdde.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network DDE DSDM
DEPENDENCIES :
: EGrLocalSystem
: Network DDE DSDM
: etwork DDE
: ted Transaction Coordinator
: Manager
: ȉ
: ȉ
: h
: 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe
LOAD_ORDER_GROUP : RemoteValidation
TAG : 0
DISPLAY_NAME : Net Logon
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Connections
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NISSERV
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Norton Internet Security\NISSERV.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Norton Internet Security Service
DEPENDENCIES : RpcSs
: NISUM
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NISUM
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Norton Internet Security\NISUM.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Norton Internet Security Accounts Manager
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtFrs
Maintains file synchronization of file directory contents among multiple servers.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\system32\ntfrs.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : File Replication
DEPENDENCIES : EventLog
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NT LM Security Support Provider
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
Manages removable media, drives, and libraries.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Removable Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Manages device installation and configuration and notifies programs of device changes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Plug and Play
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IPSEC Policy Agent
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Protected Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: qfcoresvc
Provides proactive threat mitigation and security updates for the local computer.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\PivX\Qwik-Fix\qfloadsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Qwik-Fix
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Auto Connection Manager
DEPENDENCIES : RasMan
: Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Connection Manager
DEPENDENCIES : Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Routing and Remote Access
DEPENDENCIES : RpcSS
: +NetBIOSGroup
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteRegistry
Allows remote registry manipulation.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\regsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Registry Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Restart DELAY: 1000 seconds

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\locator.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Locator
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\svchost -k rpcss
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC)
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\rsvp.exe -s
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : QoS RSVP
DEPENDENCIES : TcpIp
: Afd
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Security Accounts Manager
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardDrv
Provides support for legacy smart card readers attached to the computer.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\System32\SCardSvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smart Card Helper
DEPENDENCIES : +Smart Card Reader
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardSvr
Manages and controls access to a smart card inserted into a smart card reader attached to the computer.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\System32\SCardSvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smart Card
DEPENDENCIES : PlugPlay
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Schedule
Enables a program to run at a designated time.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\MSTask.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Task Scheduler
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : RunAs Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : System Event Notification
DEPENDENCIES : EventSystem
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Internet Connection Sharing
DEPENDENCIES : RasMan
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SMTPSVC
Transports electronic mail across the network
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\inetsrv\inetinfo.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Simple Mail Transport Protocol (SMTP)
DEPENDENCIES : IISADMIN
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SNDSrvc
Symantec Network Drivers Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Symantec Network Drivers Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SymProxySvc
Symantec Transparent Proxy Server
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Norton Internet Security\SymProxySvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Norton Internet Security Proxy Service
DEPENDENCIES : RpcSs
: NISUM
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Configures performance logs and alerts.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\smlogsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Performance Logs and Alerts
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k tapisrv
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telephony
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TermService
Provides a multisession environment that allows client devices to access a virtual Windows 2000 Professional desktop session and Windows-based programs running on the server.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\termsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Terminal Services
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TlntSvr
Allows a remote user to log on to the system and run console programs using the command line.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\tlntsvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telnet
DEPENDENCIES : RpcSs
: TcpIp
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TrkSvr
Stores information so that files moved between volumes can be tracked for each volume in the domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Distributed Link Tracking Server
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TrkWks
Sends notifications of files moving between NTFS volumes in a network domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Distributed Link Tracking Client
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\ups.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Uninterruptible Power Supply
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UtilMan
Starts and configures accessibility tools from one window
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\UtilMan.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Utility Manager
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: W32Time
Sets the computer clock.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Time
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: W3SVC
Provides Web connectivity and administration through the Internet Information Services snap-in.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\inetsrv\inetinfo.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : World Wide Web Publishing Service
DEPENDENCIES : IISADMIN
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WinMgmt
Provides system management information.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\System32\WBEM\WinMgmt.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: Wmi
Provides systems management information to and from drivers.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\Services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation Driver Extensions
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

Logfile of HijackThis v1.98.2
Scan saved at 1:17:18 PM, on 11/10/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Common Files\Network Associates\Alert Manager\amgrsrvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\NetShield 2000\Mcshield.exe
C:\Program Files\Network Associates\NetShield 2000\VsTskMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\PivX\Qwik-Fix\qfloadsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINNT\Explorer.exe
C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\PivX\Qwik-Fix\qfui.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\CWS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ou.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Open Universiteit Nederland
F2 - REG:system.ini: UserInit=Userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ScriptSentry] C:\CWS\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [Qwik-Fix User Interface] C:\Program Files\PivX\Qwik-Fix\\qfui.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O14 - IERESET.INF: START_PAGE_URL=http://www.ou.nl

#6 CalamityKen

CalamityKen

  • Members
  • 128 posts
  • Location:Whitby. Ont.

Posted 10 November 2004 - 07:46 AM

ihatehijacks, please update to Windows 2000 Service Pack 4 and ALL Critical Updates
http://www.microsoft.com/windows2000/downl...sp4/default.asp

Review Windows 2000 Services for unneeded and resource-wasting services.
http://www.blackviper.com/WIN2K/servicecfg.htm

Install the prevention protection below and help keep your university friends from being infected on the Internet.

Empty the Recycle Bin frequently.

Run CleanUp! as the Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
http://cleanup.stevengould.org/
Then reboot to let it clean out what it found.

By the way, in order to improve Internet Explorer (IE) performance the Temporary Internet Files (TIF) folder should be cleaned out periodically.
Also, it is a good idea to limit the size of the TIF to 200MB for performance's sake.
In IE go to Tools, then Internet Options, then Settings, and move the slider down to 200MB.

Download and install WinPatrol.
http://www.winpatrol.com

Browser settings for increased security:
http://bshagnasty.home.att.net/browsersettings.htm

Install IE-SPYAD then run the install.bat in the ie-spyad folder and SpywareBlaster then keep them up to date as today's Internet is full of nasty infections.
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
http://www.javacoolsoftware.com/spywareblaster.html

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,389 posts
  • Gender:Male
  • Location:USA

Posted 10 November 2004 - 10:57 AM

Please download Reglook from here:

http://computercops.biz/modules.php?name=F...ownload&id=3618

Extract the program and run it. When it has completed it will create a log. Post that log as a reply to this topic.

#8 ihatehijacks

ihatehijacks
  • Topic Starter

  • Members
  • 14 posts

Posted 17 November 2004 - 02:14 PM

I do not find anything at that link. (Is it possible that it has changed?)
Should I do what CalamityKen wrote in the previous comment? I am not eager to do so because the last time I tried to install a service pack the whole system crashed...

#9 ihatehijacks

ihatehijacks
  • Topic Starter

  • Members
  • 14 posts

Posted 17 November 2004 - 03:22 PM

Hi Grinler,

I found reglook by following the instructions of one of your colleagues in one of the other topics (see my previous comment).
This is the log. This looks suspicious, I think: [Userinit] = "Userinit.exe,TGBRFV_" (REG_SZ)



A reg_look by IMM
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(key has 0 subkeys and 7 value entries - last modified 04:29(UTC) 17/02/2004)
[AppInit_DLLs] = "" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(key has 2 subkeys and 26 value entries - last modified 19:54(UTC) 06/11/2004)
[Userinit] = "Userinit.exe,TGBRFV_" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
(key has 0 subkeys and 5 value entries - last modified 17:27(UTC) 24/05/2001)
[Shell] = "SYS:Microsoft\Windows NT\CurrentVersion\Winlogon" (REG_SZ)
----------------------------------------

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,389 posts
  • Gender:Male
  • Location:USA

Posted 17 November 2004 - 03:28 PM

Post a new HijackThis log and we will clean you up.

#11 ihatehijacks

ihatehijacks
  • Topic Starter

  • Members
  • 14 posts

Posted 17 November 2004 - 03:40 PM

Ok, here it is...

Logfile of HijackThis v1.98.2
Scan saved at 9:34:58 PM, on 11/17/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Common Files\Network Associates\Alert Manager\amgrsrvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\NetShield 2000\Mcshield.exe
C:\Program Files\Network Associates\NetShield 2000\VsTskMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\PivX\Qwik-Fix\qfloadsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINNT\Explorer.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\PivX\Qwik-Fix\qfui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\CWS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ou.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Open Universiteit Nederland
F2 - REG:system.ini: UserInit=Userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ScriptSentry] C:\CWS\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [Qwik-Fix User Interface] C:\Program Files\PivX\Qwik-Fix\\qfui.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O14 - IERESET.INF: START_PAGE_URL=http://www.ou.nl

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,389 posts
  • Gender:Male
  • Location:USA

Posted 17 November 2004 - 08:35 PM

Note: please read this carefully, as the steps do repeat a few times, but the last step does change a bit.

Download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

Select the Delete on reboot option.


In the field labeled "Full path of file to delete" enter C:\WINDOWS\System32\TGBRFV_.exe

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the NO button.


Next In the field labeled "Full path of file to delete" enter C:\WINDOWS\System32\TGBRFV_5.dll

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the NO button.



Next In the field labeled "Full path of file to delete" enter C:\WINDOWS\System32\TGBRFV_.dll

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the YES button.


Your computer will now reboot and check to see if the file is gone.


When it reboots, fix these entries in hijackthis:

F2 - REG:system.ini: UserInit=Userinit.exe,

Reboot and post a new log

#13 ihatehijacks

ihatehijacks
  • Topic Starter

  • Members
  • 14 posts

Posted 23 November 2004 - 02:47 PM

Hi Grinler,

I did exactly as you told me and... it got even worse!
The "F2 - REG:system.ini: UserInit=Userinit.exe," entry is still there, but now there is a new R0 and R1 entry as well (see the HijackThis log infra).
This thing seems to be immortal!

Logfile of HijackThis v1.98.2
Scan saved at 8:34:31 PM, on 11/23/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Common Files\Network Associates\Alert Manager\amgrsrvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\NetShield 2000\Mcshield.exe
C:\Program Files\Network Associates\NetShield 2000\VsTskMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\PivX\Qwik-Fix\qfloadsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PivX\Qwik-Fix\qfui.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\CWS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xysearch.biz?wmid=1010
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ou.nl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://a-search.biz?wmid=1010
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Open Universiteit Nederland
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ScriptSentry] C:\CWS\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [Qwik-Fix User Interface] C:\Program Files\PivX\Qwik-Fix\\qfui.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O14 - IERESET.INF: START_PAGE_URL=http://www.ou.nl
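
The two indicators this thread turns on can be checked mechanically: the Winlogon Userinit value carrying a second program after Userinit.exe (the reglook output in post #9 and the F2 line above) and R0/R1 start-page values pointing at a domain the owner never chose (the two R0 lines above). The script below is an added example, not part of this thread, of HijackThis or of reglook; the allowlist of expected home-page domains and the sample log lines are constructed from the values posted above.

```python
"""Triage a HijackThis 1.98-style log for two hijack indicators:

1. F2 Userinit line listing any program besides userinit.exe
   (a classic Winlogon persistence point).
2. R0/R1 Start Page / Default_Page_URL values whose host is not on
   the owner's allowlist (browser home-page hijack).

Added example; the sample log and allowlist are constructed, not the
thread's own data or any tool's output format beyond the lines shown.
"""
import re

# Domains the owner expects as start/default page (constructed allowlist).
ALLOWED_HOMEPAGE_DOMAINS = {"www.ou.nl"}

# Userinit programs Windows itself installs; anything else is suspect.
EXPECTED_USERINIT = {"userinit.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+) = (?P<url>\S+)$")

# Constructed sample, copied from the log lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xysearch.biz?wmid=1010
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ou.nl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://a-search.biz?wmid=1010
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
"""


def userinit_entries(value):
    """Split a Userinit value such as 'Userinit.exe,TGBRFV_' into its
    programs; the trailing comma Windows leaves yields no empty entry."""
    return [p.strip() for p in value.split(",") if p.strip()]


def url_host(url):
    """Return the host part of a URL, tolerating 'http://host?query' with
    no path separator, as the hijacked entries above are written."""
    rest = re.sub(r"^https?://", "", url, flags=re.I)
    return rest.split("/")[0].split("?")[0].lower()


def triage(log_text):
    """Return a list of (kind, detail, line) findings for a log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            extra = [p for p in userinit_entries(m.group("value"))
                     if p.lower() not in EXPECTED_USERINIT]
            if extra:
                findings.append(("userinit-extra", ", ".join(extra), line))
            continue
        m = R_RE.match(line)
        if m:
            host = url_host(m.group("url"))
            if host not in ALLOWED_HOMEPAGE_DOMAINS:
                findings.append(("homepage-hijack", host, line))
    return findings


if __name__ == "__main__":
    for kind, detail, line in triage(SAMPLE_LOG):
        print(f"{kind:16} {detail:14} <- {line}")
```

Run against the constructed sample it reports both search.biz hosts as home-page hijacks and `TGBRFV_` as an extra Userinit program, while the clean `UserInit=Userinit.exe,` line from the earlier logs produces no finding; the trailing comma is why that earlier line looked harmless even though reglook read the same registry value as `Userinit.exe,TGBRFV_` a few days later.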

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,389 posts
  • Gender:Male
  • Location:USA

Posted 23 November 2004 - 03:27 PM

Download this file:

http://www.bleepingcomputer.com/files/pv.php

and extract it to c:\pv.

Navigate to that directory and double-click on the runme.bat file. Then press the number 1; when it's done it will open a notepad.

Then do the same thing for options 1 and 2. Paste all three logs in here as a reply and let me look it over. This is the last thing I can think of.

#15 ihatehijacks

ihatehijacks
  • Topic Starter

  • Members
  • 14 posts

Posted 23 November 2004 - 03:39 PM

I downloaded the program and ran options 1 and 2 (this gives me only 2 logs; you were referring to 3 logs?)

log 1
------

Module information for 'Explorer.exe'
MODULE BASE SIZE PATH
Explorer.exe 400000 245760 C:\WINNT\Explorer.exe 5.00.2920.0000 Windows Explorer
ntdll.dll 77f80000 495616 C:\WINNT\System32\ntdll.dll 5.00.2163.1 NT Layer DLL
ADVAPI32.DLL 77db0000 368640 C:\WINNT\system32\ADVAPI32.DLL 5.00.2191.1 Advanced Windows 32 Base API
KERNEL32.DLL 77e80000 745472 C:\WINNT\system32\KERNEL32.DLL 5.00.2191.1 Windows NT BASE API Client DLL
RPCRT4.DLL 77d40000 454656 C:\WINNT\system32\RPCRT4.DLL 5.00.2193.1 Remote Procedure Call Runtime
GDI32.DLL 77f40000 245760 C:\WINNT\system32\GDI32.DLL 5.00.2180.1 GDI Client DLL
USER32.DLL 77e10000 413696 C:\WINNT\system32\USER32.DLL 5.00.2180.1 Windows 2000 USER API Client DLL
SHLWAPI.DLL 77c70000 303104 C:\WINNT\system32\SHLWAPI.DLL 5.00.2920.0000 Shell Light-weight Utility Library
COMCTL32.DLL 77b50000 565248 C:\WINNT\system32\COMCTL32.DLL 5.81 Common Controls Library
SHELL32.dll 775a0000 2359296 C:\WINNT\system32\SHELL32.dll 5.00.2920.0000 Windows Shell Common Dll
OLE32.DLL 77a50000 1003520 C:\WINNT\system32\OLE32.DLL 5.00.2181.1 Microsoft OLE for Windows
CLBCATQ.DLL 77cc0000 524288 C:\WINNT\System32\CLBCATQ.DLL 1999.9.3422.14
OLEAUT32.DLL 779b0000 610304 C:\WINNT\system32\OLEAUT32.DLL 2.40.4512
MSVCRT.DLL 78000000 286720 C:\WINNT\system32\MSVCRT.DLL 6.10.8637.0 Microsoft ® C Runtime Library
SHDOCVW.DLL 76c80000 1114112 C:\WINNT\System32\SHDOCVW.DLL 5.00.2920.0000 Shell Doc Object and Control Library
browseui.dll 76e10000 819200 C:\WINNT\System32\browseui.dll 5.00.2920.0000 Shell Browser UI Library
USERENV.DLL 77c10000 380928 C:\WINNT\System32\USERENV.DLL 5.00.2185.1 Userenv
URLMON.DLL 76b90000 450560 C:\WINNT\system32\URLMON.DLL 5.00.2920.0000 OLE32 Extensions for Win32
VERSION.DLL 77820000 28672 C:\WINNT\system32\VERSION.DLL 5.00.2134.1 Version Checking and File Installation Libraries
LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2134.1 LZ Expand/Compress API DLL
mlang.dll 75d50000 532480 C:\WINNT\System32\mlang.dll 5.00.2920.0000 Multi Language Support DLL
mshtml.dll 75af0000 2371584 C:\WINNT\System32\mshtml.dll 5.00.2920.0000 Microsoft ® HTML Viewer
WININET.DLL 76c00000 475136 C:\WINNT\system32\WININET.DLL 5.00.2920.0000 Internet Extensions for Win32
RASAPI32.DLL 774e0000 204800 C:\WINNT\System32\RASAPI32.DLL 5.00.2188.1 Remote Access API
RASMAN.DLL 774c0000 69632 C:\WINNT\System32\RASMAN.DLL 5.00.2188.1 Remote Access Connection Manager
WS2_32.DLL 75030000 81920 C:\WINNT\System32\WS2_32.DLL 5.00.2134.1 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 75020000 32768 C:\WINNT\System32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
TAPI32.DLL 77530000 139264 C:\WINNT\System32\TAPI32.DLL 5.00.2182.1 Microsoft® Windows™ Telephony API Client DLL
RTUTILS.DLL 77830000 57344 C:\WINNT\System32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
sensapi.dll 75ab0000 20480 C:\WINNT\System32\sensapi.dll 5.00.2163.1 SENS Connectivity API DLL
NETSHELL.dll 76f20000 479232 C:\WINNT\system32\NETSHELL.dll 5.00.2176.1 Network Connections Shell
webcheck.dll 76680000 266240 C:\WINNT\System32\webcheck.dll 5.00.2920.0000 Web Site Monitor
stobject.dll 766d0000 98304 C:\WINNT\System32\stobject.dll 5.00.2144.1 Systray shell service object
BATMETER.DLL 76740000 32768 C:\WINNT\System32\BATMETER.DLL 5.00.2920.0000 Battery Meter Helper DLL
SETUPAPI.DLL 77890000 577536 C:\WINNT\System32\SETUPAPI.DLL 5.00.2183.1 Windows Setup API
POWRPROF.DLL 766f0000 28672 C:\WINNT\System32\POWRPROF.DLL 5.00.2920.0000 Power Profile Helper DLL
WINMM.DLL 77570000 196608 C:\WINNT\System32\WINMM.DLL 5.00.2161.1 MCI API DLL
MSI.DLL 770f0000 2084864 C:\WINNT\System32\MSI.DLL 2.0.2600.2 Windows Installer
netapi32.dll 75170000 323584 C:\WINNT\System32\netapi32.dll 5.00.2194.1 Net Win32 API DLL
SECUR32.DLL 77be0000 61440 C:\WINNT\System32\SECUR32.DLL 5.00.2154.1 Security Support Provider Interface
NETRAP.DLL 751c0000 24576 C:\WINNT\System32\NETRAP.DLL 5.00.2134.1 Net Remote Admin Protocol DLL
SAMLIB.DLL 75150000 61440 C:\WINNT\System32\SAMLIB.DLL 5.00.2160.1 SAM Library DLL
WLDAP32.DLL 77950000 167936 C:\WINNT\system32\WLDAP32.DLL 5.00.2168.1 Win32 LDAP API DLL
DNSAPI.DLL 77980000 147456 C:\WINNT\System32\DNSAPI.DLL 5.00.2181.1 DNS Client API DLL
WSOCK32.DLL 75050000 32768 C:\WINNT\System32\WSOCK32.DLL 5.00.2152.1 Windows Socket 32-Bit DLL
cscui.dll 77850000 245760 C:\WINNT\System32\cscui.dll 5.00.2172.1 Client Side Caching UI
CSCDLL.DLL 770c0000 143360 C:\WINNT\System32\CSCDLL.DLL 5.00.2189.1 Offline Network Agent
LINKINFO.DLL 76710000 36864 C:\WINNT\System32\LINKINFO.DLL 5.00.2134.1 Windows Volume Tracking
ntshrui.dll 76fa0000 61440 C:\WINNT\System32\ntshrui.dll 5.00.2134.1 Shell extensions for sharing
ATL.DLL 773e0000 73728 C:\WINNT\System32\ATL.DLL 3.00.8449 ATL Module for Windows NT (Unicode)
wdmaud.drv 77560000 36864 C:\WINNT\System32\wdmaud.drv 5.00.2147.1 WDM Audio driver mapper
msacm32.drv 77400000 32768 C:\WINNT\System32\msacm32.drv 5.00.2134.1 Microsoft Sound Mapper
MSACM32.dll 77410000 77824 C:\WINNT\System32\MSACM32.dll 5.00.2134.1 Microsoft ACM Audio Filter
mydocs.dll 76df0000 69632 C:\WINNT\System32\mydocs.dll 5.00.2920.0000 My Documents Folder UI
shdoclc.dll 76d90000 339968 C:\WINNT\System32\shdoclc.dll 5.00.2920.0000 Shell Doc Object and Control Library
MPR.DLL 75090000 65536 C:\WINNT\system32\MPR.DLL 5.00.2146.1 Multiple Provider Router DLL
ntlanman.dll 75160000 49152 C:\WINNT\System32\ntlanman.dll 5.00.2157.1 Microsoft® Lan Manager
NETUI0.DLL 75210000 86016 C:\WINNT\System32\NETUI0.DLL 5.00.2134.1 NT LM UI Common Code - GUI Classes
NETUI1.DLL 751d0000 229376 C:\WINNT\System32\NETUI1.DLL 5.00.2134.1 NT LM UI Common Code - Networking classes
MSLS31.DLL 75ac0000 163840 C:\WINNT\System32\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file
IMM32.DLL 75e60000 106496 C:\WINNT\System32\IMM32.DLL 5.00.2180.1 Windows 2000 IMM32 API Client DLL
docprop2.dll 71f00000 315392 C:\WINNT\System32\docprop2.dll 5.00.2178.1 DocProp2
MSVFW32.DLL 6a8f0000 131072 C:\WINNT\System32\MSVFW32.DLL 5.00.2134.1 Microsoft Video for Windows DLL
AVIFIL32.DLL 74870000 90112 C:\WINNT\System32\AVIFIL32.DLL 5.00.2134.1 Microsoft AVI File support library
faxshell.dll 70020000 20480 C:\WINNT\system32\faxshell.dll 5.00.2134.1 Fax Tiff Data Column Provider
browselc.dll 76ee0000 45056 C:\WINNT\System32\browselc.dll 5.00.2920.0000 Shell Browser UI Library
CRYPT32.dll 77440000 491520 C:\WINNT\System32\CRYPT32.dll 5.131.2173.1 Crypto API32
MSASN1.DLL 77430000 65536 C:\WINNT\System32\MSASN1.DLL 5.00.2134.1 ASN.1 Runtime APIs
WINTRUST.dll 76930000 176128 C:\WINNT\System32\WINTRUST.dll 5.131.2143.1 Microsoft Trust Verification APIs
IMAGEHLP.dll 77920000 139264 C:\WINNT\system32\IMAGEHLP.dll 5.00.2195.1 Windows NT Image Helper
msadp32.acm 75d40000 24576 C:\WINNT\System32\msadp32.acm 5.00.2134.1 Microsoft ADPCM CODEC for MSACM
USP10.DLL 66650000 344064 C:\WINNT\System32\USP10.DLL 1.0325.2180.1 Uniscribe Unicode script processor
wzshlext.dll 10000000 45056 C:\PROGRA~1\WinZip\wzshlext.dll
CRTDLL.dll 74fa0000 159744 C:\WINNT\System32\CRTDLL.dll 4.00 Microsoft C Runtime Library
WZCAB2.DLL 40000000 36864 C:\PROGRA~1\WINZIP\WZCAB2.DLL 2, 0, 0, 0 WinZip CAB Detection and Extractor
SDHelper.dll 3450000 765952 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 3, 0, 12 Bad download blocker
olepro32.dll 695e0000 167936 C:\WINNT\System32\olepro32.dll 5.0.4512
webvw.dll 658f0000 1130496 C:\WINNT\System32\webvw.dll 5.00.2920.0000 Shell WebView Content & Control Library


log 2
------

Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 Internet Explorer
ntdll.dll 77f80000 495616 C:\WINNT\System32\ntdll.dll 5.00.2163.1 NT Layer DLL
msvcrt.dll 78000000 286720 C:\WINNT\system32\msvcrt.dll 6.10.8637.0 Microsoft ® C Runtime Library
KERNEL32.dll 77e80000 745472 C:\WINNT\system32\KERNEL32.dll 5.00.2191.1 Windows NT BASE API Client DLL
USER32.dll 77e10000 413696 C:\WINNT\system32\USER32.dll 5.00.2180.1 Windows 2000 USER API Client DLL
GDI32.DLL 77f40000 245760 C:\WINNT\system32\GDI32.DLL 5.00.2180.1 GDI Client DLL
SHLWAPI.dll 77c70000 303104 C:\WINNT\system32\SHLWAPI.dll 5.00.2920.0000 Shell Light-weight Utility Library
ADVAPI32.DLL 77db0000 368640 C:\WINNT\system32\ADVAPI32.DLL 5.00.2191.1 Advanced Windows 32 Base API
RPCRT4.DLL 77d40000 454656 C:\WINNT\system32\RPCRT4.DLL 5.00.2193.1 Remote Procedure Call Runtime
SHDOCVW.dll 76c80000 1114112 C:\WINNT\System32\SHDOCVW.dll 5.00.2920.0000 Shell Doc Object and Control Library
COMCTL32.DLL 77b50000 565248 C:\WINNT\system32\COMCTL32.DLL 5.81 Common Controls Library
SHELL32.DLL 775a0000 2359296 C:\WINNT\system32\SHELL32.DLL 5.00.2920.0000 Windows Shell Common Dll
ole32.dll 77a50000 1003520 C:\WINNT\system32\ole32.dll 5.00.2181.1 Microsoft OLE for Windows
BROWSEUI.dll 76e10000 819200 C:\WINNT\System32\BROWSEUI.dll 5.00.2920.0000 Shell Browser UI Library
CLBCATQ.DLL 77cc0000 524288 C:\WINNT\System32\CLBCATQ.DLL 1999.9.3422.14
OLEAUT32.DLL 779b0000 610304 C:\WINNT\system32\OLEAUT32.DLL 2.40.4512
browselc.dll 76ee0000 45056 C:\WINNT\System32\browselc.dll 5.00.2920.0000 Shell Browser UI Library
WININET.DLL 76c00000 475136 C:\WINNT\system32\WININET.DLL 5.00.2920.0000 Internet Extensions for Win32
cscui.dll 77850000 245760 C:\WINNT\System32\cscui.dll 5.00.2172.1 Client Side Caching UI
CSCDLL.DLL 770c0000 143360 C:\WINNT\System32\CSCDLL.DLL 5.00.2189.1 Offline Network Agent
