HJT Log -- Home page changed to Home Search


15 replies to this topic

#1 icetea

Posted 06 November 2004 - 04:55 PM

Hello guys,

My home page was hijacked. It is always changed to Home Search (the URL displays "about:blank") and a lot of ads pop up. I tried everything to fix it but failed.

The following is the log of HijackThis, thank you for your help in advance.

Logfile of HijackThis v1.98.2
Scan saved at 4:32:26 PM, on 11/6/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\addxu32.dll:ifckf
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ipkv32.exe
C:\Program Files\Navnt\navapw32.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bbviz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bbviz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\bbviz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bbviz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bbviz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bbviz.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bbviz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {DD628CAC-5521-53A0-B511-FD483C169D76} - C:\WINNT\system32\ipkv32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [winyz.exe] C:\WINNT\system32\winyz.exe
O4 - HKLM\..\Run: [ogdkajpmmj] C:\WINNT\System32\npkjvc.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [windb32.exe] C:\WINNT\system32\windb32.exe
O4 - HKLM\..\Run: [sysxg.exe] C:\WINNT\system32\sysxg.exe
O4 - HKLM\..\Run: [ipvs.exe] C:\WINNT\system32\ipvs.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.3.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [ipkv32.exe] C:\WINNT\system32\ipkv32.exe
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.5.3.0\HbInst.exe /Upgrade
O4 - HKCU\..\Run: [Paro] C:\Documents and Settings\Yan Li\Application Data\umh?.exe
O4 - HKCU\..\Run: [Upiztufo] C:\WINNT\System32\w?nlogon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ra.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SCGTEAM.ORG
O17 - HKLM\System\CCS\Services\Tcpip\..\{19845770-851B-45B9-91F0-6A0DE2ACD2A2}: NameServer = 10.241.64.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E737FCF-ED6A-43CB-A7BE-72B039AC2266}: NameServer = 100.100.20.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C32B8563-B1A0-4886-A5D7-8B01D1833E18}: NameServer = 10.241.64.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SCGTEAM.ORG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SCGTEAM.ORG
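Added example, not part of the original post and not HijackThis code: a small Python triage pass over a log in the HijackThis 1.98 format, run against a constructed excerpt with the same shape as the log above. It pulls out the indicators a responder would mark in this log: a running process whose image path is an NTFS alternate data stream (the C:\WINNT\addxu32.dll:ifckf form, a second colon after the drive letter), Internet Explorer search settings redirected into a DLL resource through res://, the default page forced to about:blank, the missing URLSearchHook, a BHO with no name, a Run value that is named after its own file, a file name HijackThis printed with a '?' (a character it could not render, in an entry that imitates winlogon.exe), and an O16 entry loading an executable from a local file:// path. The regular expressions and the "named after its own file" rule are my own heuristics, not HijackThis's.

```python
"""Triage of a HijackThis 1.98-format log (added example; not HijackThis code)."""
import re
from typing import List, Tuple

# Constructed excerpt in the shape of the log above (not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\addxu32.dll:ifckf
C:\WINNT\system32\ipkv32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bbviz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {DD628CAC-5521-53A0-B511-FD483C169D76} - C:\WINNT\system32\ipkv32.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [winyz.exe] C:\WINNT\system32\winyz.exe
O4 - HKCU\..\Run: [Upiztufo] C:\WINNT\System32\w?nlogon.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ra.exe
"""

# A second ':' after the drive colon, with no '\' after it, marks an NTFS
# alternate data stream such as C:\WINNT\addxu32.dll:ifckf.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\/:\s]+$")
R_RE = re.compile(r"^R[01] - (?P<key>.*?) = (?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}.*? - (?P<url>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)


def is_ads_path(path: str) -> bool:
    return bool(ADS_RE.match(path.strip()))


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for lines a responder should look at."""
    findings: List[Tuple[str, str]] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if is_ads_path(line):
                findings.append((line, "process image is an NTFS alternate data stream"))
            continue
        m = R_RE.match(line)
        if m:
            key, value = m.group("key").lower(), m.group("value").lower()
            if value.startswith("res://") and ".dll" in value:
                findings.append((line, "IE search setting points into a DLL resource (res://)"))
            elif value == "about:blank" and "default_page_url" in key:
                findings.append((line, "default page forced to about:blank"))
            continue
        if line.startswith("R3 -") and "missing" in line:
            findings.append((line, "default URLSearchHook has been removed"))
            continue
        m = O2_RE.match(line)
        if m:
            if m.group("name") == "(no name)":
                findings.append((line, "BHO with no name"))
            continue
        m = O4_RE.match(line)
        if m:
            exe_m = EXE_RE.match(m.group("cmd"))
            exe = exe_m.group("exe") if exe_m else m.group("cmd")
            base = exe.rsplit("\\", 1)[-1]
            if "?" in base:
                findings.append((line, "file name contains a character HijackThis could not print"))
            elif base.lower() == m.group("name").lower():
                findings.append((line, "Run value is named after its own file (heuristic)"))
            continue
        m = O16_RE.match(line)
        if m and m.group("url").lower().startswith("file://"):
            findings.append((line, "ActiveX object loaded from a local file:// path"))
    return findings


if __name__ == "__main__":
    for hit, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {hit}")
```

The script only narrows a log to the lines worth a closer look; the Acrobat BHO and the Synchronization Manager entry pass through untouched, and a Run entry with a random value name such as [ogdkajpmmj] is not caught by these rules, so the output is a starting point for a reviewer rather than a verdict.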

#2 Daisuke (Cleaner on Duty)

Posted 07 November 2004 - 03:26 PM

Your log shows that you are seriously behind on Windows updates. It is essential that you update your Windows before we continue to help you, as the infections could recur. Go to http://www.windowsupdate.com and if it asks to install software, let it. Then click on the Scan link and let it do its thing. When it's done you will see on your left a section called Critical Updates. Click on that section and install everything that you can. When it prompts you to reboot, do so. Then repeat this process again until there are no more critical updates listed.

Install Service Pack 4 and all critical updates.

After the installation of the last update make sure you REBOOT the computer, run HijackThis again and post a new log please.

Download this: Getservices.zip

Extract the file to the C:\ drive. Then navigate to the C:\getservices folder and double-click on the getservices.bat file. A Notepad window will open. Please paste the contents of that Notepad window as a reply to this post.

The trojan mutates on every reboot.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the service will have changed and the fix provided will not work.
Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?
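Added example, not part of Daisuke's reply and not code from the Getservices package or from PsService: a Python parser for the PsService listing that getservices.bat produces, with the checks that single out a service of the kind described here. The sample listing is constructed in PsService's format (abridged, with real field names): one clean service, one legitimate service with a (null) description, and one that has the traits of the mutating service in this thread. It flags a BINARY_PATH_NAME that is an NTFS alternate data stream (a file.ext:stream path, the form the rogue service takes in the output posted later in this thread), a SERVICE_NAME with non-printable or non-ASCII characters, and an auto-start service with no description. The last check is weak on its own; the ScriptBlocking Service from Norton AntiVirus trips it too, which is why the three signals are reported together rather than as separate alerts. The argument-stripping in image_path is my own heuristic.

```python
"""Parser and triage for PsService output, such as getservices.bat produces
(added example; not part of Getservices or PsService)."""
import re
from typing import Dict, List, Tuple

# Constructed, abridged listing in PsService's format: one clean service, one
# legitimate service with a (null) description, and one of the kind described
# in this thread (auto-start, null description, image inside an NTFS stream).
SAMPLE_OUTPUT = r"""
PsService v1.1 - local and remote services viewer/controller

SERVICE_NAME: BITS
Transfers files in the background using idle network bandwidth.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k BITSgroup
DISPLAY_NAME : Background Intelligent Transfer Service
DEPENDENCIES : LanmanWorkstation
: Rpcss
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SBService
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
DISPLAY_NAME : ScriptBlocking Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: O?rtȲ$
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\DirectX.log:cajpg /s
DISPLAY_NAME : Network Security Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
"""

FIELD_RE = re.compile(r"^([A-Z_]+)\s*:\s?(.*)$")   # e.g. "START_TYPE : 2 AUTO_START"
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\/:\s]+$")  # file.ext:stream after the drive colon


def parse_psservice(text: str) -> List[Dict[str, str]]:
    """Split PsService output into one dict per SERVICE_NAME record."""
    services: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    last_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "SERVICE_NAME":
                cur = {"SERVICE_NAME": value, "DESCRIPTION": ""}
                services.append(cur)
            elif cur:
                cur[key] = value
            last_key = key
        elif not cur:
            continue                      # banner lines before the first record
        elif line.startswith(":"):        # continuation of a multi-line field
            cur[last_key] = (cur.get(last_key, "") + " " + line[1:].strip()).strip()
        elif last_key == "SERVICE_NAME":  # the free-text description line
            cur["DESCRIPTION"] = line
            last_key = "DESCRIPTION"
    return services


def image_path(binary_path_name: str) -> str:
    """Strip quotes or an argument tail (' -k ...', ' /s') from the image path (heuristic)."""
    s = binary_path_name.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    cut = len(s)
    for sep in (" /", " -"):
        i = s.find(sep)
        if i != -1:
            cut = min(cut, i)
    return s[:cut]


def is_ads_path(path: str) -> bool:
    return bool(ADS_RE.match(path))


def triage_services(services: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (service name, image path, reasons) for services worth a look."""
    findings = []
    for svc in services:
        name = svc["SERVICE_NAME"]
        image = image_path(svc.get("BINARY_PATH_NAME", ""))
        reasons = []
        if is_ads_path(image):
            reasons.append("image lives in an NTFS alternate data stream")
        if any(ord(c) < 32 or ord(c) > 126 for c in name):
            reasons.append("service name contains non-printable or non-ASCII characters")
        if svc["DESCRIPTION"] in ("", "(null)") and "AUTO_START" in svc.get("START_TYPE", ""):
            reasons.append("auto-start service with no description (weak on its own)")
        if reasons:
            findings.append((name, image, reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in triage_services(parse_psservice(SAMPLE_OUTPUT)):
        print(f"{name!r} -> {image}\n    " + "\n    ".join(reasons))
```

Because the service is re-created under a new name on each boot, the value of the listing is the SERVICE_NAME and BINARY_PATH_NAME as they exist right now; the name the parser extracts is the one a removal step would have to target, which is why Daisuke asks for no reboot between the listing and the fix.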

#3 icetea (Topic Starter)

Posted 15 November 2004 - 11:37 AM

Hi, cryo,

Thank you very very much for your help!

As you suggested, I installed Service Pack 4 and all critical updates from www.windowupdate.com. Then, after rebooting, I ran HijackThis and got the following new log:

*********************************
Logfile of HijackThis v1.98.2
Scan saved at 11:13:42 AM, on 11/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\DirectX.log:cajpg
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hotbar\bin\4.5.3.0\WeatherOnTray.exe
C:\WINNT\javalx.exe
C:\Program Files\Hotbar\bin\4.5.3.0\HbInst.exe
C:\WINNT\System32\w?nlogon.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\tspaa.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\tspaa.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\tspaa.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\tspaa.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\tspaa.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\tspaa.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\tspaa.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {262481AF-5393-435C-E410-67344733C8A1} - C:\WINNT\system32\apiht32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [winyz.exe] C:\WINNT\system32\winyz.exe
O4 - HKLM\..\Run: [ogdkajpmmj] C:\WINNT\System32\npkjvc.exe
O4 - HKLM\..\Run: [windb32.exe] C:\WINNT\system32\windb32.exe
O4 - HKLM\..\Run: [sysxg.exe] C:\WINNT\system32\sysxg.exe
O4 - HKLM\..\Run: [ipvs.exe] C:\WINNT\system32\ipvs.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.3.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [javalx.exe] C:\WINNT\javalx.exe
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.5.3.0\HbInst.exe /Upgrade
O4 - HKCU\..\Run: [Paro] C:\Documents and Settings\Yan Li\Application Data\umh?.exe
O4 - HKCU\..\Run: [Upiztufo] C:\WINNT\System32\w?nlogon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwga.ops.placeware.com/etc/place/...quicksilver.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SCGTEAM.ORG
O17 - HKLM\System\CCS\Services\Tcpip\..\{19845770-851B-45B9-91F0-6A0DE2ACD2A2}: NameServer = 10.241.64.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E737FCF-ED6A-43CB-A7BE-72B039AC2266}: NameServer = 100.100.20.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C32B8563-B1A0-4886-A5D7-8B01D1833E18}: NameServer = 10.241.64.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SCGTEAM.ORG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SCGTEAM.ORG

************************************


Then I ran getservices.bat on my C drive. The following is the contents of that Notepad window:
============================

PsService v1.1 - local and remote services viewer/controller
Copyright © 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alerter
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Management
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k BITSgroup
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Background Intelligent Transfer Service
DEPENDENCIES : LanmanWorkstation
: Rpcss
: SENS
: Wmi
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Browser
Maintains an up-to-date list of computers on your network and supplies the list to programs that request it.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Computer Browser
DEPENDENCIES : LanmanWorkstation
: LanmanServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: cisvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\cisvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Indexing Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\clipsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ClipBook
DEPENDENCIES : NetDDE
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Administrative service for disk management requests
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\dmadmin.exe /com
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager Administrative Service
DEPENDENCIES : RpcSs
: PlugPlay
: DmServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Logical Disk Manager Watchdog Service
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager
DEPENDENCIES : RpcSs
: PlugPlay
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP : Event log
TAG : 0
DISPLAY_NAME : Event Log
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Provides automatic distribution of events to subscribing COM components.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : COM+ Event System
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Fax
Helps you send and receive faxes
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\faxsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fax Service
DEPENDENCIES : TapiSrv
: RpcSs
: PlugPlay
: Spooler
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Provides RPC support and file, print, and named pipe sharing.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Server
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Provides network connections and communications.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : Workstation
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper Service
DEPENDENCIES : NetBT
: Afd
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Messenger
Sends and receives messages transmitted by administrators or by the Alerter service.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Messenger
DEPENDENCIES : LanmanWorkstation
: NetBIOS
: RpcSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Allows authorized people to remotely access your Windows desktop using NetMeeting.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\mnmsrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetMeeting Remote Desktop Sharing
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\msdtc.exe
LOAD_ORDER_GROUP : MS Transactions
TAG : 0
DISPLAY_NAME : Distributed Transaction Coordinator
DEPENDENCIES : RPCSS
: SamSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSIServer
Installs, repairs and removes software according to instructions contained in .MSI files.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\MsiExec.exe /V
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Installer
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NAV Alert
Norton AntiVirus alert service.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRA~1\Navnt\alertsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NAV Alert
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NAV Auto-Protect
Norton AntiVirus Auto-Protect service.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRA~1\Navnt\navapsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NAV Auto-Protect
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for dynamic data exchange (DDE).
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\netdde.exe
LOAD_ORDER_GROUP : NetDDEGroup
TAG : 0
DISPLAY_NAME : Network DDE
DEPENDENCIES : NetDDEDSDM
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages shared dynamic data exchange and is used by Network DDE
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\netdde.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network DDE DSDM
DEPENDENCIES :
: EGrLocalSystem
: Network DDE DSDM
: etwork DDE
: ted Transaction Coordinator
: trative Service
: `
: 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe
LOAD_ORDER_GROUP : RemoteValidation
TAG : 0
DISPLAY_NAME : Net Logon
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Connections
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Norton Program Scheduler
Norton Program Scheduler service.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRA~1\Navnt\npssvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Norton Program Scheduler
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NT LM Security Support Provider
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
Manages removable media, drives, and libraries.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Removable Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: O?rtȲ$
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\DirectX.log:cajpg /s
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Security Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Manages device installation and configuration and notifies programs of device changes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Plug and Play
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IPSEC Policy Agent
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Protected Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Auto Connection Manager
DEPENDENCIES : RasMan
: Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Connection Manager
DEPENDENCIES : Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Routing and Remote Access
DEPENDENCIES : RpcSS
: +NetBIOSGroup
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteRegistry
Allows remote registry manipulation.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\regsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Registry Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Restart DELAY: 1000 seconds

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\locator.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Locator
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\svchost -k rpcss
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC)
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\rsvp.exe -s
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : QoS RSVP
DEPENDENCIES : TcpIp
: Afd
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Security Accounts Manager
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SBService
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ScriptBlocking Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardDrv
Provides support for legacy smart card readers attached to the computer.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\System32\SCardSvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smart Card Helper
DEPENDENCIES : +Smart Card Reader
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardSvr
Manages and controls access to a smart card inserted into a smart card reader attached to the computer.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\System32\SCardSvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smart Card
DEPENDENCIES : PlugPlay
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Schedule
Enables a program to run at a designated time.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\MSTask.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Task Scheduler
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : RunAs Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : System Event Notification
DEPENDENCIES : EventSystem
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Internet Connection Sharing
DEPENDENCIES : RasMan
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Configures performance logs and alerts.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\smlogsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Performance Logs and Alerts
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telephony
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TlntSvr
Allows a remote user to log on to the system and run console programs using the command line.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\tlntsvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telnet
DEPENDENCIES : RpcSs
: TcpIp
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TrkWks
Sends notifications of files moving between NTFS volumes in a network domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Distributed Link Tracking Client
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\ups.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Uninterruptible Power Supply
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UtilMan
Starts and configures accessibility tools from one window
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\UtilMan.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Utility Manager
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Visual Studio Analyzer RPC bridge
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Visual Studio Analyzer RPC bridge
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: W32Time
Sets the computer clock.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Time
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WinMgmt
Provides system management information.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\System32\WBEM\WinMgmt.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: Wmi
Provides systems management information to and from drivers.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\Services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation Driver Extensions
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\svchost.exe -k wugroup
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Automatic Updates
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
Provides authenticated network access control using IEEE 802.1x for wired and wireless Ethernet networks.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wireless Configuration
DEPENDENCIES : RpcSs
: Ndisuio
: ProtectedStorage
: WMI
SERVICE_START_NAME: LocalSystem

=======================================

cryo, hope you can help me figure them out. I greatly appreciate your help.


icetea

#4 Daisuke
    Cleaner on Duty
  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 15 November 2004 - 02:04 PM

Hi

You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply.

This is very important! Internet Explorer should remain closed during the cleanup. If you open Internet Explorer the fix will fail. (Steps 1 - 8)

Please make sure that you can view all hidden files:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known file types and Hide protected operating system files.
How to see hidden files in Windows

Please download About:Buster from here: About:Buster 4.0 Download. Once it is downloaded, extract all the files to c:\aboutbuster. We will use that program later in this process. Don't use it yet.

Download Ad-aware SE 1.05: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?'rtȲ$]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?'rtȲ$]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?'rtȲ$]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?'rtȲ$]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Step 1:

Go to Start -> Run and type Services.msc, then press the OK button. Look for a service called Network Security Service. Double click on that service and press the Stop button, and then set the Startup type to Disabled. Press OK, and close all the windows.

Step 2:

Press Ctrl-Alt-Delete to get into the Task Manager and end the following processes if they exist:

winyz.exe
npkjvc.exe
windb32.exe
sysxg.exe
ipvs.exe
javalx.exe


This is very important! Internet Explorer should remain closed during the cleanup. If you open Internet Explorer the fix will fail. (Steps 1 - 8)

Step 3:
Run HijackThis!, press "Scan" and tick the boxes next to all these, close all other windows and browsers, then press "Fix Checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\tspaa.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\tspaa.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\tspaa.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\tspaa.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\tspaa.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\tspaa.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\tspaa.dll/sp.html#28129
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {262481AF-5393-435C-E410-67344733C8A1} - C:\WINNT\system32\apiht32.dll

O4 - HKLM\..\Run: [winyz.exe] C:\WINNT\system32\winyz.exe
O4 - HKLM\..\Run: [ogdkajpmmj] C:\WINNT\System32\npkjvc.exe
O4 - HKLM\..\Run: [windb32.exe] C:\WINNT\system32\windb32.exe
O4 - HKLM\..\Run: [sysxg.exe] C:\WINNT\system32\sysxg.exe
O4 - HKLM\..\Run: [ipvs.exe] C:\WINNT\system32\ipvs.exe
O4 - HKLM\..\Run: [javalx.exe] C:\WINNT\javalx.exe
O4 - HKCU\..\Run: [Paro] C:\Documents and Settings\Yan Li\Application Data\umh?.exe
O4 - HKCU\..\Run: [Upiztufo] C:\WINNT\System32\w?nlogon.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)


Step 4:
Reboot your computer into Safe Mode.

I now need you to delete the following files:
C:\WINNT\system32\tspaa.dll <-- this file
C:\WINNT\system32\apiht32.dll <-- this file
C:\WINNT\system32\winyz.exe <-- this file
C:\WINNT\System32\npkjvc.exe <-- this file
C:\WINNT\system32\windb32.exe <-- this file
C:\WINNT\system32\sysxg.exe <-- this file
C:\WINNT\system32\ipvs.exe <-- this file
C:\WINNT\javalx.exe <-- this file
C:\Documents and Settings\Yan Li\Application Data\umh?.exe <-- this file

C:\WINNT\System32\w?nlogon.exe <-- this file Please read the note below
Note: You will see two files with the same name in the C:\WINNT\System32\ folder: winlogon.exe. One is bad and one is legitimate. Right-click on each file and select Properties. In the General tab the legitimate file has this Description: Windows NT Logon Application. Do not delete this file. The other one is bad. Delete it.

Delete this folder:
C:\Program Files\Ebates_MoeMoneyMaker\ <-- this folder

If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again.

Step 5:

Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

Step 6:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

When it has completed, move on to step 7.

Step 7:

Run AdAware, press the Start button, uncheck Scan for negligible risk entries, select Perform full system scan and press Next. Let AdAware remove anything it finds.

Step 8:

Clean out temporary and Temporary Internet Files. Go to Start -> Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Step 9:
Reboot your computer back to normal mode so that we can restore files that were deleted by this infection:
  • This infection deletes the windows file, shell.dll.
    If you are using XP, 2000, or NT please download shell.dll from here: shell-dll.zip. Once the file is downloaded, uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

    %windir%\system32
    %windir%\system
  • Download the Hoster from here. Press Restore Original Hosts and press OK. Exit Program. This will restore the original deleted Hosts file.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: SDHelper.zip and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start -> Run -> type regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.
Step 10:

Please check Internet Explorer settings:
Open Internet Explorer -> Tools -> Internet Options... -> click the Security tab -> click the Internet icon -> press the Custom Level... button.
Under ActiveX controls and plug-ins tick:
- Download signed ActiveX controls: Prompt
- Download unsigned ActiveX controls: Disable
- Initialize and script ActiveX controls not marked as safe: Disable
- Run ActiveX controls and plug-ins: Enable
- Script ActiveX controls marked safe for scripting: Prompt

Run an online antivirus scan at:
http://housecall.antivirus.com/
Please make sure that AutoClean is checked.

Reboot and post a new HJT log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#5 icetea
  • Topic Starter
  • Members
  • 8 posts

Posted 15 November 2004 - 04:16 PM

Now I've finished step 3 and just started step 4 from your last reply. Following step 4, I rebooted my laptop into Safe Mode, but the PROBLEM is I cannot log into my account in Safe Mode. I was told only the administrator of my company can log into Safe Mode since the laptop is my company's property.

So my question is: can I follow step 4 and continue the rest of the cleanup by rebooting my laptop into NORMAL MODE?

Thank you very much,

icetea

#6 Daisuke
    Cleaner on Duty
  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 15 November 2004 - 05:25 PM

can I follow the step 4 to continue the rest cleanup by reboot my laptop into NORMAL MODE

Try it.

If the trojan mutates you need to post a new log and a new GetServices log. And of course you need your admin :thumbsup:.

#7 icetea
  • Topic Starter
  • Members
  • 8 posts

Posted 15 November 2004 - 07:24 PM

Hi,

I really appreciate your help. The solution you provided is very helpful.

I continued step 4 by rebooting into NORMAL MODE. But I only found and deleted C:\WINNT\system32\tspaa.dll <-- this file
I didn't find the other 9 files listed in step 4. Seems the trojan mutated.
As for the folder C:\Program Files\Ebates_MoeMoneyMaker\ <-- this folder, I deleted it on a guess 2 months ago. :thumbsup:

Now I completed step 5. But during step 6, when I ran aboutbuster.exe, I got a pop-up window with the message:
"The feature you are trying to use is on a CD-ROM or other removable disk that is not available.
Insert the 'Office 2000 product' disk and click OK."
Seems there is a problem with the Microsoft Office 2000 installed on my laptop, right? Next I'm going to fix it.

So, I guess I have to post a new HijackThis log and a new GetServices log here. :trumpet: The spyware (about:blank) has bothered me for about 2 months. I know a lot of people suffer from it too. Really hate it!! :flowers: Hope I can get rid of it ASAP.

Thanks again for your help!

#8 Daisuke
    Cleaner on Duty
  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 15 November 2004 - 07:40 PM

Seems there is a problem about the Microsoft Office 2000 installed on my laptop, right? Next I'm going to fix it.

I'm not sure about this. Maybe About:Buster has a bug. I don't know.

Yes post a new HJT log.

Use this script please. Delete the other one (GetServices.exe):
Follow this link to download ServiceFilter: ServiceFilter download
or this link:
Service Filter download 2

Unzip the content to a folder, such as c:\ServiceFilter.

Navigate to c:\ServiceFilter folder and (double)click the ServiceFilter.vbs file.

If you have a script blocking program you will get a warning asking if you want to allow ServiceFilter.vbs to run. Allow the script to run.

Note: The script DOES NOT find bad services, it simply filters out what is known to be ok.

Follow the instructions on the screen and WordPad will open.

In WordPad click
Edit menu --> Select All
then
Edit menu --> Copy


Right click in the message area and click on the paste option to paste the log into the post.

#9 icetea
  • Topic Starter
  • Members
  • 8 posts

Posted 16 November 2004 - 10:20 AM

Hi,

Last night I finally finished all 10 steps you mentioned. Seems the trojan mutated. As I said in my reply, I only deleted one file in step 4. So by the end I still got about:blank and pop-up ads on my home page.

So as you suggested, this morning I ran HijackThis again and also ran ServiceFilter. Please find the two logs below:

*****************************
HijackThis Log
*****************************
Logfile of HijackThis v1.98.2
Scan saved at 9:57:23 AM, on 11/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\DirectX.log:cajpg
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hotbar\bin\4.5.3.0\WeatherOnTray.exe
C:\WINNT\system32\d3wj32.exe
C:\Program Files\Hotbar\bin\4.5.3.0\HbInst.exe
C:\Program Files\Navnt\navapw32.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Hotbar\bin\4.5.3.0\HbSrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\uvyyq.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\uvyyq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\uvyyq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\uvyyq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\uvyyq.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\uvyyq.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\uvyyq.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AC3BFD4F-F0E1-52F9-5C5F-E73A0F3F2AAC} - C:\WINNT\system32\ipww.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.3.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [d3wj32.exe] C:\WINNT\system32\d3wj32.exe
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.5.3.0\HbInst.exe /Upgrade
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwga.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SCGTEAM.ORG
O17 - HKLM\System\CCS\Services\Tcpip\..\{19845770-851B-45B9-91F0-6A0DE2ACD2A2}: NameServer = 10.241.64.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E737FCF-ED6A-43CB-A7BE-72B039AC2266}: NameServer = 100.100.20.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C32B8563-B1A0-4886-A5D7-8B01D1833E18}: NameServer = 10.241.64.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SCGTEAM.ORG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SCGTEAM.ORG
*******************************************************************

=====================
=====================
ServiceFilter Log
=====================
=====================
The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows 2000 Professional
Version: 5.0.2195 Service Pack 4
Nov 16, 2004 10:04:56 AM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: NAV Alert
Display Name: NAV Alert
Start Mode: Manual
Start Name: LocalSystem
Description: NAV ...
Service Type: Own Process
Path: c:\progra~1\navnt\alertsvc.exe
State: Running
Process ID: 892
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 2
Service Name: NAV Auto-Protect
Display Name: NAV Auto-Protect
Start Mode: Auto
Start Name: LocalSystem
Description: NAV ...
Service Type: Own Process
Path: c:\progra~1\navnt\navapsvc.exe
State: Running
Process ID: 516
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 3
Service Name: Norton Program Scheduler
Display Name: Norton Program Scheduler
Start Mode: Auto
Start Name: LocalSystem
Description: Norton Program ...
Service Type: Own Process
Path: c:\progra~1\navnt\npssvc.exe
State: Running
Process ID: 632
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 4
Service Name: O?rtȲ$
Display Name: Network Security Service (NSS)
Start Mode: Auto
Start Name: LocalSystem
Description: Network Security Service ...
Service Type: Share Process
Path: c:\winnt\directx.log:cajpg /s
State: Running
Process ID: 660
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #5
Service Name: SBService
Display Name: ScriptBlocking Service
Start Mode: Auto
Start Name: LocalSystem
Description: ScriptBlocking ...
Service Type: Own Process
Path: c:\program files\common files\symantec shared\script blocking\sbserv.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 6
Service Name: Visual Studio Analyzer RPC bridge
Display Name: Visual Studio Analyzer RPC bridge
Start Mode: Manual
Start Name: LocalSystem
Description: Visual Studio Analyzer RPC ...
Service Type: Own Process
Path: c:\program files\microsoft visual studio\common\tools\vs-ent98\vanalyzr\varpc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 61 Win32 services on this machine.
6 were unrecognized.

Script Execution Time: 23.01172 seconds.
=========================================

Greatly appreciate your help!!
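The two logs above carry the indicators the helper keys on in this thread: IE start and search values rewritten to a res:// URL inside a random DLL, a missing URLSearchHook, an unnamed BHO dropped directly under WINNT\system32, a Run value named after its own executable, a service whose binary lives in an NTFS alternate data stream (c:\winnt\directx.log:cajpg), and, in the earlier post, a w?nlogon.exe one character away from the real winlogon.exe. The following triage script is an added example, not part of the thread and not a feature of HijackThis or ServiceFilter: it walks HijackThis-style lines and flags exactly those patterns. The sample log is constructed from lines posted above (abbreviated), and every regex, the system-binary list and the "weak signal" rule are this example's own heuristics.

```python
"""
HijackThis log triage for the about:blank / "Network Security Service"
hijacker discussed in this thread.  Added example; the sample log is
constructed from the logs posted in the thread, and all rules are this
example's own heuristics rather than anything HijackThis ships.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample, abbreviated from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\DirectX.log:cajpg
C:\WINNT\system32\d3wj32.exe
C:\Program Files\Navnt\navapw32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\uvyyq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AC3BFD4F-F0E1-52F9-5C5F-E73A0F3F2AAC} - C:\WINNT\system32\ipww.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [d3wj32.exe] C:\WINNT\system32\d3wj32.exe
O4 - HKCU\..\Run: [Upiztufo] C:\WINNT\System32\w?nlogon.exe
"""

# IE start/search value rewritten to a res:// URL inside a DLL (sp.html#28129 above).
RES_URL = re.compile(r"=\s*res://\S+\.dll/", re.IGNORECASE)
# Drive path whose last component has a second ':' after the extension: an NTFS
# alternate data stream such as DirectX.log:cajpg, optionally followed by arguments.
ADS_PATH = re.compile(
    r"^[A-Za-z]:\\(?:[^\\:]+\\)*[^\\:]+?\.[A-Za-z0-9]+:[^\\:\s]+(?:\s.*)?$", re.IGNORECASE)
RUN = re.compile(r"^O4 - [^\[]*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
EXE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|pif|bat|cmd))"?(?=\s|$)', re.IGNORECASE)
# Assumed list of names worth protecting against one-character look-alikes.
SYSTEM_BINARIES = {"winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
                   "csrss.exe", "smss.exe", "explorer.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").split("\\")[-1]


def exe_path(cmd: str) -> str:
    """First executable in a Run command line, tolerating spaces in the path."""
    m = EXE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def is_ads_path(path: str) -> bool:
    return ADS_PATH.match(path.strip()) is not None


def lookalike_of(filename: str) -> Optional[str]:
    """System binary this name imitates: same length, exactly one character differs."""
    name = filename.lower()
    for real in sorted(SYSTEM_BINARIES):
        if len(real) == len(name) and sum(a != b for a, b in zip(real, name)) == 1:
            return real
    return None


def in_windows_dir(path: str) -> bool:
    p = path.lower()
    return "\\winnt\\" in p or "\\windows\\" in p


def check_path(path: str, line: str) -> List[Tuple[str, str]]:
    out = []
    if is_ads_path(path):
        out.append((line, "executable hidden in an NTFS alternate data stream"))
    real = lookalike_of(basename(path))
    if real:
        out.append((line, f"filename imitates {real}"))
    return out


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for every line matching a hijacker pattern."""
    findings: List[Tuple[str, str]] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:          # blank line ends the process list
                in_processes = False
                continue
            findings.extend(check_path(line, line))
            continue
        if line.startswith(("R0 -", "R1 -")) and RES_URL.search(line):
            findings.append((line, "IE start/search setting points to res:// inside a DLL"))
        elif line.startswith("R3 -") and "URLSearchHook is missing" in line:
            findings.append((line, "default URLSearchHook removed"))
        elif line.startswith("O2 -"):
            m = BHO.match(line)
            if m and m.group("name") == "(no name)" and in_windows_dir(m.group("path")):
                findings.append((line, "unnamed BHO loaded straight from the Windows directory"))
        elif line.startswith("O4 -"):
            m = RUN.match(line)
            if m:
                path = exe_path(m.group("cmd"))
                if m.group("name").lower() == basename(path).lower():
                    findings.append((line, "Run value named after its own executable (weak signal)"))
                findings.extend(check_path(path, line))
    return findings


if __name__ == "__main__":
    for hit, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {hit}")
```

Run it over a saved HijackThis log instead of the sample and the hits are the entries the helper lists for Step 3 and Step 4; the ADS rule also matches the Path line of the ServiceFilter output (c:\winnt\directx.log:cajpg /s), which is why the service had to be stopped and disabled before the file could go. A legitimate unnamed BHO under Program Files (SDHelper.dll in a later log) is deliberately not flagged, and the self-named Run value is only a weak signal to be read alongside the others.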

#10 Daisuke
    Cleaner on Duty
  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 16 November 2004 - 12:07 PM

Hi :thumbsup:

Please download and install the missing file:
http://www.javacoolsoftware.net/downloads/...ngfilesetup.exe

Please uninstall Hotbar from Add\Remove Programs.

You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply.

This is very important! Internet Explorer should remain closed during the cleanup. If you open Internet Explorer the fix will fail. (Steps 1 - 8)

Please make sure that you can view all hidden files:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known file types and Hide protected operating system files.
How to see hidden files in Windows

Please download About:Buster from here: About:Buster 4.0 Download. Once it is downloaded, extract all the files to c:\aboutbuster. We will use that program later in this process. Don't use it yet.

Download Ad-aware SE 1.05: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?'rtȲ$]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?'rtȲ$]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?'rtȲ$]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?'rtȲ$]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Step 1:

Go to Start -> Run and type Services.msc, then press the OK button. Look for a service called Network Security Service (NSS). Double click on that service and press the Stop button, and then set the Startup type to Disabled. Press OK, and close all the windows.

Step 2:

Press Ctrl-Alt-Delete to get into the Task Manager and end the following processes if they exist:

DirectX.log
d3wj32.exe


This is very important! Internet Explorer should remain closed during the cleanup. If you open Internet Explorer the fix will fail. (Steps 1 - 8)

Step 3:
Run HijackThis!, press "Scan" and tick the boxes next to all these, close all other windows and browsers, then press "Fix Checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\uvyyq.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\uvyyq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\uvyyq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\uvyyq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\uvyyq.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\uvyyq.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\uvyyq.dll/sp.html#28129
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {AC3BFD4F-F0E1-52F9-5C5F-E73A0F3F2AAC} - C:\WINNT\system32\ipww.dll

O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.3.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [d3wj32.exe] C:\WINNT\system32\d3wj32.exe
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.5.3.0\HbInst.exe /Upgrade


Step 4:
Reboot your computer into Safe Mode.

I now need you to delete the following files:
C:\WINNT\uvyyq.dll <-- this file
C:\WINNT\system32\ipww.dll <-- this file

Delete this folder:
C:\Program Files\Hotbar\ <-- this folder

If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again.

Step 5:

Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

Step 6:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

When it has completed, move on to step 7.

Step 7:

Run AdAware, press the Start button, uncheck Scan for negligible risk entries, select Perform full system scan and press Next. Let AdAware remove anything it finds.

Step 8:

Clean out temporary and Temporary Internet Files. Go to Start -> Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Step 9:
Reboot your computer back to normal mode so that we can restore files that were deleted by this infection:
  • This infection deletes the windows file, shell.dll.
    If you are using XP, 2000, or NT please download shell.dll from here: shell-dll.zip. Once the file is downloaded, uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

    %windir%\system32
    %windir%\system
  • Download the Hoster from here. Press Restore Original Hosts and press OK. Exit Program. This will restore the original deleted Hosts file.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: SDHelper.zip and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start -> Run -> type regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.
Step 10:

Please check Internet Explorer settings:
Open Internet Explorer -> Tools -> Internet Options... -> click the Security tab -> click the Internet icon -> press the Custom Level... button.
Under ActiveX controls and plug-ins tick:
- Download signed ActiveX controls: Prompt
- Download unsigned ActiveX controls: Disable
- Initialize and script ActiveX controls not marked as safe: Disable
- Run ActiveX controls and plug-ins: Enable
- Script ActiveX controls marked safe for scripting: Prompt

Run an online antivirus scan at:
http://housecall.antivirus.com/
Please make sure that AutoClean is checked.

Reboot and post a new HJT log please.

#11 icetea
  • Topic Starter
  • Members
  • 8 posts

Posted 16 November 2004 - 03:15 PM

Hi :flowers:

I've just finished all the steps you listed. Haha.. So far there is no "about:blank" and no ads anymore.

First of all, thank you very much for your help. The time and effort you put in are highly appreciated!

Second, before pasting my new HijackThis log, I have one question for you: During step 3 (run HijackThis), after pressing "Scan", I accidentally ticked all boxes and pressed "Fix Checked" for all of them. Is that OK? If not, how can I fix it? :thumbsup:


Third, here is the new HijackThis log:
**************************************
Logfile of HijackThis v1.98.2
Scan saved at 2:56:11 PM, on 11/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\explorer.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SCGTEAM.ORG
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SCGTEAM.ORG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SCGTEAM.ORG
******************************************************************

Thanks again!

#12 Daisuke
    Cleaner on Duty
  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 16 November 2004 - 03:18 PM

:thumbsup:

Start HijackThis, click Config...
Go to Backup
And restore all the entries present...
Reboot and now fix only those entries listed by me.

REBOOT and post a new log please.

Edited by cryo, 16 November 2004 - 03:20 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

#13 icetea

icetea
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:47 AM

Posted 16 November 2004 - 04:10 PM

:thumbsup:

Thank you very much for your quick reply!!

As you suggested, I restored all the good entries that I fixed today. After reboot, I got the following new HijackThis log:

*************************************
Logfile of HijackThis v1.98.2
Scan saved at 4:03:01 PM, on 11/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Navnt\navapw32.exe
C:\WINNT\explorer.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwga.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SCGTEAM.ORG
O17 - HKLM\System\CCS\Services\Tcpip\..\{19845770-851B-45B9-91F0-6A0DE2ACD2A2}: NameServer = 10.241.64.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E737FCF-ED6A-43CB-A7BE-72B039AC2266}: NameServer = 100.100.20.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C32B8563-B1A0-4886-A5D7-8B01D1833E18}: NameServer = 10.241.64.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SCGTEAM.ORG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SCGTEAM.ORG
******************************************************************

Thanks!!

#14 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:09:47 AM

Posted 16 November 2004 - 04:15 PM

Log looks clean...great job ! :thumbsup:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to disable and re-enable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

#15 icetea

icetea
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:47 AM

Posted 16 November 2004 - 07:07 PM

:thumbsup:

I'm so happy today since you helped me fix the "about:blank" problem that I suffered from for about two months. Thank you so so much!!

I still have one question for you. Now everything is fine except one thing: I'm not sure if it's ok or not:

-----Now whenever I open a webpage such as www.yahoo.com or hotmail.com, there always pops up a message window titled "Internet Explorer", the content of it is "A script is accessing some software (an ActiveX control) on this page which has been marked safe for scripting. Do you want to allow this?"

-----Also, whenever I open the cnn.com web page, I also get this kind of message titled "Microsoft Internet Explorer", the content is "Your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly"

Since the above messages pop up very often, my question is, do I have to click the OK button every time it pops up in order to proceed? It's annoying. How can I fix it?

Thanks again for your help!!
