
Ie Homepage Automatically Changed To Www.9991.com And Pop-up Problem


This topic is locked. 23 replies to this topic.

#1 Winnie_lai

  • Members
  • 13 posts

Posted 31 May 2006 - 02:23 PM

Hi, my IE homepage will automatically change to www.9991.com, and there are unwanted pop-ups from time to time, all to some Chinese website.
I have Symantec Antivirus and I've scanned the computer with Adware, Spybot, McAfee Stinger, and HijackThis as recommended, but the problem still exists.
Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:12:27 PM, on 5/31/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\acs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\SYSTEM32\RUNDLL32.EXE
c:\Program Files\Novadigm\radexecd.exe
c:\Program Files\Novadigm\radsched.exe
c:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\SYMANT~2\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\HP\IDA\IDA.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\HP\IDA\IDASched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Agilent\adci\adcist.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Omnipod\POD35\omnipod35.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avagotech.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://be.agilent.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Agilent Technologies, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy.ftc.avagotech.net:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.it.agilent.com;be.agilent.com;victor*.europe.agilent.com;erp*.corporate.agilent.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\WINNT\DOWNLO~1\gspec.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MacroMediapd - {B8CCDD47-38E4-4CD2-B7FA-3B4B690F74BD} - C:\WINNT\system32\microapmddt.dll
O2 - BHO: QuickBtn - {D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7} - C:\Program Files\CoolWebsite\QuickLink.dll
O3 - Toolbar: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\WINNT\DOWNLO~1\gspec.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IDA] C:\HP\IDA\IDA.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [adcius.exe] c:\agilent\adci\adcius.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\ACU\Utility\ACU.exe -nogui
O4 - HKLM\..\Run: [LAAM] c:\agilent\bin\runit c:\Agilent\bin\s_user.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINNT\system32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [Update] C:\Program Files\Common Files\UPDAT\Update.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [adcist.exe] c:\Agilent\adci\adcist.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: 实用网址导航 - {1D901067-2529-4A9B-9B6B-7A1DB3A44CB5} - C:\Program Files\CoolWebsite\QuickLink.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://be.agilent.com
O16 - DPF: i.Game MJImpressYHK - http://202.43.223.148/client/MJc/com/igame/MJImpressYHK.cab
O16 - DPF: {11865A2A-649F-4FA1-8B99-B97DF8070B7C} (IWSystemchecks Control) - http://avagotech.interwise.com/spgv4/Engli...ystemchecks.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwhc.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} (GlobalSpec Engineering Toolbar) - http://www.globalspec.com/engineering-toolbar/gspec.cab
O16 - DPF: {7A162288-DE78-473C-A6BA-23FF17F768E9} (AxWebInstaller Control) - http://avagotech.interwise.com/spgv4/appli...ebInstaller.cab
O16 - DPF: {B1D475FE-75CD-11D2-8301-0060B0B32E16} (ImpPKCS12 Class) - https://digitalbadge.it.agilent.com/vsimport.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://collaborate.webex.com/client/v_mywe...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = agilent.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: Domain = ftc.avagotech.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: NameServer = 10.11.0.242,10.10.32.242
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = agilent.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ftc.avagotech.net,cos.agilent.com,scs.agilent.com,soco.agilent.com,sjs.agilent.com,agilent.com,usa.agilent.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: Domain = ftc.avagotech.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: NameServer = 10.11.0.242,10.10.32.242
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = agilent.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cos.agilent.com,scs.agilent.com,soco.agilent.com,sjs.agilent.com,agilent.com,usa.agilent.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ftc.avagotech.net,cos.agilent.com,scs.agilent.com,soco.agilent.com,sjs.agilent.com,agilent.com,usa.agilent.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: PictureTaker - LANovation - C:\WINNT\System32\PCTKRNT.SYS
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - c:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - c:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - c:\Program Files\Novadigm\Radstgms.exe
O23 - Service: SAVRoam - symantec - C:\PROGRA~1\SYMANT~2\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Quest Resource Updating Agent (Vmover.exe) - Quest Software - C:\WINNT\System32\Vmover.exe

#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 01 June 2006 - 08:20 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

These are tricky because a rootkit hides the infection. I will need to gather some more information from your computer.

Open notepad and copy and paste this text in it:
cd\
cd WINNT\system32\drivers
REM list the drivers folder recursively, sorted by date, into a text file
DIR /s /o:d > drivers.txt
REM open the listing in the default text editor
start drivers.txt
cls
exit

Save this as drivers.bat, choosing to save it as *all files, and place it on your desktop.
Double-click on drivers.bat. A log should open up almost immediately. Copy this text and paste it here.


=============


Please download this file.
http://www.bleepingcomputer.com/files/spyware/getservice.zip

Extract the file to the c:\ drive. Then navigate to c:\getservices and double-click on the getservices.bat file. A log will open up. Please paste the contents of that notepad into this post.


=============


Now let's get rid of some of the malware that we can see.
Please download Ewido Security Suite; it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net/en/download/updates/

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.


Reboot your computer and post a new hijackthis log and the log from Ewido along with the other two logs requested.

Edited by Buckeye_Sam, 01 June 2006 - 08:22 AM.

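The getservices.bat step above produces PsService output: one "SERVICE_NAME:" block per service, a free-text description line, then "KEY : VALUE" lines. As an added example that is not part of the original thread or of Sysinternals' tools, here is a small Python triage script that parses that format and flags the entries a helper would open and check by hand; the sample log is abridged from the PsService output posted in this thread, and the netsvcs allow-list and the three heuristics are this example's own assumptions.

```python
"""Triage helper for PsService output.  Heuristics only: a flag means
"look at this file", not a verdict.  Added example, not thread code."""
import re
from dataclasses import dataclass, field

# Assumption: abridged list of services Windows 2000 itself runs inside
# "svchost.exe -k netsvcs"; extend it from a known-clean machine.
KNOWN_NETSVCS = {"eventsystem", "irmon", "netman", "ntmssvc", "rasauto",
                 "rasman", "remoteaccess", "seclogon", "sens", "wmi"}


@dataclass
class Service:
    name: str
    description: str = ""
    fields: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


def parse_psservice(text: str) -> list:
    """Split PsService output into Service records.  A line starting with
    ':' continues the previous key (multi-value DEPENDENCIES)."""
    services, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = Service(name=line.split(":", 1)[1].strip())
            services.append(current)
            last_key = "SERVICE_NAME"
            continue
        if current is None or not line:
            continue
        if line.startswith(":") and last_key in current.fields:
            joined = current.fields[last_key] + " " + line[1:].strip()
            current.fields[last_key] = joined.strip()
            continue
        m = re.match(r"^([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            last_key = m.group(1)
            current.fields[last_key] = m.group(2).strip()
        elif last_key == "SERVICE_NAME" and not current.description:
            current.description = line  # the free-text line, or "(null)"
    return services


def triage(svc: Service) -> list:
    """Append review flags to svc.flags and return them (empty = nothing odd)."""
    path = svc.fields.get("BINARY_PATH_NAME", "")
    low = path.lower()
    # rundll32 as a service binary means the real code is the DLL after it.
    m = re.search(r"(?i)rundll32\.exe\s+(.+)", path)
    if m:
        svc.flags.append("rundll32 launcher, inspect " + m.group(1))
    # svchost only hosts what its -k group registers; unknown names stand out.
    if "svchost.exe" in low and "-k netsvcs" in low \
            and svc.name.lower() not in KNOWN_NETSVCS:
        svc.flags.append("not a known netsvcs service")
    # On an English install a description in another script is worth a look.
    if any(ch.isalpha() and ord(ch) > 0x24F for ch in svc.description):
        svc.flags.append("description is not in Latin script")
    return svc.flags


def flagged_services(text: str) -> dict:
    """Map service name -> flags for every service that raised at least one."""
    result = {}
    for svc in parse_psservice(text):
        if triage(svc):
            result[svc.name] = svc.flags
    return result


# Constructed sample, abridged from the PsService output posted in this thread.
SAMPLE_LOG = r"""
PsService v1.1 - local and remote services viewer/controller

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Provides automatic distribution of events to subscribing COM components.
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Mercha2
提供网络基本安全机制,为通过拨号网络连接的家庭网络中所有计算机提供基本保护服务。
BINARY_PATH_NAME : C:\WINNT\SYSTEM32\RUNDLL32.EXE C:\WINNT\SYSTEM32\WBEM\IRJIT.DLL,Export 1087
DISPLAY_NAME : Internet Protect Service

SERVICE_NAME: Patterns
启用 HTTP 安全通讯管理服务,保护 Windows 的网络程序安全运行。无法终止此服务。
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
DISPLAY_NAME : HTTP Secure Manager
"""

if __name__ == "__main__":
    for name, flags in flagged_services(SAMPLE_LOG).items():
        print(name, "->", "; ".join(flags))
```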

#3 Winnie_lai

  • Topic Starter
  • Members
  • 13 posts

Posted 01 June 2006 - 09:37 AM

Hi Sam,

Here's the log from GetService you asked for.
By the way, I use a VPN on my computer, in case that makes any difference.

PsService v1.1 - local and remote services viewer/controller
Copyright © 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: ACS
Gives access to single sign on and a mechanism to communicate with the supplicant for security negotiation.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\system32\acs.exe
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Atheros Configuration Service
DEPENDENCIES : rpcSs
: MDC8021X
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alerter
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Management
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: aspnet_state
Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ASP.NET State Service
DEPENDENCIES :
SERVICE_START_NAME: .\ASPNET

SERVICE_NAME: Ati HotKey Poller
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\Ati2evxx.exe
LOAD_ORDER_GROUP : Event log
TAG : 0
DISPLAY_NAME : Ati HotKey Poller
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Transfers files in the background using idle network bandwidth. If the service is disabled, then any functions that depend on BITS, such as Windows Update or MSN Explorer will be unable to automatically download programs and other information.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k BITSgroup
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Background Intelligent Transfer Service
DEPENDENCIES : LanmanWorkstation
: Rpcss
: SENS
: Wmi
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Browser
Maintains an up-to-date list of computers on your network and supplies the list to programs that request it.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Computer Browser
DEPENDENCIES : LanmanWorkstation
: LanmanServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ccEvtMgr
Event propagation and logging service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
LOAD_ORDER_GROUP : Symantec Services
TAG : 0
DISPLAY_NAME : Symantec Event Manager
DEPENDENCIES : RPCSS
: ccSetMgr
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ccPwdSvc
User account management service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Symantec Password Validation
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ccSetMgr
Settings storage and management service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
LOAD_ORDER_GROUP : Symantec Services
TAG : 0
DISPLAY_NAME : Symantec Settings Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: cisvc
(null)
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\cisvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Indexing Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\clipsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ClipBook
DEPENDENCIES : NetDDE
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: CVPND
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cisco Systems, Inc. VPN Service
DEPENDENCIES : TCPIP
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: DefWatch
Monitors and maintains virus definitions.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files\Symantec AntiVirus\DefWatch.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Symantec AntiVirus Definition Watcher
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Administrative service for disk management requests
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\dmadmin.exe /com
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager Administrative Service
DEPENDENCIES : RpcSs
: PlugPlay
: DmServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Logical Disk Manager Watchdog Service
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager
DEPENDENCIES : RpcSs
: PlugPlay
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP : Event log
TAG : 0
DISPLAY_NAME : Event Log
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Provides automatic distribution of events to subscribing COM components.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : COM+ Event System
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Fax
Helps you send and receive faxes
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\faxsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fax Service
DEPENDENCIES : TapiSrv
: RpcSs
: PlugPlay
: Spooler
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: HidServ
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\hidserv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HID Input Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Irmon
Supports infrared devices installed on the computer and detects other devices that are in range.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Infrared Monitor
DEPENDENCIES : irda
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Provides RPC support and file, print, and named pipe sharing.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Server
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Provides network connections and communications.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : Workstation
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper Service
DEPENDENCIES : NetBT
: Afd
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: magaService
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Sygate\SSA\maga\maga.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Lan Discover Agent
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Mercha2
提供网络基本安全机制,为通过拨号网络连接的家庭网络中所有计算机提供基本保护服务。
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\SYSTEM32\RUNDLL32.EXE C:\WINNT\SYSTEM32\WBEM\IRJIT.DLL,Export 1087
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Internet Protect Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Messenger
Sends and receives messages transmitted by administrators or by the Alerter service.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Messenger
DEPENDENCIES : LanmanWorkstation
: NetBIOS
: RpcSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Allows authorized people to remotely access your Windows desktop using NetMeeting.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\mnmsrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetMeeting Remote Desktop Sharing
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\msdtc.exe
LOAD_ORDER_GROUP : MS Transactions
TAG : 0
DISPLAY_NAME : Distributed Transaction Coordinator
DEPENDENCIES : RPCSS
: SamSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSIServer
Installs, repairs and removes software according to instructions contained in .MSI files.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\MsiExec.exe /V
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Installer
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for dynamic data exchange (DDE).
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\netdde.exe
LOAD_ORDER_GROUP : NetDDEGroup
TAG : 0
DISPLAY_NAME : Network DDE
DEPENDENCIES : NetDDEDSDM
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages shared dynamic data exchange and is used by Network DDE
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\netdde.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network DDE DSDM
DEPENDENCIES :
: EGrLocalSystem
: Network DDE DSDM
: etwork DDE
: ted Transaction Coordinator
: tect Service
: ce
: x
: 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe
LOAD_ORDER_GROUP : RemoteValidation
TAG : 0
DISPLAY_NAME : Net Logon
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Connections
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NT LM Security Support Provider
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
Manages removable media, drives, and libraries.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Removable Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: OracleOraHome81ClientCache
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Oracle\Ora81\BIN\ONRSD.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : OracleOraHome81ClientCache
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ose
Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Office Source Engine
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Patterns
启用 HTTP 安全通讯管理服务,保护 Windows 的网络程序安全运行。无法终止此服务。
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HTTP Secure Manager
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PictureTaker
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\System32\PCTKRNT.SYS
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : PictureTaker
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Manages device installation and configuration and notifies programs of device changes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Plug and Play
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IPSEC Policy Agent
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Protected Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: radexecd
Radia Notify Daemon
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : c:\Program Files\Novadigm\radexecd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Radia Notify Daemon
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: radsched
Radia Scheduler Daemon
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : c:\Program Files\Novadigm\radsched.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Radia Scheduler Daemon
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Radstgms
Radia MSI Redirector
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : c:\Program Files\Novadigm\Radstgms.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Radia MSI Redirector
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Auto Connection Manager
DEPENDENCIES : RasMan
: Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Connection Manager
DEPENDENCIES : Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Routing and Remote Access
DEPENDENCIES : RpcSS
: +NetBIOSGroup
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteRegistry
Allows remote registry manipulation.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\regsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Registry Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Restart DELAY: 1000 seconds

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\locator.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Locator
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\svchost -k rpcss
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC)
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\rsvp.exe -s
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : QoS RSVP
DEPENDENCIES : TcpIp
: Afd
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Security Accounts Manager
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SAVRoam
Symantec AntiVirus Roaming Service
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRA~1\SYMANT~2\SavRoam.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SAVRoam
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardDrv
Provides support for legacy smart card readers attached to the computer.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\System32\SCardSvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smart Card Helper
DEPENDENCIES : +Smart Card Reader
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardSvr
Manages and controls access to a smart card inserted into a smart card reader attached to the computer.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\System32\SCardSvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smart Card
DEPENDENCIES : PlugPlay
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Schedule
Enables a program to run at a designated time.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\MSTask.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Task Scheduler
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : RunAs Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : System Event Notification
DEPENDENCIES : EventSystem
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Internet Connection Sharing
DEPENDENCIES : RasMan
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SmcService
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Sygate\SSA\smc.exe
LOAD_ORDER_GROUP : NDIS
TAG : 0
DISPLAY_NAME : Sygate Security Agent
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SNDSrvc
Symantec Network Drivers Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"
LOAD_ORDER_GROUP : Symantec Services
TAG : 0
DISPLAY_NAME : Symantec Network Drivers Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SPBBCSvc
Symantec SPBBC
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
LOAD_ORDER_GROUP : Symantec Services
TAG : 0
DISPLAY_NAME : Symantec SPBBCSvc
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Symantec AntiVirus
Provides real-time virus scanning, reporting, and management functionality for Symantec AntiVirus.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files\Symantec AntiVirus\Rtvscan.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Symantec AntiVirus
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 10000 seconds
: Restart DELAY: 10000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: SysmonLog
Configures performance logs and alerts.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\smlogsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Performance Logs and Alerts
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telephony
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Tech
Network communication routing service; provides temporary network routing and fast resolution of service addresses. This service cannot be stopped. [translated from the Chinese description: 网络通讯路由服务,提供临时的网络路由和服务地址的快速解析功能。无法终止此服务。]
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Route Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TlntSvr
Allows a remote user to log on to the system and run console programs using the command line.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\tlntsvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telnet
DEPENDENCIES : RpcSs
: TcpIp
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TrkWks
Sends notifications of files moving between NTFS volumes in a network domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Distributed Link Tracking Client
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\ups.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Uninterruptible Power Supply
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UtilMan
Starts and configures accessibility tools from one window
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\UtilMan.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Utility Manager
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Vmover.exe
Resource updating agent
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\System32\Vmover.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Quest Resource Updating Agent
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: W32Time
Sets the computer clock.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Time
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WinMgmt
Provides system management information.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\System32\WBEM\WinMgmt.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Portable Media Serial Number Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Wmi
Provides systems management information to and from drivers.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\Services.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation Driver Extensions
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\svchost.exe -k wugroup
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Automatic Updates
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
Provides authenticated network access control using IEEE 802.1x for wired and wireless Ethernet networks.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wireless Configuration
DEPENDENCIES : RpcSs
: Ndisuio
: ProtectedStorage
: WMI
SERVICE_START_NAME: LocalSystem

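Reading a service dump like the one above by hand is slow and error-prone. The following Python script is an added example, not part of this thread or of any tool mentioned in it: it parses `sc qc`-style output into records and flags three things a responder would check first, a service hosted by `svchost.exe -k netsvcs` that is not on the allow-list, a service description containing non-ASCII text, and a user-mode service type (`WIN32_*_PROCESS`) whose binary is a `.sys` file. The netsvcs allow-list is built from the services this listing shows hosted by `svchost.exe -k netsvcs` and is an assumption for the example, not an authoritative Windows 2000 reference. The sample input is a constructed excerpt of the listing with one fabricated entry (`ExampleKrnl`) added to exercise the `.sys` check.

```python
"""Triage an `sc qc`-style Windows service dump (added example, not from the thread)."""
import re
import sys
from dataclasses import dataclass, field

# Assumption: stock Windows 2000 services that this listing shows hosted by
# `svchost.exe -k netsvcs`. Constructed for the example from the thread's own
# output; extend it from a known-clean machine before relying on it.
KNOWN_NETSVCS = {
    "rasauto", "rasman", "remoteaccess", "sens", "sharedaccess",
    "tapisrv", "wmdmpmsn", "wzcsvc",
}

# 'KEY : value' lines as printed by sc.exe (upper-case key, optional spaces).
FIELD_RE = re.compile(r"^([A-Z_]+)\s*:\s*(.*)$")


@dataclass
class Service:
    name: str
    description: str = ""
    fields: dict = field(default_factory=dict)


def parse_sc_output(text):
    """Split `sc qc`-style text into Service records.

    A block starts at 'SERVICE_NAME: x'; the first non-field line after it is
    the free-text description; 'KEY : value' lines become fields. Continuation
    lines of DEPENDENCIES (': Tapisrv') carry no key and are skipped.
    """
    services, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("SERVICE_NAME:"):
            current = Service(name=line.split(":", 1)[1].strip())
            services.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m.group(1)] = m.group(2).strip()
        elif not current.fields and not current.description:
            current.description = line
    return services


def triage(services):
    """Return (service_name, reason) pairs for services worth a closer look."""
    findings = []
    for svc in services:
        path = svc.fields.get("BINARY_PATH_NAME", "").lower().rstrip('"')
        stype = svc.fields.get("TYPE", "").lower()
        if ("svchost" in path and "-k netsvcs" in path
                and svc.name.lower() not in KNOWN_NETSVCS):
            findings.append((svc.name, "not a known member of the svchost netsvcs group"))
        if any(ord(ch) > 127 for ch in svc.description):
            findings.append((svc.name, "non-ASCII service description"))
        if "win32_" in stype and path.endswith(".sys"):
            findings.append((svc.name, "user-mode service type but .sys binary"))
    return findings


# Constructed sample: two blocks copied from the listing above plus one
# fabricated service (ExampleKrnl) that does not exist on the machine.
SAMPLE = r"""
SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : System Event Notification
DEPENDENCIES : EventSystem
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Tech
网络通讯路由服务,提供临时的网络路由和服务地址的快速解析功能。无法终止此服务。
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Route Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ExampleKrnl
Constructed entry: a user-mode service pointing at a .sys file
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINNT\System32\EXAMPLE.SYS
SERVICE_START_NAME: LocalSystem
"""

if __name__ == "__main__":
    # Pipe saved `sc qc` output on stdin, or run without input to use SAMPLE.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for name, reason in triage(parse_sc_output(text)):
        print(f"{name}: {reason}")
```

On the constructed sample the script reports `Tech` twice (unknown netsvcs member, non-ASCII description) and `ExampleKrnl` once; `SENS` is silent. A hit is a lead, not a verdict: the next step is to check the `Parameters\ServiceDll` value under the service's registry key and hash the file it points at.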
#4 Winnie_lai (Topic Starter)

Posted 01 June 2006 - 10:41 AM

Here's the log from drivers.bat.
NOTE: I did this after Ewido as I forgot this step before.

Volume in drive C has no label.
Volume Serial Number is 440C-C31A

Directory of C:\WINNT\system32\drivers

09/24/1999 10:18p 41,744 alifir.sys
09/25/1999 01:35p 8,016 wmiacpi.sys
09/25/1999 01:35p 2,896 audstub.sys
09/25/1999 01:36p 5,008 MSPCLOCK.sys
09/25/1999 01:36p 6,640 MSKSSRV.sys
09/25/1999 01:36p 4,816 MSPQM.sys
09/30/1999 06:26p 35,600 nscirda.sys
10/04/1999 03:03p 13,904 hidusb.sys
10/04/1999 03:04p 13,744 kbdhid.sys
10/28/1999 06:24p 51,152 DMusic.sys
12/07/1999 03:00p 12,016 ws2ifsl.sys
12/07/1999 03:00p 4,240 wmilib.sys
12/07/1999 03:00p 35,024 rawwan.sys
12/07/1999 03:00p 57,904 atmarpc.sys
12/07/1999 03:00p 33,456 netbios.sys
12/07/1999 03:00p 8,016 rasacd.sys
12/07/1999 03:00p 13,968 vga.sys
12/07/1999 03:00p 40,432 ndproxy.sys
12/07/1999 03:00p 16,880 raspti.sys
12/07/1999 03:00p 6,032 rootmdm.sys
12/07/1999 03:00p 59,280 vdmindvd.sys
12/07/1999 03:00p 4,080 beep.sys
12/07/1999 03:00p 19,088 cdaudio.sys
12/07/1999 03:00p 105,840 streams.sys
12/07/1999 03:00p 21,712 rca.sys
12/07/1999 03:00p 22,000 tsbvcap.sys
12/07/1999 03:00p 6,512 parvdm.sys
12/07/1999 03:00p 88,816 lvcam.sys
12/07/1999 03:00p 272,496 cinemst2.sys
12/07/1999 03:00p 12,880 class2.sys
12/07/1999 03:00p 14,832 smclib.sys
12/07/1999 03:00p 17,424 lvsound.sys
12/07/1999 03:00p 58,480 nwlnkspx.sys
12/07/1999 03:00p 35,344 nwlnkfwd.sys
12/07/1999 03:00p 12,560 nwlnkflt.sys
12/07/1999 03:00p 15,120 usbintel.sys
12/07/1999 03:00p 2,800 null.sys
12/07/1999 03:00p 37,040 npfs.sys
12/07/1999 03:00p 9,680 netdtect.sys
12/07/1999 03:00p 21,328 msfs.sys
12/07/1999 03:00p 79,120 lvcodek.sys
12/07/1999 03:00p 623 gmreadme.txt
12/07/1999 03:00p 3,440,660 gm.dls
12/07/1999 03:00p 102,160 nbf.sys
12/07/1999 03:00p 52,048 tosdvd.sys
12/07/1999 03:00p 34,416 ipfltdrv.sys
12/07/1999 03:00p 19,984 ipinip.sys
12/07/1999 03:00p 10,064 dxapi.sys
12/07/1999 03:00p 3,728 swenum.sys
12/07/1999 03:00p 12,368 fsvga.sys
12/07/1999 03:00p 4,240 mnmdd.sys
12/07/1999 03:00p 23,888 usbcamd.sys
12/17/2001 08:24a 2,619 sensupgd.sys
05/13/2002 06:02a 123,152 e100bnt5.sys
07/01/2002 07:06a 52,818 MSWNDS50.sys
07/22/2002 03:05p 33,616 fips.sys
08/30/2002 01:04p 23,570 atisgkaf.SYS
10/07/2002 03:00a 11,951 prpc.sys
10/11/2002 06:49p 9,049 eacfilt.sys
10/28/2002 05:26p 3,744 smsens.sys
12/09/2002 08:29p 5,441 mbxfilt.sys
01/21/2003 08:04p 5,221 EABUSB.SYS
01/21/2003 08:05p 7,081 EABFILTR.SYS
02/17/2003 02:25a 104,946 b57w2k.sys
02/21/2003 02:16a 244,367 o2mmb.sys
03/13/2003 11:34p 100,224 aeaudio.sys
03/18/2003 07:00p 542,976 smwdm.sys
03/26/2003 11:17a 363,927 cdudf.sys
03/26/2003 11:17a 144,250 pwd_2K.sys
03/26/2003 11:17a 30,662 Mmc_2k.sys
03/26/2003 11:17a 25,930 Dvd_2k.sys
03/26/2003 11:18a 227,298 udfreadr.sys
03/26/2003 11:20a 23,436 cdralw2k.sys
03/26/2003 11:20a 58,128 cdr4_2K.sys
04/23/2003 10:52a 20,752 usbd.sys
04/28/2003 10:41a 138,768 usbport.sys
05/08/2003 10:22a 24,912 openhci.sys
05/13/2003 12:47p 19,728 usbehci.sys
05/23/2003 01:36a 273,072 SynTP.sys
05/30/2003 09:01p 1,170,464 AGRSM.sys
06/04/2003 03:11p 514,320 ntfs.sys
06/19/2003 12:05p 46,992 i8042prt.sys
06/19/2003 12:05p 11,632 mouhid.sys
06/19/2003 12:05p 21,776 mouclass.sys
06/19/2003 01:05p 21,872 usbprint.sys
06/19/2003 03:05p 113,744 ks.sys
06/19/2003 03:05p 115,504 ftdisk.sys
06/19/2003 03:05p 7,600 fs_rec.sys
06/19/2003 03:05p 19,312 flpydisk.sys
06/19/2003 03:05p 29,168 modem.sys
06/19/2003 03:05p 24,752 hidclass.sys
06/19/2003 03:05p 23,056 hidparse.sys
06/19/2003 03:05p 17,840 asyncmac.sys
06/19/2003 03:05p 26,256 fdc.sys
06/19/2003 03:05p 67,120 ipnat.sys
06/19/2003 03:05p 34,704 msgpc.sys
06/19/2003 03:05p 20,208 msircomm.sys
06/19/2003 03:05p 120,240 AFD.SYS
06/19/2003 03:05p 48,496 atmlane.sys
06/19/2003 03:05p 11,536 acpiec.sys
06/19/2003 03:05p 57,264 mf.sys
06/19/2003 03:05p 148,304 kmixer.sys
06/19/2003 03:05p 86,672 atapi.sys
06/19/2003 03:05p 24,528 kbdclass.sys
06/19/2003 03:05p 46,992 isapnp.sys
06/19/2003 03:05p 11,984 ndisuio.sys
06/19/2003 03:05p 93,360 ndiswan.sys
06/19/2003 03:05p 137,936 dmio.sys
06/19/2003 03:05p 57,296 irda.sys
06/19/2003 03:05p 56,112 DLC.SYS
06/19/2003 03:05p 7,728 diskperf.sys
06/19/2003 03:05p 37,552 nmnt.sys
06/19/2003 03:05p 14,288 diskdump.sys
06/19/2003 03:05p 163,120 acpi.sys
06/19/2003 03:05p 64,304 ipsec.sys
06/19/2003 03:05p 30,768 DISK.SYS
06/19/2003 03:05p 140,496 fastfat.sys
06/19/2003 03:05p 27,440 efs.sys
06/19/2003 03:05p 91,408 NWLNKIPX.SYS
06/19/2003 03:05p 65,520 nwlnknb.sys
06/19/2003 03:05p 9,264 compbatt.sys
06/19/2003 03:05p 161,072 nwrdr.sys
06/19/2003 03:05p 9,904 CmBatt.sys
06/19/2003 03:05p 34,832 classpnp.sys
06/19/2003 03:05p 7,312 dmload.sys
06/19/2003 03:05p 60,208 parallel.sys
06/19/2003 03:05p 25,104 parport.sys
06/19/2003 03:05p 11,792 partmgr.sys
06/19/2003 03:05p 27,984 cdrom.sys
06/19/2003 03:05p 59,312 pci.sys
06/19/2003 03:05p 3,088 pciide.sys
06/19/2003 03:05p 22,064 pciidex.sys
06/19/2003 03:05p 109,584 pcmcia.sys
06/19/2003 03:05p 148,208 portcls.sys
06/19/2003 03:05p 9,200 ndistapi.sys
06/19/2003 03:05p 60,496 psched.sys
06/19/2003 03:05p 17,680 ptilink.sys
06/19/2003 03:05p 369,104 dmboot.sys
06/19/2003 03:05p 61,680 cdfs.sys
06/19/2003 03:05p 7,184 battc.sys
06/19/2003 03:05p 331,088 atmuni.sys
06/19/2003 03:05p 19,920 rasirda.sys
06/19/2003 03:05p 52,112 rasl2tp.sys
06/19/2003 03:05p 48,464 raspptp.sys
06/19/2003 03:05p 10,288 irenum.sys
06/19/2003 03:05p 19,952 irsir.sys
06/19/2003 03:05p 170,928 ndis.sys
06/19/2003 03:05p 62,672 udfs.sys
06/19/2003 03:05p 35,344 redbook.sys
06/19/2003 03:05p 53,552 swmidi.sys
06/19/2003 03:05p 74,192 SCSIPORT.SYS
06/19/2003 03:05p 10,928 tape.sys
06/19/2003 03:05p 14,160 serenum.sys
06/19/2003 03:05p 62,736 serial.sys
06/19/2003 03:05p 10,384 sfloppy.sys
06/19/2003 03:05p 148,400 sfmatalk.sys
06/19/2003 03:05p 49,776 usbhub20.sys
06/19/2003 03:05p 16,240 tdi.sys
06/19/2003 03:05p 21,552 USBSTOR.SYS
06/19/2003 03:05p 22,064 sonydcam.sys
06/19/2003 03:05p 42,000 stream.sys
06/19/2003 03:05p 173,232 UPDATE.SYS
06/19/2003 03:05p 47,568 sysaudio.sys
06/19/2003 03:05p 32,272 wanarp.sys
06/19/2003 03:05p 50,640 videoprt.sys
06/19/2003 03:05p 40,176 usbhub.sys
06/19/2003 03:05p 73,872 wdmaud.sys
07/16/2003 12:44p 163,600 netbt.sys
09/20/2003 08:32p 71,888 ksecdd.sys
10/09/2003 05:11p <DIR> etc
10/09/2003 05:11p <DIR> disdn
02/10/2004 03:47p 30,160 mountmgr.sys
04/05/2004 08:51p 379,968 ar5211.sys
05/15/2004 06:29p 701,952 ati2mtag.sys
06/17/2004 12:02a 700,800 MN520-51.sys
08/10/2004 05:51p 59,984 Teefer.sys
08/10/2004 05:53p 21,075 wpsdrvnt.sys
08/10/2004 06:05p 14,240 wg4n.sys
08/10/2004 06:05p 14,240 wg5n.sys
08/10/2004 06:05p 14,240 wg3n.sys
08/10/2004 06:05p 14,240 wg6n.sys
09/25/2004 12:36a 173,056 odysseyIM4.sys
09/25/2004 06:25p 15,781 mdc8021x.sys
11/03/2004 12:07p 146,888 dne2000.sys
12/02/2004 09:07a 89,328 mup.sys
12/02/2004 11:37p 170,512 rdbss.sys
01/20/2005 03:25a 413,104 mrxsmb.sys
02/24/2005 06:20p 359,552 BCMWL5.SYS
02/26/2005 07:05p 336,560 tcpip.sys
04/12/2005 10:45a 20,736 radiamsi.sys
04/22/2005 11:53a 1,133 SymRedir.inf
04/22/2005 11:53a 20 SymRedir.cat
04/22/2005 12:02p 11,512 symdns.sys
04/22/2005 12:02p 173,208 symfw.sys
04/22/2005 12:02p 47,192 symndis.sys
04/22/2005 12:02p 36,984 symids.sys
04/22/2005 12:03p 17,976 symredrv.sys
04/22/2005 12:03p 267,192 symtdi.sys
05/03/2005 01:10a 238,928 SRV.SYS
05/13/2005 07:50p 123,488 SYMEVENT.SYS
05/17/2005 04:51a 5,315 CVirtA.sys
06/10/2005 07:58p 298,571 CVPNDRVA.sys
10/26/2005 11:34a 51,392 atnt40k.sys
04/26/2006 06:56p 11,392 pxscrmbl.sys
06/01/2006 11:26a <DIR> ..
06/01/2006 11:26a <DIR> .
06/01/2006 11:29a 0 drivers.txt
203 File(s) 19,589,192 bytes

Directory of C:\WINNT\system32\drivers\disdn

10/09/2003 05:11p <DIR> ..
10/09/2003 05:11p <DIR> .
0 File(s) 0 bytes

Directory of C:\WINNT\system32\drivers\etc

12/07/1999 03:00p 407 networks
12/07/1999 03:00p 7,116 services
12/07/1999 03:00p 3,683 lmhosts.sam
12/07/1999 03:00p 799 protocol
10/09/2003 05:11p <DIR> ..
10/09/2003 05:11p <DIR> .
05/25/2006 01:35p 351 hosts
5 File(s) 12,356 bytes

Total Files Listed:
208 File(s) 19,601,548 bytes
8 Dir(s) 20,739,204,608 bytes free


Here is the scan report from Ewido:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:25:11 AM, 6/1/2006
+ Report-Checksum: 9AC4B8DD

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{B8CCDD47-38E4-4CD2-B7FA-3B4B690F74BD} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8CCDD47-38E4-4CD2-B7FA-3B4B690F74BD} -> Adware.Generic : Cleaned with backup
[1412] C:\WINNT\system32\msapi32.dll -> Not-A-Virus.Downloader.Win32.Agent.h : Cleaned with backup
[1068] C:\WINNT\system32\microapmddt.dll -> Adware.AdMedia : Cleaned with backup
C:\Documents and Settings\wingnlai\Cookies\wingnlai@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\wingnlai\Cookies\wingnlai@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Cookies\wingnlai@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Cookies\wingnlai@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Cookies\wingnlai@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Cookies\wingnlai@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Cookies\wingnlai@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Cookies\wingnlai@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Cookies\wingnlai@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Cookies\wingnlai@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Local Settings\Temp\01lh0900_1.6_setup.exe -> Adware.AdMedia : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Local Settings\Temp\caishow_2051.exe/DIYNETSetupUni.exe -> Adware.Dm : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Local Settings\Temp\DIYNETSetupUni.exe -> Adware.Dm : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Local Settings\Temp\xpCD.tmp.exe -> Adware.AdMedia : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Local Settings\Temporary Internet Files\LGCDPH4L\218\cf.scr -> Downloader.Small.dsn : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Local Settings\Temporary Internet Files\LGCDPH4L\224\cf.scr -> Downloader.Small.dsn : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Local Settings\Temporary Internet Files\LGCDPH4L\257\cf.scr -> Downloader.Small.dsn : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Local Settings\Temporary Internet Files\LGCDPH4L\258\cf.scr -> Downloader.Small.dsn : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Local Settings\Temporary Internet Files\LGCDPH4L\260\cf.scr -> Downloader.Small.dsn : Cleaned with backup
C:\Documents and Settings\wingnlai.AVAGOTECH\Local Settings\Temporary Internet Files\LGCDPH4L\263\cf.scr -> Downloader.Small.dsn : Cleaned with backup
C:\Program Files\CoolWebsite\QuickLink.dll -> Adware.AdHelper : Cleaned with backup
C:\WINNT\security\templates\agilentws.inf -> Backdoor.SdBot.ry : Cleaned with backup
C:\WINNT\system32\ext\DTDL.dll -> Not-A-Virus.Downloader.Win32.Agent.i : Cleaned with backup
C:\WINNT\system32\ext\DTSM.dll -> Adware.AdMedia : Cleaned with backup
C:\WINNT\system32\microapmddt.dll -> Adware.AdMedia : Cleaned with backup
C:\WINNT\system32\msapi32.dll -> Not-A-Virus.Downloader.Win32.Agent.h : Cleaned with backup


::Report End

#5 Winnie_lai (Topic Starter)

Posted 01 June 2006 - 10:44 AM

Here is the most recent hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 11:41:15 AM, on 6/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\acs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\SYSTEM32\RUNDLL32.EXE
c:\Program Files\Novadigm\radexecd.exe
c:\Program Files\Novadigm\radsched.exe
c:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\SYMANT~2\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\HP\IDA\IDA.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\HP\IDA\IDASched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Agilent\adci\adcist.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avagotech.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://be.agilent.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Agilent Technologies, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy.ftc.avagotech.net:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.it.agilent.com;be.agilent.com;victor*.europe.agilent.com;erp*.corporate.agilent.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\WINNT\DOWNLO~1\gspec.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: QuickBtn - {D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7} - C:\Program Files\CoolWebsite\QuickLink.dll (file missing)
O3 - Toolbar: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\WINNT\DOWNLO~1\gspec.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IDA] C:\HP\IDA\IDA.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [adcius.exe] c:\agilent\adci\adcius.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\ACU\Utility\ACU.exe -nogui
O4 - HKLM\..\Run: [LAAM] c:\agilent\bin\runit c:\Agilent\bin\s_user.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINNT\system32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [Update] C:\Program Files\Common Files\UPDAT\Update.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [adcist.exe] c:\Agilent\adci\adcist.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: 实用网址导航 (Chinese: "Handy URL navigation") - {1D901067-2529-4A9B-9B6B-7A1DB3A44CB5} - C:\Program Files\CoolWebsite\QuickLink.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://be.agilent.com
O16 - DPF: i.Game MJImpressYHK - http://202.43.223.148/client/MJc/com/igame/MJImpressYHK.cab
O16 - DPF: {11865A2A-649F-4FA1-8B99-B97DF8070B7C} (IWSystemchecks Control) - http://avagotech.interwise.com/spgv4/Engli...ystemchecks.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwhc.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} (GlobalSpec Engineering Toolbar) - http://www.globalspec.com/engineering-toolbar/gspec.cab
O16 - DPF: {7A162288-DE78-473C-A6BA-23FF17F768E9} (AxWebInstaller Control) - http://avagotech.interwise.com/spgv4/appli...ebInstaller.cab
O16 - DPF: {B1D475FE-75CD-11D2-8301-0060B0B32E16} (ImpPKCS12 Class) - https://digitalbadge.it.agilent.com/vsimport.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://collaborate.webex.com/client/v_mywe...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = agilent.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: Domain = ftc.avagotech.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: NameServer = 10.11.0.242,10.10.32.242
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = agilent.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ftc.avagotech.net,cos.agilent.com,scs.agilent.com,soco.agilent.com,sjs.agilent.com,agilent.com,usa.agilent.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: Domain = ftc.avagotech.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: NameServer = 10.11.0.242,10.10.32.242
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = agilent.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cos.agilent.com,scs.agilent.com,soco.agilent.com,sjs.agilent.com,agilent.com,usa.agilent.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ftc.avagotech.net,cos.agilent.com,scs.agilent.com,soco.agilent.com,sjs.agilent.com,agilent.com,usa.agilent.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: PictureTaker - LANovation - C:\WINNT\System32\PCTKRNT.SYS
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - c:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - c:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - c:\Program Files\Novadigm\Radstgms.exe
O23 - Service: SAVRoam - symantec - C:\PROGRA~1\SYMANT~2\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Quest Resource Updating Agent (Vmover.exe) - Quest Software - C:\WINNT\System32\Vmover.exe

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 01 June 2006 - 03:22 PM

Bad services listed below for ease of review:

SERVICE_NAME: Mercha2
提供网络基本安全机制,为通过拨号网络连接的家庭网络中所有计算
机提供基本保护服务。
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\SYSTEM32\RUNDLL32.EXE C:\WINNT\SYSTEM32\WBEM\IRJIT.DLL,Export 1087
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Internet Protect Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Patterns
启用 HTTP 安全通讯管理服务,保护 Windows 的网络程序安全运行。无法终止此服务。
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HTTP Secure Manager
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Tech
网络通讯路由服务,提供临时的网络路由和服务地址的快速解析功能
。无法终止此服务。
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Route Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem



Now that we know what we're dealing with, let's get rid of it.


Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: QuickBtn - {D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7} - C:\Program Files\CoolWebsite\QuickLink.dll (file missing)
O4 - HKLM\..\Run: [Update] C:\Program Files\Common Files\UPDAT\Update.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: 实用网址导航 - {1D901067-2529-4A9B-9B6B-7A1DB3A44CB5} - C:\Program Files\CoolWebsite\QuickLink.dll (file missing)



==========


Remove malicious services
  • Click Start -> Run -> (type) services.msc
  • Scroll down and find the service called Internet Protect Service
    • When you find it, double-click on it to open up Properties.
    • Click the Stop button(if available)
    • Change the Startup Type to Disabled.
    • Now hit Apply and then Ok.
    Take those same steps with HTTP Secure Manager and Remote Route Service

  • Run Hijackthis and click on Open the Misc Tools section -> Delete an NT Service
  • Copy and paste these (one at a time) into the text box and click OK.

    Mercha2
    Patterns
    Tech


  • Close Hijackthis.
==============


1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:

%system%\spted.dll
%system%\wbem\irjit.dll
%system%\nt.sys
%system%\wbem\ocmor.dat

Folders to delete:

C:\Program Files\coolwebsite
C:\Program Files\Common Files\UPDAT



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
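The three service entries quoted in this post share two hosting patterns that are worth checking mechanically on any `sc qc`-style listing, not just by eye: a service whose binary path is RUNDLL32.EXE loading a DLL, and a service started as `svchost.exe -k netsvcs` whose name is not one of that group's members. The Python triage script below is an added example, not code from this post, from BleepingComputer, or from HijackThis or The Avenger. The listing embedded in it is constructed to mirror the three entries above (with an English description standing in for the Chinese one, and a benign `Dhcp` entry added so the allowlist path is exercised), and the `netsvcs` member list is an illustrative assumption rather than a complete inventory; on a live host that list comes from the `netsvcs` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost`.

```python
"""Offline triage of an `sc qc`-style Windows service listing.

Added example (not from the forum post, BleepingComputer, HijackThis or
The Avenger). It flags two hosting patterns seen in the thread's listing:
a service started through rundll32 loading a DLL, and an svchost
"-k <group>" service whose name is absent from that group's member list.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the post's listing. The free-text
# lines under SERVICE_NAME are where the post shows Chinese descriptions.
SAMPLE_LISTING = r"""
SERVICE_NAME: Mercha2
Provides basic network security for every computer on a home
network connected through dial-up. (constructed description)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\SYSTEM32\RUNDLL32.EXE C:\WINNT\SYSTEM32\WBEM\IRJIT.DLL,Export 1087
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Internet Protect Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Patterns
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
DISPLAY_NAME : HTTP Secure Manager
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dhcp
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
DISPLAY_NAME : DHCP Client
SERVICE_START_NAME: LocalSystem
"""

# Illustrative assumption: a few netsvcs members. On a real host read the
# group's REG_MULTI_SZ value from HKLM\SOFTWARE\Microsoft\Windows NT\
# CurrentVersion\Svchost instead of hard-coding it.
SVCHOST_GROUPS_EXAMPLE = {
    "netsvcs": ["Browser", "Dhcp", "lanmanserver", "lanmanworkstation"],
}

KEY_RE = re.compile(r"^([A-Z_]+)\s*:\s*(.*)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+?)(?:,|\s|$)", re.IGNORECASE)
SVCHOST_RE = re.compile(r"svchost(?:\.exe)?\s+-k\s+(\S+)", re.IGNORECASE)


@dataclass
class Service:
    name: str
    fields: dict = field(default_factory=dict)   # KEY -> value
    description: list = field(default_factory=list)  # free-text lines


def parse_sc_listing(text):
    """Split a pasted listing into Service records, one per SERVICE_NAME."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m and m.group(1) == "SERVICE_NAME":
            current = Service(name=m.group(2).strip())
            services.append(current)
        elif current is None:
            continue  # text before the first SERVICE_NAME
        elif m:
            current.fields[m.group(1)] = m.group(2).strip()
        else:
            current.description.append(line)  # description text, any language
    return services


def triage(services, svchost_groups):
    """Return {service name: [reasons]} for entries matching a flagged pattern."""
    groups = {g.lower(): {n.lower() for n in members}
              for g, members in svchost_groups.items()}
    findings = {}
    for svc in services:
        reasons = []
        path = svc.fields.get("BINARY_PATH_NAME", "")
        m = RUNDLL_RE.search(path)
        if m:  # rundll32 is not a normal way to host a service
            reasons.append(f"rundll32 hosts DLL {m.group(1)}")
        m = SVCHOST_RE.search(path)
        if m:  # shared-process service must be a member of its -k group
            group = m.group(1).lower()
            if svc.name.lower() not in groups.get(group, set()):
                reasons.append(f"svchost group '{group}' does not list {svc.name}")
        if reasons:
            findings[svc.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_sc_listing(SAMPLE_LISTING),
                                SVCHOST_GROUPS_EXAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

Run against the sample, it reports Mercha2 (rundll32-hosted DLL under WBEM) and Patterns (netsvcs name not in the group) and stays quiet about Dhcp. The point of the allowlist check is that a plausible display name such as "HTTP Secure Manager" tells you nothing; group membership and the hosting binary are what a defender can verify.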


========================================================

#7 Winnie_lai

Winnie_lai
  • Topic Starter

  • Members
  • 13 posts

Posted 01 June 2006 - 09:29 PM

Hi,

I carried out most of your instructions successfully, except for the following step:

Run Hijackthis and click on Open the Misc Tools section -> Delete an NT Service
Copy and paste these(one at a time) into the text box and click OK.
Mercha2
Patterns
Tech

For all three times, I received the message: "The service you entered is system-critical! It can't be deleted".

Also, upon Windows start-up, a RUNDLL dialog appears with the error message: "Error loading C:\WINNT\system32\msapi32.dll The specified module could not be found"
This message actually came up after I carried out your instructions from yesterday.
I'm not sure if it is related to this rootkit problem.

Here is the avenger log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\agwhsnxo

*******************

Script file located at: \??\C:\WINNT\system32\ubheatai.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file %system%\spted.dll for deletion
Deletion of file %system%\spted.dll failed!

Could not process line:
%system%\spted.dll
Status: 0xc000003a



Could not open file %system%\wbem\irjit.dll for deletion
Deletion of file %system%\wbem\irjit.dll failed!

Could not process line:
%system%\wbem\irjit.dll
Status: 0xc000003a



Could not open file %system%\nt.sys for deletion
Deletion of file %system%\nt.sys failed!

Could not process line:
%system%\nt.sys
Status: 0xc000003a



Could not open file %system%\wbem\ocmor.dat for deletion
Deletion of file %system%\wbem\ocmor.dat failed!

Could not process line:
%system%\wbem\ocmor.dat
Status: 0xc000003a

Folder C:\Program Files\coolwebsite deleted successfully.
Folder C:\Program Files\Common Files\UPDAT deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



And here is a fresh hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 10:26:18 PM, on 6/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\acs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
c:\Program Files\Novadigm\radexecd.exe
c:\Program Files\Novadigm\radsched.exe
c:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\SYMANT~2\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\HP\IDA\IDA.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\HP\IDA\IDASched.exe
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Agilent\adci\adcist.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avagotech.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://be.agilent.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Agilent Technologies, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy.ftc.avagotech.net:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.it.agilent.com;be.agilent.com;victor*.europe.agilent.com;erp*.corporate.agilent.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\WINNT\DOWNLO~1\gspec.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\WINNT\DOWNLO~1\gspec.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IDA] C:\HP\IDA\IDA.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [adcius.exe] c:\agilent\adci\adcius.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\ACU\Utility\ACU.exe -nogui
O4 - HKLM\..\Run: [LAAM] c:\agilent\bin\runit c:\Agilent\bin\s_user.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINNT\system32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKCU\..\Run: [adcist.exe] c:\Agilent\adci\adcist.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://be.agilent.com
O16 - DPF: i.Game MJImpressYHK - http://202.43.223.148/client/MJc/com/igame/MJImpressYHK.cab
O16 - DPF: {11865A2A-649F-4FA1-8B99-B97DF8070B7C} (IWSystemchecks Control) - http://avagotech.interwise.com/spgv4/Engli...ystemchecks.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwhc.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} (GlobalSpec Engineering Toolbar) - http://www.globalspec.com/engineering-toolbar/gspec.cab
O16 - DPF: {7A162288-DE78-473C-A6BA-23FF17F768E9} (AxWebInstaller Control) - http://avagotech.interwise.com/spgv4/appli...ebInstaller.cab
O16 - DPF: {B1D475FE-75CD-11D2-8301-0060B0B32E16} (ImpPKCS12 Class) - https://digitalbadge.it.agilent.com/vsimport.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://collaborate.webex.com/client/v_mywe...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = agilent.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: Domain = ftc.avagotech.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: NameServer = 10.10.0.242,10.10.32.242
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = agilent.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ftc.avagotech.net,cos.agilent.com,scs.agilent.com,soco.agilent.com,sjs.agilent.com,agilent.com,usa.agilent.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: Domain = ftc.avagotech.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: NameServer = 10.10.0.242,10.10.32.242
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = agilent.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cos.agilent.com,scs.agilent.com,soco.agilent.com,sjs.agilent.com,agilent.com,usa.agilent.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ftc.avagotech.net,cos.agilent.com,scs.agilent.com,soco.agilent.com,sjs.agilent.com,agilent.com,usa.agilent.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: PictureTaker - LANovation - C:\WINNT\System32\PCTKRNT.SYS
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - c:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - c:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - c:\Program Files\Novadigm\Radstgms.exe
O23 - Service: SAVRoam - symantec - C:\PROGRA~1\SYMANT~2\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Quest Resource Updating Agent (Vmover.exe) - Quest Software - C:\WINNT\System32\Vmover.exe

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 02 June 2006 - 07:48 AM

Run this one through Avenger just like you did before.

Files to delete:

C:\WINNT\system32\spted.dll
C:\WINNT\system32\wbem\irjit.dll
C:\WINNT\system32\nt.sys
C:\WINNT\system32\wbem\ocmor.dat


Once Avenger finishes and your computer reboots, try to delete those services again with Hijackthis.
Post a new log from Avenger and a new hijackthis log.


========================================================

#9 Winnie_lai

Winnie_lai
  • Topic Starter

  • Members
  • 13 posts

Posted 02 June 2006 - 12:16 PM

Hi,

I ran Avenger. Below is the log.
For HijackThis, I still cannot do the "Delete an NT service"; I still get the same error message: "The service you entered is a system-critical! It can't be deleted"

I still get the error message when I start windows: "Error loading C:\WINNT\system32\msapi32.dll. The specified module could not be found"


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vpvfktrm

*******************

Script file located at: \??\C:\Documents and Settings\esplvixa.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\spted.dll deleted successfully.
File C:\WINNT\system32\wbem\irjit.dll deleted successfully.
File C:\WINNT\system32\nt.sys deleted successfully.
File C:\WINNT\system32\wbem\ocmor.dat deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Here is the hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 1:09:20 PM, on 6/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\acs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
c:\Program Files\Novadigm\radexecd.exe
c:\Program Files\Novadigm\radsched.exe
c:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\SYMANT~2\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\HP\IDA\IDA.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\HP\IDA\IDASched.exe
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Agilent\adci\adcist.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avagotech.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://be.agilent.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Agilent Technologies, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy.ftc.avagotech.net:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.it.agilent.com;be.agilent.com;victor*.europe.agilent.com;erp*.corporate.agilent.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\WINNT\DOWNLO~1\gspec.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\WINNT\DOWNLO~1\gspec.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IDA] C:\HP\IDA\IDA.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [adcius.exe] c:\agilent\adci\adcius.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\ACU\Utility\ACU.exe -nogui
O4 - HKLM\..\Run: [LAAM] c:\agilent\bin\runit c:\Agilent\bin\s_user.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINNT\system32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKCU\..\Run: [adcist.exe] c:\Agilent\adci\adcist.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://be.agilent.com
O16 - DPF: i.Game MJImpressYHK - http://202.43.223.148/client/MJc/com/igame/MJImpressYHK.cab
O16 - DPF: {11865A2A-649F-4FA1-8B99-B97DF8070B7C} (IWSystemchecks Control) - http://avagotech.interwise.com/spgv4/Engli...ystemchecks.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwhc.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} (GlobalSpec Engineering Toolbar) - http://www.globalspec.com/engineering-toolbar/gspec.cab
O16 - DPF: {7A162288-DE78-473C-A6BA-23FF17F768E9} (AxWebInstaller Control) - http://avagotech.interwise.com/spgv4/appli...ebInstaller.cab
O16 - DPF: {B1D475FE-75CD-11D2-8301-0060B0B32E16} (ImpPKCS12 Class) - https://digitalbadge.it.agilent.com/vsimport.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://collaborate.webex.com/client/v_mywe...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = agilent.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: Domain = ftc.avagotech.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: NameServer = 10.11.0.242,10.10.32.242
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = agilent.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ftc.avagotech.net,cos.agilent.com,scs.agilent.com,soco.agilent.com,sjs.agilent.com,agilent.com,usa.agilent.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: Domain = ftc.avagotech.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{29D498F3-06F5-4B46-A0FE-798C78E685CB}: NameServer = 10.11.0.242,10.10.32.242
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = agilent.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cos.agilent.com,scs.agilent.com,soco.agilent.com,sjs.agilent.com,agilent.com,usa.agilent.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ftc.avagotech.net,cos.agilent.com,scs.agilent.com,soco.agilent.com,sjs.agilent.com,agilent.com,usa.agilent.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: PictureTaker - LANovation - C:\WINNT\System32\PCTKRNT.SYS
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - c:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - c:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - c:\Program Files\Novadigm\Radstgms.exe
O23 - Service: SAVRoam - symantec - C:\PROGRA~1\SYMANT~2\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Quest Resource Updating Agent (Vmover.exe) - Quest Software - C:\WINNT\System32\Vmover.exe

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 02 June 2006 - 09:35 PM

Click Start -> Run and type in these commands hit enter after each one.

sc stop Mercha2

sc delete Mercha2

sc stop Patterns

sc delete Patterns

sc stop Tech

sc delete Tech



Let me know how that goes.
How's your homepage now? Any other problems?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Winnie_lai

Winnie_lai
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:39 PM

Posted 02 June 2006 - 10:59 PM

Hi,
I received a message saying "Cannot find the file 'sc' (or one of its components). Make sure the path and filename are correct and that all required libraries are available."

As for the homepage and pop-up problems, so far they appear to be gone.

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:39 PM

Posted 03 June 2006 - 04:57 PM

Click Start -> Run -> cmd

In the box that comes up type in this command and hit enter.

sc delete Mercha2

Let me know what it says.


========================================================

#13 Winnie_lai

Winnie_lai
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:39 PM

Posted 03 June 2006 - 11:31 PM

Hi, it says "'sc' is not recognized as an internal or external command, operable or batch file".

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:39 PM

Posted 04 June 2006 - 02:23 PM

Download the SC - Service Controller Query Tool for Windows 2000

http://www.dynawell.com/support/Reskit/download/w2ksc.asp

Unzip the file and copy sc.exe into C:\WINNT\system32


Once you have done that, run those commands once again and let me know what you get.


========================================================
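As an added illustration of the removal steps in the posts above (not something Buckeye_Sam or Winnie_lai posted), the batch script below runs the same sc stop / sc delete sequence for the three suspect services, but first queries each service's configuration so the binary path is visible before anything is removed, and skips names that do not exist instead of failing partway through. It assumes sc.exe from the Windows 2000 Resource Kit has already been copied into C:\WINNT\system32 as described in post #14.

```batch
@echo off
rem Added example, not from the thread: inspect, stop and delete the
rem suspect services named earlier in this topic (Mercha2, Patterns, Tech).
rem Assumes sc.exe (Windows 2000 Resource Kit) is on the PATH.
setlocal

for %%S in (Mercha2 Patterns Tech) do (
    echo === %%S ===
    rem Show what the service actually launches before touching it; this is
    rem the line worth recording (and checking against the HijackThis log).
    sc qc %%S | findstr /I "BINARY_PATH_NAME START_TYPE"
    if errorlevel 1 (
        rem sc qc prints "[SC] OpenService FAILED 1060" for a missing
        rem service, which findstr does not match, so errorlevel is 1.
        echo Service %%S not found, skipping.
    ) else (
        rem Stop first so the delete takes effect without a reboot;
        rem a service that is already stopped just returns an error here.
        sc stop %%S >nul 2>&1
        sc delete %%S
    )
)

endlocal
```

Run it from an Administrator command prompt; each successful removal prints "[SC] DeleteService SUCCESS", the same result reported in the following post.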

#15 Winnie_lai

Winnie_lai
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:39 PM

Posted 04 June 2006 - 09:10 PM

Hi,
It worked, with the message "[SC] DeleteService SUCCESS".
So I deleted Mercha2, Pattern, and Tech.

I restarted the computer, but I still see the RUNDLL dialog "Error loading C:\WINNT\system32\msapi32.dll. The specified module could not be found."



