elendil524

HELP! Symantec Email Proxy Pop Ups

11 posts in this topic

Hi everyone, I'd really appreciate any help someone could give me with this. My sister downloaded a file from an email from a friend, and now her computer is going crazy. The worm she downloaded keeps trying to send out spam, but Symantec is blocking it. As a result, about a hundred Symantec blocking messages keep flooding the screen and stopping me from doing anything. Scans in Safe Mode with updated versions of Spybot, Ad-Aware, and NAV have not resolved this issue. My HijackThis log is below.

 

Thanks in advance,

Ryan

_______________________________________________________________________

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 12:55:05 AM, on 6/9/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\Fonts\aolsw.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\hww.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\CTHELPER.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\Documents and Settings\Susie\Desktop\HiJackThis_v2.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [fnjpyujewjpp] C:\WINDOWS\system32\fnjpyujewjpp.exe

O4 - HKLM\..\Run: [azfw] C:\WINDOWS\system32\azfw.exe

O4 - HKLM\..\Run: [wlfyanbtoqu] C:\WINDOWS\system32\wlfyanbtoqu.exe

O4 - HKLM\..\Run: [jyh] C:\WINDOWS\system32\jyh.exe

O4 - HKLM\..\Run: [zozweccsdh] C:\WINDOWS\system32\zozweccsdh.exe

O4 - HKLM\..\Run: [jxt] C:\WINDOWS\system32\jxt.exe

O4 - HKLM\..\Run: [lrbd] C:\WINDOWS\system32\lrbd.exe

O4 - HKLM\..\Run: [z] C:\WINDOWS\system32\z.exe

O4 - HKLM\..\Run: [fzrmnectyd] C:\WINDOWS\system32\fzrmnectyd.exe

O4 - HKLM\..\Run: [mzn] C:\WINDOWS\system32\mzn.exe

O4 - HKLM\..\Run: [picaknkhjeay] C:\WINDOWS\system32\picaknkhjeay.exe

O4 - HKLM\..\Run: [azldgg] C:\WINDOWS\system32\azldgg.exe

O4 - HKLM\..\Run: [hww] C:\WINDOWS\system32\hww.exe

O4 - HKLM\..\RunServices: [azfw] C:\WINDOWS\system32\azfw.exe

O4 - HKLM\..\RunServices: [jyh] C:\WINDOWS\system32\jyh.exe

O4 - HKLM\..\RunServices: [wlfyanbtoqu] C:\WINDOWS\system32\wlfyanbtoqu.exe

O4 - HKLM\..\RunServices: [fnjpyujewjpp] C:\WINDOWS\system32\fnjpyujewjpp.exe

O4 - HKLM\..\RunServices: [zozweccsdh] C:\WINDOWS\system32\zozweccsdh.exe

O4 - HKLM\..\RunServices: [jxt] C:\WINDOWS\system32\jxt.exe

O4 - HKLM\..\RunServices: [lrbd] C:\WINDOWS\system32\lrbd.exe

O4 - HKLM\..\RunServices: [z] C:\WINDOWS\system32\z.exe

O4 - HKLM\..\RunServices: [fzrmnectyd] C:\WINDOWS\system32\fzrmnectyd.exe

O4 - HKLM\..\RunServices: [mzn] C:\WINDOWS\system32\mzn.exe

O4 - HKLM\..\RunServices: [picaknkhjeay] C:\WINDOWS\system32\picaknkhjeay.exe

O4 - HKLM\..\RunServices: [azldgg] C:\WINDOWS\system32\azldgg.exe

O4 - HKLM\..\RunServices: [hww] C:\WINDOWS\system32\hww.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: LUMIX Simple Viewer.lnk = ?

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157417768218

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejewel...aploader_v6.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sslvpn.pitt.edu/dana-cached/setup/J...perSetupSP1.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: AOL Spy Watch (SPY_Watch-AOL) - Unknown owner - C:\WINDOWS\Fonts\aolsw.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Print Spooler Service (ykooa9tyuay6er) - Unknown owner - C:\WINDOWS\system32\azldgg.exe

 

--

End of file - 9817 bytes


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hi,

 

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.

 

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the icon next to the files found (image: check.gif).
  • If so, click it, then click the icon right below and select Move incurable, as shown in the next image (image: move.gif).
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.
  • After reboot, post the contents of the Dr.Web log you saved previously in your next reply.

Next:

 

1. Download this file - ComboFix

2. Double-click ComboFix.exe and follow the prompts.

3. When finished, it will produce a log for you. Post that log in your next reply.

 

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

 

jedi


Hi jedi,

Thanks so much for the help.... As of right now, the Symantec Proxy message is still popping up. You'll notice from the log that I ran ComboFix in Safe Mode too. I didn't know if you wanted me to do that or not, but that was the only way to do the scan without about a million popups freezing up my system.

 

 

Here are the logs that you asked me to post

 

setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2;Probably BACKDOOR.Trojan;Incurable.Moved.;

inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.3.30.1;Probably BACKDOOR.Trojan;Incurable.Moved.;

inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Moved.;

popup[1].htm;C:\Documents and Settings\Stephanie\Local Settings\Temporary Internet Files\Content.IE5\L4C3L1OH;Trojan.Click.1394;Deleted.;

A0033892.exe;C:\System Volume Information\_restore{4EE438DF-C284-4BE9-9D50-FDC101C42457}\RP396;Probably BACKDOOR.Trojan;Incurable.Moved.;

popcaploader.dll;C:\WINDOWS\Downloaded Program Files;Program.PopcapLoader;Incurable.Moved.;

 

ComboFix 07-06-13.3 - C:\Documents and Settings\Susie\Desktop\ComboFix.exe

"Administrator" - 2007-06-16 14:39:24 - Service Pack 2 NTFS [SAFE MODE]

 

 

((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 )))))))))))))))))))))))))))))))

 

 

2007-06-16 14:14 144,384 --a------ C:\aol.exe

2007-06-16 11:14 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-16 11:12 99,328 --a------ C:\WINDOWS\system32\hxuzfqridtn.exe

2007-06-15 14:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb

2007-06-14 23:02 136,192 --a------ C:\WINDOWS\system32\qzfvfvdu.exe

2007-06-14 17:36 31,744 --a------ C:\WINDOWS\system32\drivers\wceusbsh.sys

2007-06-13 21:52 136,192 --a------ C:\WINDOWS\system32\jnxjgvofrtbj.exe

2007-06-10 17:18 91,136 --a------ C:\WINDOWS\system32\uxrfwty.exe

2007-06-09 01:07 <DIR> d-------- C:\HJT

2007-06-09 00:41 <DIR> d-------- C:\WINDOWS\pss

2007-06-09 00:21 95,232 --a------ C:\WINDOWS\system32\hww.exe

2007-06-08 17:28 99,328 --a------ C:\WINDOWS\system32\azldgg.exe

2007-06-08 16:49 99,328 --a------ C:\WINDOWS\system32\picaknkhjeay.exe

2007-06-07 20:29 99,328 --a------ C:\aim5.exe

2007-06-07 20:25 91,136 --a------ C:\WINDOWS\system32\yqeejifwxt.exe

2007-06-07 17:25 99,328 --a------ C:\WINDOWS\system32\us.exe

2007-06-07 17:24 91,136 --a------ C:\WINDOWS\system32\iklxuhde.exe

2007-06-07 13:46 95,232 --a------ C:\WINDOWS\system32\cxahfj.exe

2007-06-07 13:25 95,232 --a------ C:\WINDOWS\system32\aetqy.exe

2007-06-06 23:28 99,328 --a------ C:\WINDOWS\system32\edwuvwnoxhnx.exe

2007-06-06 17:01 91,136 --a------ C:\WINDOWS\system32\dmiwibab.exe

2007-06-06 16:32 95,232 --a------ C:\WINDOWS\system32\hxnbthxriwfw.exe

2007-06-06 15:32 99,328 --a------ C:\WINDOWS\system32\fmzgw.exe

2007-06-06 14:54 65,462 --a------ C:\dosload.exe

2007-06-06 14:45 70,656 --a------ C:\WINDOWS\system32\gygwopsezpht.exe

2007-06-05 16:55 62,464 --a------ C:\WINDOWS\system32\tre.exe

2007-06-05 16:50 62,464 --a------ C:\WINDOWS\system32\lxfac.exe

2007-06-05 12:03 62,464 --a------ C:\WINDOWS\system32\mamsjkwfrn.exe

2007-06-05 11:58 66,560 --a------ C:\WINDOWS\system32\nvsryq.exe

2007-06-05 11:56 66,560 --a------ C:\WINDOWS\system32\mzn.exe

2007-06-04 22:21 <DIR> d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\acccore

2007-06-04 22:20 <DIR> d-------- C:\Program Files\AIM6

2007-06-04 19:48 66,560 --a------ C:\WINDOWS\system32\fprorczvbx.exe

2007-06-04 17:34 66,560 --a------ C:\WINDOWS\system32\lxzxjvf.exe

2007-06-04 17:34 66,560 --a------ C:\WINDOWS\system32\jpwb.exe

2007-06-04 17:31 66,560 --a------ C:\WINDOWS\system32\sgkr.exe

2007-06-04 17:25 66,560 --a------ C:\WINDOWS\system32\pofjy.exe

2007-06-04 17:22 66,560 --a------ C:\WINDOWS\system32\ypw.exe

2007-06-04 17:19 66,560 --a------ C:\WINDOWS\system32\yxdkthwjy.exe

2007-06-04 17:13 66,560 --a------ C:\WINDOWS\system32\ahagnrjce.exe

2007-06-04 17:02 66,560 --a------ C:\WINDOWS\system32\tctms.exe

2007-06-04 13:33 66,560 --a------ C:\WINDOWS\system32\fzrmnectyd.exe

2007-06-03 15:51 66,560 --a------ C:\WINDOWS\system32\heglavghvkx.exe

2007-06-02 15:31 66,560 --a------ C:\WINDOWS\system32\mjpdclyalvfo.exe

2007-06-02 15:20 66,560 --a------ C:\WINDOWS\system32\ajbgfirr.exe

2007-06-01 23:27 62,464 --a------ C:\WINDOWS\system32\hodimoppuvas.exe

2007-05-31 18:12 66,560 --a------ C:\WINDOWS\system32\lrbd.exe

2007-05-31 17:51 66,560 --a------ C:\WINDOWS\system32\jxt.exe

2007-05-31 17:50 66,560 --a------ C:\WINDOWS\system32\wxgix.exe

2007-05-31 17:49 66,560 --a------ C:\WINDOWS\system32\ys.exe

2007-05-30 22:18 66,560 --a------ C:\WINDOWS\system32\zozweccsdh.exe

2007-05-30 20:09 66,560 --a------ C:\WINDOWS\system32\rcuuideuwj.exe

2007-05-30 17:53 66,560 --a------ C:\WINDOWS\system32\jyh.exe

2007-05-30 10:30 66,560 --a------ C:\WINDOWS\system32\wlfyanbtoqu.exe

2007-05-29 16:35 66,560 --a------ C:\WINDOWS\system32\azfw.exe

2007-05-29 14:21 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft

2007-05-29 14:20 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT

2007-05-29 14:00 66,560 --a------ C:\WINDOWS\system32\fnjpyujewjpp.exe

2007-05-29 12:16 <DIR> d-------- C:\DOCUME~1\Vince\APPLIC~1\Lavasoft

2007-05-28 17:51 66,560 --a------ C:\WINDOWS\system32\lajommayrpmy.exe

2007-05-18 18:53 <DIR> d-------- C:\DOCUME~1\Susie\APPLIC~1\Skype

2007-05-18 18:52 <DIR> d-------- C:\Program Files\Skype

2007-05-18 18:52 <DIR> d-------- C:\Program Files\Common Files\Skype

2007-05-18 18:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-16 15:12:50 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-06-05 02:20:54 -------- d-----w C:\Program Files\Viewpoint

2007-06-05 02:20:22 -------- d-----w C:\Program Files\Common Files\AOL

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-10 04:07:16 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys

2007-05-10 04:07:15 -------- d-----w C:\Program Files\DVDFab Platinum 3

2007-05-10 04:03:05 -------- d-----w C:\Program Files\DVD Decrypter

2007-05-04 05:10:15 -------- d-----w C:\Program Files\Windows Media Connect 2

2007-04-28 22:21:11 -------- d-----w C:\Program Files\Movie Maker

2007-04-28 22:21:10 -------- d-----w C:\Program Files\Microsoft Works

2007-04-28 22:21:08 -------- d-----w C:\Program Files\Messenger

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-22 02:27:51 -------- d-----w C:\Program Files\MFInstall

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll

2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2002-11-15 00:09]

{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}=C:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 10:00]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 22:22]

"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-09-04 19:49]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]

"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-05 20:34]

"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 17:52]

"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 00:41]

"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 10:00]

"CTHelper"="CTHELPER.EXE" [2005-12-08 12:06 C:\WINDOWS\CTHELPER.EXE]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-09 02:34]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"azfw"=C:\WINDOWS\system32\azfw.exe

"jyh"=C:\WINDOWS\system32\jyh.exe

"wlfyanbtoqu"=C:\WINDOWS\system32\wlfyanbtoqu.exe

"fnjpyujewjpp"=C:\WINDOWS\system32\fnjpyujewjpp.exe

"zozweccsdh"=C:\WINDOWS\system32\zozweccsdh.exe

"jxt"=C:\WINDOWS\system32\jxt.exe

"lrbd"=C:\WINDOWS\system32\lrbd.exe

"z"=C:\WINDOWS\system32\z.exe

"fzrmnectyd"=C:\WINDOWS\system32\fzrmnectyd.exe

"mzn"=C:\WINDOWS\system32\mzn.exe

"picaknkhjeay"=C:\WINDOWS\system32\picaknkhjeay.exe

"azldgg"=C:\WINDOWS\system32\azldgg.exe

"hww"=C:\WINDOWS\system32\hww.exe

"cxahfj"=C:\WINDOWS\system32\cxahfj.exe

"uxrfwty"=C:\WINDOWS\system32\uxrfwty.exe

"jnxjgvofrtbj"=C:\WINDOWS\system32\jnxjgvofrtbj.exe

"qzfvfvdu"=C:\WINDOWS\system32\qzfvfvdu.exe

"hxuzfqridtn"=C:\WINDOWS\system32\hxuzfqridtn.exe

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

 

*Newly Created Service* - Y6II3HEE4I

 

Contents of the 'Scheduled Tasks' folder

2007-06-11 17:20:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2007-06-09 00:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job

2007-06-16 15:13:12 C:\WINDOWS\tasks\Symantec NetDetect.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-16 14:42:17

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-16 14:43:09

C:\ComboFix-quarantined-files.txt ... 2007-06-16 14:42

C:\ComboFix2.txt ... 2007-06-16 11:23

 

--- E O F ---


Hi again,

 

Please run Notepad and paste the following text into a new file, do not include the word ‘quote’:

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"azfw"=-

"jyh"=-

"wlfyanbtoqu"=-

"fnjpyujewjpp"=-

"zozweccsdh"=-

"jxt"=-

"lrbd"=-

"z"=-

"fzrmnectyd"=-

"mzn"=-

"picaknkhjeay"=-

"azldgg"=-

"hww"=-

"cxahfj"=-

"uxrfwty"=-

"jnxjgvofrtbj"=-

"qzfvfvdu"=-

"hxuzfqridtn"=-

 

 

 

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

 

Next:

 

Unzip this file to your desktop:

 

Double-click on delete.bat and post the report that opens.

Note: this file was made for elendil524's PC; if you are not elendil524 it will not help you, and may damage your PC.

 

Next:

 

Download getservices from http://www.bleepingcomputer.com/files/spyw...getservices.zip

 

To use this script, extract the zip file to your C: drive. Once it is extracted you will find a directory on your C: drive called getservice. Inside the C:\getservice directory will be a file called getservice.bat. Simply double-click on the getservice.bat file and, when it is completed, a Notepad window will open with a lot of information. Copy and paste the information from the Notepad window and post it here as your reply.

 

Also post a fresh HiJackThis log.

 

jedi

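As an added example (not from this thread, and not part of HijackThis, ComboFix, Dr.Web or the helper's delete.bat), the following Python script does the triage the thread performs by hand: it parses O4 autostart lines in the shape of the first post's HijackThis log, flags entries that point at short, random-named executables in system32 (noting when the same value name sits under both Run and RunServices, as every malicious entry in this log does), and emits the same REGEDIT4 `"name"=-` deletion stanza that jedi's fix.reg used. The sample lines and the small allowlist are constructed for the example.

```python
"""Triage HijackThis O4 entries and emit a REGEDIT4 value-deletion file.

Added example: not from the SWI thread or any of the tools it uses.
"""
import ntpath
import re

# Constructed sample: O4 lines in the shape of the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [azfw] C:\WINDOWS\system32\azfw.exe
O4 - HKLM\..\Run: [hww] C:\WINDOWS\system32\hww.exe
O4 - HKLM\..\RunServices: [azfw] C:\WINDOWS\system32\azfw.exe
O4 - HKLM\..\RunServices: [hww] C:\WINDOWS\system32\hww.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash
"""

# O4 - <hive>\..\<Run|RunServices|RunOnce>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# First .exe token of the command line, quoted or bare.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)
# Short all-lowercase stems like azfw, jyh, z, picaknkhjeay.
RANDOM_STEM = re.compile(r"^[a-z]{1,12}$")
# Assumed allowlist of legitimate system32 autostarts (extend for real use).
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe"}

RUNSERVICES = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices"


def parse_o4(text):
    """Return one dict per O4 line: hive, key, name, cmd and the target exe."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        x = EXE_RE.match(e["cmd"])
        e["exe"] = x.group("path") if x else ""
        entries.append(e)
    return entries


def in_system32(exe):
    """True when the executable lives directly in a ...\\system32 directory."""
    return ntpath.dirname(exe).lower().endswith("\\system32")


def suspicious(entries):
    """Flag random-named system32 executables not on the allowlist.

    The result maps value name -> {"exe": path, "run_and_runservices": bool};
    the bool records the second, stronger indicator seen in this thread:
    the same name registered under both Run and RunServices.
    """
    keys_by_name = {}
    for e in entries:
        keys_by_name.setdefault(e["name"], set()).add(e["key"].lower())
    flagged = {}
    for e in entries:
        base = ntpath.basename(e["exe"]).lower()
        stem = ntpath.splitext(base)[0]
        if not in_system32(e["exe"]) or base in KNOWN_SYSTEM32:
            continue
        if not RANDOM_STEM.match(stem):
            continue
        both = {"run", "runservices"} <= keys_by_name[e["name"]]
        flagged[e["name"]] = {"exe": e["exe"], "run_and_runservices": both}
    return flagged


def build_reg(names, key_path):
    """Emit a REGEDIT4 file deleting each named value ("name"=- syntax).

    REGEDIT4 files are ANSI text and must end with a blank line to merge.
    """
    lines = ["REGEDIT4", "", f"[{key_path}]"]
    lines += [f'"{n}"=-' for n in sorted(names)]
    return "\n".join(lines) + "\n\n"


if __name__ == "__main__":
    found = suspicious(parse_o4(SAMPLE_LOG))
    for name, info in sorted(found.items()):
        tag = "Run+RunServices" if info["run_and_runservices"] else "single key"
        print(f"{name:14} {info['exe']}  [{tag}]")
    print(build_reg(found, RUNSERVICES))
```

On the sample the two random-named entries are flagged and both carry the Run+RunServices marker, while ccApp, NvCplDaemon, ctfmon.exe and Skype are passed over.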

Hi Jedi, thanks so much for the help. I think that last round might have done the trick!! Here are the log files you asked me to post....

 

DELETE OUTPUT

Delitor by wng_z3r0

 

Files to delete:

**************************

"C:\WINDOWS\system32\azfw.exe"

"C:\WINDOWS\system32\jyh.exe"

"C:\WINDOWS\system32\wlfyanbtoqu.exe"

"C:\WINDOWS\system32\fnjpyujewjpp.exe"

"C:\WINDOWS\system32\zozweccsdh.exe"

"C:\WINDOWS\system32\jxt.exe"

"C:\WINDOWS\system32\lrbd.exe"

"C:\WINDOWS\system32\z.exe"

"C:\WINDOWS\system32\fzrmnectyd.exe"

"C:\WINDOWS\system32\mzn.exe"

"C:\WINDOWS\system32\picaknkhjeay.exe"

"C:\WINDOWS\system32\azldgg.exe"

"C:\WINDOWS\system32\hww.exe"

"C:\WINDOWS\system32\cxahfj.exe"

"C:\WINDOWS\system32\uxrfwty.exe"

"C:\WINDOWS\system32\jnxjgvofrtbj.exe"

"C:\WINDOWS\system32\qzfvfvdu.exe"

"C:\WINDOWS\system32\hxuzfqridtn.exe"

"C:\WINDOWS\system32\fprorczvbx.exe"

"C:\WINDOWS\system32\lxzxjvf.exe"

"C:\WINDOWS\system32\jpwb.exe"

"C:\WINDOWS\system32\sgkr.exe"

"C:\WINDOWS\system32\pofjy.exe"

"C:\WINDOWS\system32\ypw.exe"

"C:\WINDOWS\system32\yxdkthwjy.exe"

"C:\WINDOWS\system32\ahagnrjce.exe"

"C:\WINDOWS\system32\tctms.exe"

"C:\WINDOWS\system32\fzrmnectyd.exe"

"C:\WINDOWS\system32\heglavghvkx.exe"

"C:\WINDOWS\system32\mjpdclyalvfo.exe"

"C:\WINDOWS\system32\ajbgfirr.exe"

"C:\WINDOWS\system32\hodimoppuvas.exe"

"C:\WINDOWS\system32\wxgix.exe"

"C:\WINDOWS\system32\ys.exe"

"C:\WINDOWS\system32\zozweccsdh.exe"

"C:\WINDOWS\system32\rcuuideuwj.exe"

"C:\WINDOWS\system32\yqeejifwxt.exe"

"C:\WINDOWS\system32\us.exe"

"C:\WINDOWS\system32\iklxuhde.exe"

"C:\WINDOWS\system32\aetqy.exe"

"C:\WINDOWS\system32\edwuvwnoxhnx.exe"

"C:\WINDOWS\system32\dmiwibab.exe"

"C:\WINDOWS\system32\hxnbthxriwfw.exe"

"C:\WINDOWS\system32\fmzgw.exe"

"C:\dosload.exe"

"C:\WINDOWS\system32\gygwopsezpht.exe"

"C:\WINDOWS\system32\tre.exe"

"C:\WINDOWS\system32\lxfac.exe"

"C:\WINDOWS\system32\mamsjkwfrn.exe"

"C:\WINDOWS\system32\nvsryq.exe"

 

END Files to delete:

**************************

 

 

 

Files remaining after deletion:

**************************

 

END of file:

**************************

 

 

 

 

 

GETSERVICE

 

PsService v1.1 - local and remote services viewer/controller

Copyright © 2001-2003 Mark Russinovich

Sysinternals - www.sysinternals.com

 

SERVICE_NAME: Alerter

Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Alerter

DEPENDENCIES : LanmanWorkstation

SERVICE_START_NAME: NT AUTHORITY\LocalService

 

SERVICE_NAME: ALG

Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Application Layer Gateway Service

DEPENDENCIES :

SERVICE_START_NAME: NT AUTHORITY\LocalService

 

SERVICE_NAME: AppMgmt

Provides software installation services such as Assign, Publish, and Remove.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Application Management

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: AudioSrv

Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : AudioGroup

TAG : 0

DISPLAY_NAME : Windows Audio

DEPENDENCIES : PlugPlay

: RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: BITS

Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Background Intelligent Transfer Service

DEPENDENCIES : Rpcss

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 0 seconds

FAILURE_ACTIONS : Restart DELAY: 60000 seconds

: Restart DELAY: 60000 seconds

: Restart DELAY: 60000 seconds

 

SERVICE_NAME: Browser

Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Computer Browser

DEPENDENCIES : LanmanWorkstation

: LanmanServer

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: ccEvtMgr

Event propagation and logging service

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

LOAD_ORDER_GROUP : Symantec Core Services

TAG : 0

DISPLAY_NAME : Symantec Event Manager

DEPENDENCIES : RPCSS

: ccSetMgr

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: ccSetMgr

Settings storage and management service

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

LOAD_ORDER_GROUP : Symantec Core Services

TAG : 0

DISPLAY_NAME : Symantec Settings Manager

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: CiSvc

Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\cisvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Indexing Service

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: ClipSrv

Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : ClipBook

DEPENDENCIES : NetDDE

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: COMSysApp

Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : COM+ System Application

DEPENDENCIES : rpcss

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 30 seconds

FAILURE_ACTIONS : Restart DELAY: 1000 seconds

: Restart DELAY: 5000 seconds

: None DELAY: 1000 seconds

 

SERVICE_NAME: CryptSvc

Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Cryptographic Services

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: DcomLaunch

Provides launch functionality for DCOM services.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k DcomLaunch

LOAD_ORDER_GROUP : Event Log

TAG : 0

DISPLAY_NAME : DCOM Server Process Launcher

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 0 seconds

FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

 

SERVICE_NAME: DefWatch

Monitors and maintains virus definitions.

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : "C:\Program Files\Symantec AntiVirus\DefWatch.exe"

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Symantec AntiVirus Definition Watcher

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Dhcp

Manages network configuration by registering and updating IP addresses and DNS names.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : DHCP Client

DEPENDENCIES : Tcpip

: Afd

: NetBT

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: dmadmin

Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Logical Disk Manager Administrative Service

DEPENDENCIES : RpcSs

: PlugPlay

: DmServer

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: dmserver

Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Logical Disk Manager

DEPENDENCIES : RpcSs

: PlugPlay

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Dnscache

Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k NetworkService

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : DNS Client

DEPENDENCIES : Tcpip

SERVICE_START_NAME: NT AUTHORITY\NetworkService

 

SERVICE_NAME: ERSvc

Allows error reporting for services and applictions running in non-standard environments.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Error Reporting Service

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Eventlog

Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe

LOAD_ORDER_GROUP : Event log

TAG : 0

DISPLAY_NAME : Event Log

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: EventSystem

Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : Network

TAG : 0

DISPLAY_NAME : COM+ Event System

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: FastUserSwitchingCompatibility

Provides management for applications that require assistance in a multiple user environment.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Fast User Switching Compatibility

DEPENDENCIES : TermService

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: helpsvc

Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Help and Support

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 86400 seconds

FAILURE_ACTIONS : Restart DELAY: 100 seconds

: Restart DELAY: 100 seconds

: None DELAY: 100 seconds

 

SERVICE_NAME: HidServ

Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Human Interface Device Access

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: HTTPFilter

This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k HTTPFilter

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : HTTP SSL

DEPENDENCIES : HTTP

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: IDriverT

Provides support for the Running Object Table for InstallShield Drivers

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : InstallDriver Table Manager

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: ImapiService

Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\imapi.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : IMAPI CD-Burning COM Service

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: iPod Service

iPod hardware management services

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : "C:\Program Files\iPod\bin\iPodService.exe"

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : iPod Service

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: lanmanserver

Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Server

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: lanmanworkstation

Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : NetworkProvider

TAG : 0

DISPLAY_NAME : Workstation

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: LiveUpdate

LiveUpdate Core Engine

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : LiveUpdate

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: LmHosts

Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : TCP/IP NetBIOS Helper

DEPENDENCIES : NetBT

: Afd

SERVICE_START_NAME: NT AUTHORITY\LocalService

 

SERVICE_NAME: Messenger

Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Messenger

DEPENDENCIES : LanmanWorkstation

: NetBIOS

: PlugPlay

: RpcSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: mnmsrvc

Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\mnmsrvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : NetMeeting Remote Desktop Sharing

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: MSDTC

Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\msdtc.exe

LOAD_ORDER_GROUP : MS Transactions

TAG : 0

DISPLAY_NAME : Distributed Transaction Coordinator

DEPENDENCIES : RPCSS

: SamSS

SERVICE_START_NAME: NT AUTHORITY\NetworkService

 

SERVICE_NAME: MSIServer

Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\msiexec.exe /V

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows Installer

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: NetDDE

Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe

LOAD_ORDER_GROUP : NetDDEGroup

TAG : 0

DISPLAY_NAME : Network DDE

DEPENDENCIES : NetDDEDSDM

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: NetDDEdsdm

Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Network DDE DSDM

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Netlogon

Supports pass-through authentication of account logon events for computers in a domain.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe

LOAD_ORDER_GROUP : RemoteValidation

TAG : 0

DISPLAY_NAME : Net Logon

DEPENDENCIES : LanmanWorkstation

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Netman

Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Network Connections

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Nla

Collects and stores network configuration and location information, and notifies applications when this information changes.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Network Location Awareness (NLA)

DEPENDENCIES : Tcpip

: Afd

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: NMSSvc

Intel® NIC Management Service

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\NMSSvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Intel® NMS

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: NtLmSsp

Provides security to remote procedure call (RPC) programs that use transports other than named pipes.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : NT LM Security Support Provider

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: NtmsSvc

(null)

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Removable Storage

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: NVSvc

Provides system and desktop level support to the NVIDIA display driver

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\nvsvc32.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : NVIDIA Display Driver Service

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: ose

Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Office Source Engine

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: PlugPlay

Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe

LOAD_ORDER_GROUP : PlugPlay

TAG : 0

DISPLAY_NAME : Plug and Play

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: PolicyAgent

Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : IPSEC Services

DEPENDENCIES : RPCSS

: Tcpip

: IPSec

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: ProtectedStorage

Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Protected Storage

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RasAuto

Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Remote Access Auto Connection Manager

DEPENDENCIES : RasMan

: Tapisrv

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RasMan

Creates a network connection.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Remote Access Connection Manager

DEPENDENCIES : Tapisrv

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RDSessMgr

Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Remote Desktop Help Session Manager

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RemoteAccess

Offers routing services to businesses in local area and wide area network environments.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Routing and Remote Access

DEPENDENCIES : RpcSS

: +NetBIOSGroup

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RpcLocator

Manages the RPC name service database.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\locator.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Remote Procedure Call (RPC) Locator

DEPENDENCIES : LanmanWorkstation

SERVICE_START_NAME: NT AUTHORITY\NetworkService

 

SERVICE_NAME: RpcSs

Provides the endpoint mapper and other miscellaneous RPC services.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss

LOAD_ORDER_GROUP : COM Infrastructure

TAG : 0

DISPLAY_NAME : Remote Procedure Call (RPC)

DEPENDENCIES :

SERVICE_START_NAME: NT Authority\NetworkService

FAIL_RESET_PERIOD : 0 seconds

FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

 

SERVICE_NAME: RSVP

Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\rsvp.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : QoS RSVP

DEPENDENCIES : TcpIp

: Afd

: RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SamSs

Stores security information for local user accounts.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe

LOAD_ORDER_GROUP : LocalValidation

TAG : 0

DISPLAY_NAME : Security Accounts Manager

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SavRoam

Symantec AntiVirus Roaming Service

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : "C:\Program Files\Symantec AntiVirus\SavRoam.exe"

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : SAVRoam

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SCardSvr

Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe

LOAD_ORDER_GROUP : SmartCardGroup

TAG : 0

DISPLAY_NAME : Smart Card

DEPENDENCIES : PlugPlay

SERVICE_START_NAME: NT AUTHORITY\LocalService

 

SERVICE_NAME: Schedule

Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : SchedulerGroup

TAG : 0

DISPLAY_NAME : Task Scheduler

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: seclogon

Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Secondary Logon

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SENS

Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : Network

TAG : 0

DISPLAY_NAME : System Event Notification

DEPENDENCIES : EventSystem

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SharedAccess

Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Internet Connection Sharing

DEPENDENCIES : RasMan

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: ShellHWDetection

(null)

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : ShellSvcGroup

TAG : 0

DISPLAY_NAME : Shell Hardware Detection

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SimpTcp

Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\tcpsvcs.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Simple TCP/IP Services

DEPENDENCIES : AFD

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SNDSrvc

Symantec Network Drivers Service

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"

LOAD_ORDER_GROUP : Symantec Services

TAG : 0

DISPLAY_NAME : Symantec Network Drivers Service

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SPBBCSvc

Symantec SPBBC

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"

LOAD_ORDER_GROUP : Symantec Services

TAG : 0

DISPLAY_NAME : Symantec SPBBCSvc

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Spooler

Loads files to memory for later printing.

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe

LOAD_ORDER_GROUP : SpoolerGroup

TAG : 0

DISPLAY_NAME : Print Spooler

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 86400 seconds

FAILURE_ACTIONS : Restart DELAY: 60000 seconds

: Restart DELAY: 60000 seconds

: None DELAY: 0 seconds

 

SERVICE_NAME: SPY_Watch-AOL

Logs flagged incoming and outgoing connections for analysis and routinely scans PC for spyware programs.

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : "C:\WINDOWS\Fonts\aolsw.exe"

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : AOL Spy Watch

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 10 seconds

FAILURE_ACTIONS : Restart DELAY: 3000 seconds

 

SERVICE_NAME: srservice

Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : System Restore Service

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SSDPSRV

Enables discovery of UPnP devices on your home network.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : SSDP Discovery Service

DEPENDENCIES : HTTP

SERVICE_START_NAME: NT AUTHORITY\LocalService

 

SERVICE_NAME: stisvc

Provides image acquisition services for scanners and cameras.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k imgsvc

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows Image Acquisition (WIA)

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SwPrv

Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{4963697F-14F1-457F-BD91-7099A0BF622F}

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : MS Software Shadow Copy Provider

DEPENDENCIES : rpcss

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Symantec AntiVirus

Provides real-time virus scanning, reporting, and management functionality for Symantec AntiVirus.

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : "C:\Program Files\Symantec AntiVirus\Rtvscan.exe"

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Symantec AntiVirus

DEPENDENCIES : ccSetMgr

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 86400 seconds

FAILURE_ACTIONS : Restart DELAY: 10000 seconds

: Restart DELAY: 10000 seconds

: None DELAY: 0 seconds

 

SERVICE_NAME: SysmonLog

Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Performance Logs and Alerts

DEPENDENCIES :

SERVICE_START_NAME: NT Authority\NetworkService

 

SERVICE_NAME: TapiSrv

Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Telephony

DEPENDENCIES : PlugPlay

: RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: TermService

Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost -k DComLaunch

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Terminal Services

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Themes

Provides user experience theme management.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : UIGroup

TAG : 0

DISPLAY_NAME : Themes

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 86400 seconds

FAILURE_ACTIONS : Restart DELAY: 60000 seconds

: Restart DELAY: 60000 seconds

: None DELAY: 0 seconds

 

SERVICE_NAME: TrkWks

Maintains links between NTFS files within a computer or across computers in a network domain.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Distributed Link Tracking Client

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: upnphost

Provides support to host Universal Plug and Play devices.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Universal Plug and Play Device Host

DEPENDENCIES : SSDPSRV

: HTTP

SERVICE_START_NAME: NT AUTHORITY\LocalService

FAIL_RESET_PERIOD : -1 seconds

FAILURE_ACTIONS : Restart DELAY: 0 seconds

 

SERVICE_NAME: UPS

Manages an uninterruptible power supply (UPS) connected to the computer.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Uninterruptible Power Supply

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: VSS

Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Volume Shadow Copy

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: W32Time

Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows Time

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 5 seconds

FAILURE_ACTIONS : Restart DELAY: 60000 seconds

: Restart DELAY: 60000 seconds

 

SERVICE_NAME: WebClient

Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService

LOAD_ORDER_GROUP : NetworkProvider

TAG : 0

DISPLAY_NAME : WebClient

DEPENDENCIES : MRxDAV

SERVICE_START_NAME: NT AUTHORITY\LocalService

 

SERVICE_NAME: winmgmt

Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows Management Instrumentation

DEPENDENCIES : RPCSS

: Eventlog

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 86400 seconds

FAILURE_ACTIONS : Restart DELAY: 60000 seconds

: Restart DELAY: 60000 seconds

 

SERVICE_NAME: WmdmPmSN

Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Portable Media Serial Number Service

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: WmiApSrv

Provides performance library information from WMI HiPerf providers.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\wbem\wmiapsrv.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : WMI Performance Adapter

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: WMPNetworkSvc

Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : "C:\Program Files\Windows Media Player\WMPNetwk.exe"

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows Media Player Network Sharing Service

DEPENDENCIES : upnphost

: http

: HTTPFilter

SERVICE_START_NAME: NT AUTHORITY\NetworkService

FAIL_RESET_PERIOD : 0 seconds

FAILURE_ACTIONS : Restart DELAY: 30000 seconds

: Restart DELAY: 30000 seconds

: None DELAY: 0 seconds

 

SERVICE_NAME: wscsvc

Monitors system security settings and configurations.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Security Center

DEPENDENCIES : RpcSs

: winmgmt

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: wuauserv

Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Automatic Updates

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: WudfSvc

Manages user-mode driver host processes

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

LOAD_ORDER_GROUP : PlugPlay

TAG : 0

DISPLAY_NAME : Windows Driver Foundation - User-mode Driver Framework

DEPENDENCIES : PlugPlay

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 900 seconds

FAILURE_ACTIONS : Restart DELAY: 120000 seconds

: Restart DELAY: 300000 seconds

: None DELAY: 0 seconds

 

SERVICE_NAME: WZCSVC

Provides automatic configuration for the 802.11 adapters

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : Wireless Zero Configuration

DEPENDENCIES : RpcSs

: Ndisuio

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: xmlprov

Manages XML configuration files on a domain basis for automatic network provisioning.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Network Provisioning Service

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: y6ii3hee4i

(null)

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINDOWS\system32\gbfqsimjis.exe /service

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Print Spooler Service

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 2:34:38 PM, on 6/17/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\Fonts\aolsw.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\CTHELPER.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\gbfqsimjis.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\HJT\HiJackThis_v2.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [M

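The sc query dump above is where the infection gives itself away: the record for y6ii3hee4i has no description ("(null)"), auto-starts as LocalSystem from a randomly named file in system32, and borrows the display name of the real Print Spooler so it blends into the Services list. The script below, added here as an example and not part of the original thread, parses a dump in that format and flags exactly those traits. The dump text inside it is constructed: the Themes and y6ii3hee4i records are copied from the thread, and a record for the genuine Spooler service is added as it appears on a clean XP machine; KNOWN_SERVICES is a small illustrative allowlist, not a complete one.

```python
"""Triage an `sc qc`-style service dump for a service hiding behind a
Windows built-in's display name.

Added example, not from the thread.  SAMPLE_DUMP is constructed: the Themes
and y6ii3hee4i records are copied from the dump posted above; the Spooler
record is what the genuine Print Spooler looks like on a clean XP box.
"""
import re

# Display name -> (real service name, real image).  Illustrative allowlist;
# build the full one from `sc query` on a known-clean machine.
KNOWN_SERVICES = {
    "print spooler": ("spooler", "spoolsv.exe"),
    "themes": ("themes", "svchost.exe"),
    "windows time": ("w32time", "svchost.exe"),
    "security center": ("wscsvc", "svchost.exe"),
}

SAMPLE_DUMP = r"""
SERVICE_NAME: Spooler
Manages all local and network print queues and controls all printing jobs.
TYPE               : 110  WIN32_OWN_PROCESS  INTERACTIVE_PROCESS
START_TYPE         : 2   AUTO_START
ERROR_CONTROL      : 1   NORMAL
BINARY_PATH_NAME   : C:\WINDOWS\system32\spoolsv.exe
DISPLAY_NAME       : Print Spooler
DEPENDENCIES       : RPCSS
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Themes
Provides user experience theme management.
TYPE               : 20  WIN32_SHARE_PROCESS
START_TYPE         : 2   AUTO_START
ERROR_CONTROL      : 1   NORMAL
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME       : Themes
SERVICE_START_NAME : LocalSystem
FAIL_RESET_PERIOD  : 86400 seconds
FAILURE_ACTIONS    : Restart DELAY: 60000 seconds
                   : Restart DELAY: 60000 seconds

SERVICE_NAME: y6ii3hee4i
(null)
TYPE               : 10  WIN32_OWN_PROCESS
START_TYPE         : 2   AUTO_START
ERROR_CONTROL      : 0   IGNORE
BINARY_PATH_NAME   : C:\WINDOWS\system32\gbfqsimjis.exe /service
DISPLAY_NAME       : Print Spooler Service
DEPENDENCIES       :
SERVICE_START_NAME : LocalSystem
"""

# "KEY : value" lines; the free-text description line does not match this.
FIELD_RE = re.compile(r"^([A-Z][A-Z_]+)\s*:\s?(.*)$")


def parse_sc_dump(text):
    """Split the dump into one dict per SERVICE_NAME record.

    The free-text line after SERVICE_NAME is the description ("(null)" when
    the service has none); lines starting with ':' continue the previous
    field (extra DEPENDENCIES / FAILURE_ACTIONS entries)."""
    records, cur, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("SERVICE_NAME:"):
            cur = {"SERVICE_NAME": line.split(":", 1)[1].strip()}
            records.append(cur)
            last_key = None
            continue
        if cur is None:
            continue
        if line.startswith(":") and last_key:
            cur[last_key] += " " + line[1:].strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            cur[last_key] = m.group(2).strip()
        elif "DESCRIPTION" not in cur:
            cur["DESCRIPTION"] = line
    return records


def image_basename(binary_path):
    """'"C:\\a b\\x.exe" /arg' or 'C:\\a\\x.exe -k grp' -> 'x.exe' (lower-case)."""
    p = binary_path.strip()
    if not p:
        return ""
    image = p[1:].split('"', 1)[0] if p.startswith('"') else p.split()[0]
    return image.rsplit("\\", 1)[-1].lower()


def triage(records):
    """Return [(service_name, reason), ...] for records worth a second look."""
    findings = []
    for r in records:
        name = r.get("SERVICE_NAME", "")
        display = r.get("DISPLAY_NAME", "").lower()
        image = image_basename(r.get("BINARY_PATH_NAME", ""))
        for known_display, (known_name, known_image) in KNOWN_SERVICES.items():
            # "Print Spooler Service" borrows the real "Print Spooler" display
            # name, but the real one is service Spooler running spoolsv.exe.
            if display.startswith(known_display) and (
                name.lower() != known_name or image != known_image
            ):
                findings.append((name, "display name mimics '%s' but runs %s as %s"
                                 % (known_display, image, name)))
        # Every service Windows ships carries a description; malware that
        # registers itself with CreateService usually does not bother.
        if r.get("DESCRIPTION") == "(null)" and r.get("START_TYPE", "").endswith("AUTO_START"):
            findings.append((name, "auto-start service with no description"))
    return findings


if __name__ == "__main__":
    for svc, why in triage(parse_sc_dump(SAMPLE_DUMP)):
        print("%-12s %s" % (svc, why))
```

Run against the full dump from the thread (paste it into SAMPLE_DUMP) the same two checks fire only for y6ii3hee4i; the remaining hits on a real machine are almost always third-party services whose display names start with a Windows one, which is why the output is a triage list and not a verdict.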

I think I exceeded the post length... Here's the HijackThis log again

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 2:34:38 PM, on 6/17/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\Fonts\aolsw.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\CTHELPER.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\gbfqsimjis.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\HJT\HiJackThis_v2.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise

O4 - HKLM\..\Run: [vlnealtpp] C:\WINDOWS\system32\vlnealtpp.exe

O4 - HKLM\..\Run: [gbfqsimjis] C:\WINDOWS\system32\gbfqsimjis.exe

O4 - HKLM\..\Run: [mrxn] C:\WINDOWS\system32\mrxn.exe

O4 - HKLM\..\RunServices: [ozbxidyuhr] C:\WINDOWS\system32\ozbxidyuhr.exe

O4 - HKLM\..\RunServices: [yrbsbeu] C:\WINDOWS\system32\yrbsbeu.exe

O4 - HKLM\..\RunServices: [vlnealtpp] C:\WINDOWS\system32\vlnealtpp.exe

O4 - HKLM\..\RunServices: [gbfqsimjis] C:\WINDOWS\system32\gbfqsimjis.exe

O4 - HKLM\..\RunServices: [mrxn] C:\WINDOWS\system32\mrxn.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: LUMIX Simple Viewer.lnk = ?

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157417768218

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejewel...aploader_v6.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sslvpn.pitt.edu/dana-cached/setup/J...perSetupSP1.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: AOL Spy Watch (SPY_Watch-AOL) - Unknown owner - C:\WINDOWS\Fonts\aolsw.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Print Spooler Service (y6ii3hee4i) - Unknown owner - C:\WINDOWS\system32\gbfqsimjis.exe

 

--

End of file - 8409 bytes


Hi again,

 

Please run Notepad and paste the following text in the Code box into a new file:

 

 
REM The rogue service's real name is y6ii3hee4i; "Print Spooler Service" is only
REM its display name, and sc wants the short name ("sc stop Print Spooler Service"
REM would try to stop a service called "Print"). Stop and delete it before the
REM file deletions, otherwise del fails because gbfqsimjis.exe is still running.
REM Do NOT touch the genuine spooler, whose service name is Spooler.
sc stop y6ii3hee4i
sc delete y6ii3hee4i
attrib -r -h -s C:\WINDOWS\system32\vlnealtpp.exe
del C:\WINDOWS\system32\vlnealtpp.exe
attrib -r -h -s C:\WINDOWS\system32\gbfqsimjis.exe
del C:\WINDOWS\system32\gbfqsimjis.exe
attrib -r -h -s C:\WINDOWS\system32\mrxn.exe
del C:\WINDOWS\system32\mrxn.exe
attrib -r -h -s C:\WINDOWS\system32\ozbxidyuhr.exe
del C:\WINDOWS\system32\ozbxidyuhr.exe
attrib -r -h -s C:\WINDOWS\system32\yrbsbeu.exe
del C:\WINDOWS\system32\yrbsbeu.exe
REM Keep the window open so any "Access is denied" / "file in use" errors are visible.
pause

 

Save the file to the desktop as remove.bat and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on remove.bat.

 

next:

 

Please do the following:

Run a BitDefender Online scan Here and post the results.

 

Also post a fresh HiJackThis log.

 

jedi


Hi Jedi

Here goes

Bit Defender Report

BitDefender Online Scanner

Scan report generated at: Sun, Jun 17, 2007 - 21:47:57

Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics

Time: 00:58:20
Files: 150090
Folders: 5366
Boot Sectors: 2
Archives: 14790
Packed Files: 6746

Results

Identified Viruses: 1
Infected Files: 2
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 2

Engines Info

Virus Definitions: 514036
Engine build: AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings

First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\popcaploader.dll
    Infected with: Trojan.Downloader.Popcaploader.A
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{4EE438DF-C284-4BE9-9D50-FDC101C42457}\RP412\A0045754.dll
    Infected with: Trojan.Downloader.Popcaploader.A
    Disinfection failed
    Deleted

HiJackThis Log

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 1:03:55 AM, on 6/18/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\Fonts\aolsw.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\CTHELPER.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\gbfqsimjis.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\HJT\HiJackThis_v2.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise

O4 - HKLM\..\Run: [vlnealtpp] C:\WINDOWS\system32\vlnealtpp.exe

O4 - HKLM\..\Run: [gbfqsimjis] C:\WINDOWS\system32\gbfqsimjis.exe

O4 - HKLM\..\Run: [mrxn] C:\WINDOWS\system32\mrxn.exe

O4 - HKLM\..\RunServices: [ozbxidyuhr] C:\WINDOWS\system32\ozbxidyuhr.exe

O4 - HKLM\..\RunServices: [yrbsbeu] C:\WINDOWS\system32\yrbsbeu.exe

O4 - HKLM\..\RunServices: [vlnealtpp] C:\WINDOWS\system32\vlnealtpp.exe

O4 - HKLM\..\RunServices: [gbfqsimjis] C:\WINDOWS\system32\gbfqsimjis.exe

O4 - HKLM\..\RunServices: [mrxn] C:\WINDOWS\system32\mrxn.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: LUMIX Simple Viewer.lnk = ?

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157417768218

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejewel...aploader_v6.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sslvpn.pitt.edu/dana-cached/setup/J...perSetupSP1.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: AOL Spy Watch (SPY_Watch-AOL) - Unknown owner - C:\WINDOWS\Fonts\aolsw.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Print Spooler Service (y6ii3hee4i) - Unknown owner - C:\WINDOWS\system32\gbfqsimjis.exe

 

--

End of file - 8699 bytes


Hi again,

 

Scan with HiJackThis and put a check in the box next to the following items;

 

O4 - HKLM\..\Run: [vlnealtpp] C:\WINDOWS\system32\vlnealtpp.exe

O4 - HKLM\..\Run: [gbfqsimjis] C:\WINDOWS\system32\gbfqsimjis.exe

O4 - HKLM\..\Run: [mrxn] C:\WINDOWS\system32\mrxn.exe

O4 - HKLM\..\RunServices: [ozbxidyuhr] C:\WINDOWS\system32\ozbxidyuhr.exe

O4 - HKLM\..\RunServices: [yrbsbeu] C:\WINDOWS\system32\yrbsbeu.exe

O4 - HKLM\..\RunServices: [vlnealtpp] C:\WINDOWS\system32\vlnealtpp.exe

O4 - HKLM\..\RunServices: [gbfqsimjis] C:\WINDOWS\system32\gbfqsimjis.exe

O4 - HKLM\..\RunServices: [mrxn] C:\WINDOWS\system32\mrxn.exe

O23 - Service: Print Spooler Service (y6ii3hee4i) - Unknown owner - C:\WINDOWS\system32\gbfqsimjis.exe

 

Close all browsers and windows, click on ‘fix selected’ and allow HJT to fix these entries.

 

Restart.

 

Scan again with HJT, (with all browsers and windows closed) and post the new log in this thread.

 

jedi

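As an added defender-side illustration (not code from this thread's participants or from HijackThis itself): a small Python checker that parses O4/O23 lines like those above and flags the two patterns behind the helper's fix list, a binary registered under several autostart locations at once, and a service whose display name borrows a genuine Windows name (Print Spooler) while pointing at a different file. The sample log is constructed from the entries discussed here, and the one-entry allowlist is an assumption standing in for a real table.

```python
import re
from collections import defaultdict

# Constructed sample log excerpt modelled on the entries discussed in this
# thread: the entries the helper asked to have fixed, plus two legitimate
# Symantec entries for contrast. Not a verbatim copy of the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vlnealtpp] C:\WINDOWS\system32\vlnealtpp.exe
O4 - HKLM\..\Run: [gbfqsimjis] C:\WINDOWS\system32\gbfqsimjis.exe
O4 - HKLM\..\RunServices: [ozbxidyuhr] C:\WINDOWS\system32\ozbxidyuhr.exe
O4 - HKLM\..\RunServices: [vlnealtpp] C:\WINDOWS\system32\vlnealtpp.exe
O4 - HKLM\..\RunServices: [gbfqsimjis] C:\WINDOWS\system32\gbfqsimjis.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Print Spooler Service (y6ii3hee4i) - Unknown owner - C:\WINDOWS\system32\gbfqsimjis.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")

# Assumed minimal allowlist of a genuine Windows service name and the binary
# that backs it on XP; a real tool would carry a much larger table.
GENUINE_SERVICE_BINARY = {"print spooler": "spoolsv.exe"}

def basename(path):
    """Bare lower-case file name from a possibly quoted Windows path."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()

def parse(log_text):
    """Yield (location, display_name, owner, binary) for each O4/O23 line."""
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            yield m["key"], m["name"], None, basename(m["path"])
        elif m := O23_RE.match(line):
            yield "Service", m["display"], m["owner"], basename(m["path"])

def analyze(log_text):
    """Return {binary: [reasons]} for entries that deserve a second look."""
    reasons, locations = defaultdict(list), defaultdict(set)
    for location, display, owner, binary in parse(log_text):
        locations[binary].add(location)  # Run, RunServices or Service
        for genuine, expected in GENUINE_SERVICE_BINARY.items():
            if location == "Service" and genuine in display.lower() and binary != expected:
                reasons[binary].append(f"'{display}' mimics {genuine} but runs {binary}, not {expected}")
    for binary, locs in locations.items():
        if len(locs) > 1:  # same file wired into more than one autostart point
            reasons[binary].append(f"registered in {len(locs)} autostart locations: {sorted(locs)}")
    return dict(reasons)
```

Running `analyze(SAMPLE_LOG)` flags gbfqsimjis.exe on both counts and vlnealtpp.exe for double registration, while the Symantec entries and the single RunServices entry pass.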

Since the issue appears to be resolved this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
