jgar5427

Malware prevents opening antivirus software

25 posts in this topic

My first time here. I did read the FAQs as instructed. Neither Ad-Aware nor Spybot could fix the problem.

Problem: Malware will stop the launch of antivirus software, specifically Norton Antivirus and Grisoft AVG6. Additionally, it will disable the Firewall option in Windows XP Security. Using CWShredder provides partial success: only after this utility is executed can I open the antivirus software listed above and turn on (enable) the Firewall option. This only works until the PC is rebooted.

 

I have enclosed the log generated from StartupList:

-----------------------------------------------------------------------------------------------

StartupList report, 10/14/2004, 1:22:33 PM

StartupList version: 1.52

Started from : C:\DOCUME~1\JAIMEA~1.JGA\LOCALS~1\Temp\Temporary Directory 2 for startuplist.zip\StartupList.EXE

Detected: Windows XP SP2 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)

* Using default options

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\surfmonkey\smproxy.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

C:\WINDOWS\System32\mqsvc.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\System32\mqtgsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

----------------------------------------------------------------------------------------------

I also have the log from HijackThis. I will submit it if needed.

 

Thanks for your assistance

Go ahead and post the HijackThis log.

 

-- LB

133365[/snapback]

 

HERE IT IS:

Logfile of HijackThis v1.98.2

Scan saved at 2:22:29 PM, on 10/14/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\surfmonkey\smproxy.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

C:\WINDOWS\System32\mqsvc.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\System32\mqtgsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\svchost.exe

C:\WINDOWS\system32\notepad.exe

C:\DOCUME~1\JAIMEA~1.JGA\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie...ton/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search

R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe

O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322

O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll

O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll

O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll

O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll


First thing to do is create a new folder called C:\HJT and move HijackThis to it. Otherwise, HijackThis (and all backups created by it) will be lost if the temp folder is cleaned out.

 

I'm checking with the experts to see what needs to be done next.

 

-- LB


LB, thanks so much for your help. Regarding the creation of folder HJT in C: that is the first thing I did when I downloaded HijackThis. The zipped file is stored in C:\HJT\hijackthis.zip. The log file is also under C:\HJT\Log File 101404_1.

I have no clue why the Log File 101404_1 file shows C:\DOCUME~1\JAIMEA~1.JGA\LOCALS~1\Temp\. When I checked this directory the Temp folder was empty?! (I do have the "Show hidden files and folders" option enabled)

 

Jaime


LB, here is the new HijackThis log file:

Logfile of HijackThis v1.98.2

Scan saved at 3:30:24 PM, on 10/14/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\surfmonkey\smproxy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

C:\WINDOWS\System32\mqsvc.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\System32\mqtgsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

C:\HJT\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie...ton/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search

R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe

O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322

O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll

O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll

O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll

O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll

LB, thanks so much for your help. Regarding the creation of folder HJT in C: that is the first thing I did when I downloaded HijackThis. The zipped file is stored in C:\HJT\hijackthis.zip. The log file is also under C:\HJT\Log File 101404_1.

I have no clue why the Log File 101404_1 file shows C:\DOCUME~1\JAIMEA~1.JGA\LOCALS~1\Temp\. When I checked this directory the Temp folder was empty?! (I do have the "Show hidden files and folders" option enabled)

 

Jaime

133484[/snapback]

 

Did you run it directly from the zip file? If so, then you should unzip HijackThis to C:\HJT.

 

-- LB

LB, thanks so much for your help. Regarding the creation of folder HJT in C: that is the first thing I did when I downloaded HijackThis. The zipped file is stored in C:\HJT\hijackthis.zip. The log file is also under C:\HJT\Log File 101404_1.

I have no clue why the Log File 101404_1 file shows C:\DOCUME~1\JAIMEA~1.JGA\LOCALS~1\Temp\. When I checked this directory the Temp folder was empty?! (I do have the "Show hidden files and folders" option enabled)

 

Jaime

133484[/snapback]

 

Did you run it directly from the zip file? If so, then you should unzip HijackThis to C:\HJT.

 

-- LB

133507[/snapback]

 

LB, I did exactly that: unzipped the file, then ran the unzipped file. I completed that before you responded and attached the log file to the previous reply.

 

Jaime


LB, I am sorry, my bad. I have been submitting my replies without using the Add Reply button.

 

So to answer your question: yes, I did unzip HijackThis under C:\HJT and ran the unzipped file. I have also enclosed the new HijackThis log file; it is named Log file 101404_2.

-----------------------------------------------------------------------------------------

Logfile of HijackThis v1.98.2

Scan saved at 3:30:24 PM, on 10/14/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\surfmonkey\smproxy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

C:\WINDOWS\System32\mqsvc.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\System32\mqtgsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

C:\HJT\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie...ton/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search

R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe

O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322

O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll

O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll

O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll

O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll

----------------------------------------------------------------------------------------------

 

I am not familiar with the following files:

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\system32\ctfmon.exe

 

Thanks for your patience

 

Jaime

I am not familiar with the following files:

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\system32\ctfmon.exe

 

Thanks for your patience

 

Jaime

133526[/snapback]

 

Both of those are legit.

 

Did you put something called Math Player in? I noticed these lines:

 

O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll

O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll

O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll

O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll

 

I couldn't find anything to indicate if these are legit or not.

 

-- LB


LB,

Yes, I did download a software utility from a math site for my son. But we hardly use it, so I wouldn't mind removing it. I will remove it and get back to you.

 

--Jaime


LB,

 

I deleted the MathPlayer; the problem continues (cannot open antivirus software). I scanned my PC again; here is the most recent HijackThis log:

 

Logfile of HijackThis v1.98.2

Scan saved at 5:06:40 PM, on 10/14/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\surfmonkey\smproxy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\svchost.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

C:\WINDOWS\System32\mqsvc.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\System32\mqtgsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HJT\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie...ton/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search

R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe

O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322

O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

 

--Jaime


Download A2 Anti-Trojan from here and run it.

 

Have any of the anti-virus programs found anything recently? You might want to run a full scan and do an online scan (when they are running).

 

-- LB


Hey LB,

Here is the latest:

-Spybot, CWShredder, HijackThis and a-squared have no problem being launched.

-Running CWShredder defeats the malware temporarily so I can run AVG6 and Norton Antivirus.

-AVG6 Shield detects a Trojan, winxpert.sys in C:\WINDOWS but I don't see it there. I had eliminated this file two days ago though.

-Spybot detects a DSO Exploit where 5 files are affected in the HKEY_USERS directory. All of them are related to ..\Current Version\Internet Settings\Zones\0\, these five registry keys are set to 1004!=W=3. Spybot will fix them but they are loaded back after each reboot.

-a-squared detects no malware at all.

 

I also noticed that after running CWShredder and then executing Norton Antivirus and AVG6 simultaneously, AVG scanning will stop and the program will be closed without any action on my part. Attempts to launch the program fail until I re-run CWShredder.

 

I gotta tell you this piece of malware is something else.

 

Your feedback is appreciated!

--Jaime


What is CWShredder finding?

 

About the DSO exploits being found by Spybot, ignore them. It's a known bug in Spybot.

 

As for winxpert.sys, are you sure that's the right filename? I ran it through google, but got no hits.

 

Running more than one anti-virus program at the same time is not a good idea. Only run one at a time. I also notice you appear to have AVG6 and Norton both running at startup. Choose one and disable the other.

 

Reboot and post a new log. I saw something that wasn't in the previous logs:

 

C:\WINDOWS\svchost.exe - not a legit file.

 

I didn't see any indication of this file in the O4 section of your log.

 

-- LB

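LB's point above, that svchost.exe belongs in C:\WINDOWS\system32 and a copy in C:\WINDOWS is not legitimate, can be checked mechanically against a HijackThis log instead of by eye. The script below is an added example, not part of this thread and not code from HijackThis; it assumes the default %SystemRoot% of C:\WINDOWS seen in the logs here, and the sample log embedded in it is constructed from paths quoted in this thread.

```python
"""Flag core Windows binaries that are running from the wrong directory.

Added example, not part of the original thread. It reads the "Running
processes" section and the O4 autorun entries of a HijackThis log and
reports any entry whose file name is a core Windows binary but whose
directory is not where that binary lives on Windows XP. The sample log
below is constructed from paths quoted in this thread; C:\WINDOWS\svchost.exe
is exactly the case LB points out, while C:\WINDOWS\Explorer.EXE is where
Windows Explorer belongs and is left alone.
"""
import ntpath
import re

# Lower-cased directories in which each core binary legitimately lives.
# Assumes the default %SystemRoot% of C:\WINDOWS used in the thread's logs.
EXPECTED_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "ctfmon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
PATH_RE = re.compile(r"^[A-Za-z]:\\")                 # a line that is a drive path
O4_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (.*)$")    # "O4 - HKLM\..\Run: [name] cmd"


def running_processes(log_text):
    """Paths listed under 'Running processes:'; the first R/O entry ends the section."""
    paths, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line.lower().startswith("running processes:")
        elif line and not PATH_RE.match(line):
            break
        elif line:
            paths.append(line)
    return paths


def o4_targets(log_text):
    """The executable named by each O4 entry, with quotes and arguments removed.
    Bare names such as BCMSMMSG.exe (no directory) are returned unchanged."""
    targets = []
    for raw in log_text.splitlines():
        m = O4_RE.match(raw.strip())
        if m:
            rest = m.group(1).strip()
            targets.append(rest[1:].split('"', 1)[0] if rest.startswith('"')
                           else rest.split(" ", 1)[0])
    return targets


def misplaced_binaries(paths):
    """(path, expected dirs) for each core binary found outside its home directory."""
    findings = []
    for p in paths:
        directory, name = ntpath.split(p)
        allowed = EXPECTED_DIRS.get(name.lower())
        if allowed and directory.lower().rstrip("\\") not in allowed:
            findings.append((p, sorted(allowed)))
    return findings


def report(log_text):
    """Run both extractors over a log and return the combined findings."""
    return misplaced_binaries(running_processes(log_text) + o4_targets(log_text))


# Constructed sample: paths taken from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 12:23:43 PM, on 10/19/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for path, expected in report(SAMPLE_LOG):
        print("SUSPICIOUS:", path, "expected in", ", ".join(expected))
```

Run it as a script to print the flagged entries, or paste a complete log into SAMPLE_LOG. The same comparison answers the question raised later in the thread about EXPLORER.EXE: C:\WINDOWS is where Windows Explorer lives, so that entry is not flagged, while the svchost.exe copy in the same directory is.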

Hey LB,

You hit the nail right on the head. It is C:\WINDOWS\svchost.exe which is causing this problem. I can clean it with CWShredder but it comes back after reboot. I don't know how to get rid of it. I tried running CWShredder to clean it, then disabling System Restore and rebooting, and it shows up again. I wonder if I need to clean it in Safe Mode.

 

--Jaime


Change settings to show hidden files by doing the following:

 

Open My Computer.

 

* Select the View menu and click Folder Options.

 

* Select the View Tab.

 

* In the Hidden files section select Show all files.

 

Click OK

 

Reboot into safe mode by restarting the computer, then repeatedly tapping F8 until you hit a menu. Choose Safe Mode from the menu.

 

Once there, delete the following file:

 

C:\WINDOWS\svchost.exe -> see note below.

 

Important note: Make sure you delete that one and not the one in C:\WINDOWS\system32 (the one in there is legit).

 

Finally, reboot and see if the AV programs work. Then post a new log.

 

-- LB


Dear LB:

Sorry I did not get back to you sooner but I was out of town over the weekend. Well, here is my response. My PC is infected with the worm svchost.exe. This worm or a strain of it hides in the folder C:\WINDOWS, NOT C:\WINDOWS\System32\.

 

CWShredder cleans up the worm without identifying it, but only until the PC is rebooted. Spybot fails to detect this worm and instead indicates it has found a DSO exploit, which, you explained, is a defect/bug of this sw. Then I used a free download called XsoftSpy 3.45; this is the only sw I have used so far that detects this worm. I followed your instructions using Safe Mode to delete the C:\WINDOWS\svchost.exe file but it comes back after every reboot.

 

Two interesting things to point out: after deleting \WINDOWS\svchost.exe and restarting the PC, the HijackThis log shows the \WINDOWS\svchost.exe process coming back. So attempting to delete this worm in Safe Mode or scanning C:\ with HijackThis has no effect on defeating the worm.

 

The second observation is that this worm shows up most of the time right after C:\WINDOWS\EXPLORER.EXE. I thought that executable was supposed to reside in the folder C:\Program Files\Internet Explorer, not C:\WINDOWS.

 

I have enclosed the latest HijackThis log after rebooting the PC.

------------------------------------------------------------------------------

Logfile of HijackThis v1.98.2

Scan saved at 12:23:43 PM, on 10/19/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\svchost.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\msdtc.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\System32\mqsvc.exe

C:\WINDOWS\System32\mqtgsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\surfmonkey\SMProxy.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\HJT\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322

O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

 

Your feedback is appreciated.

--Jaime


C:\WINDOWS\EXPLORER.EXE is Windows Explorer (which is what you use to view the contents of the hard drive). You were probably thinking of Internet Explorer, which is C:\Program Files\Internet Explorer\iexplore.exe.

 

Please download GetService.zip

Extract it to a new folder on the desktop. Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder. It will then open getservice.txt for you.

getservice.txt will list all active Services. Copy and paste the contents of getservice.txt in your next reply here. From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the service will have changed and the fix provided will not work.

 

-- LB

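LB asks for the service list because a file that is re-created in C:\WINDOWS on every boot, with no O4 entry to account for it, points at a service as the restart mechanism. As an added example (not part of this thread, of GetService.bat or of PsService), the script below parses PsService's text output and applies two triage heuristics to auto-start services. The embedded sample follows the layout of the PsService output posted in the next reply; the last record, ExampleSvc, is constructed.

```python
"""Parse a PsService listing and pick out services worth a closer look.

Added example, not from the thread. GetService.bat (requested above) wraps
Sysinternals PsService; this script reads that text format. The sample
copies the layout of the records posted later in the thread, except the
last record, ExampleSvc, which is constructed to show how a service that
re-creates C:\WINDOWS\svchost.exe at every boot would appear. Two triage
heuristics are applied to AUTO_START services: (1) the image is a core
Windows binary living outside System32; (2) the description is "(null)".
Heuristic 2 is only a hint: legitimate vendor services (DefWatch here)
trigger it as well, so it orders the reading rather than giving a verdict.
"""
import ntpath
import re

SYSTEM32 = r"c:\windows\system32"   # assumes %SystemRoot% is C:\WINDOWS, as in the thread
CORE_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}
FIELD_RE = re.compile(r"^([A-Z_]+)\s*:\s*(.*)$")  # "START_TYPE : 2 AUTO_START"
LIST_FIELDS = {"DEPENDENCIES", "FAILURE_ACTIONS"}  # extra values start with ':'


def parse_services(text):
    """One dict per SERVICE_NAME record. The line after the name is the
    description; continuation lines such as ": RpcSs" extend list fields."""
    services, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("SERVICE_NAME:"):
            current = {"SERVICE_NAME": line.split(":", 1)[1].strip(), "DESCRIPTION": None}
            services.append(current)
            last_key = None
        elif current is None:
            continue                       # PsService banner before the first record
        elif current["DESCRIPTION"] is None:
            current["DESCRIPTION"] = line
        else:
            m = FIELD_RE.match(line)
            if m:
                key, value = m.group(1), m.group(2).strip()
                current[key] = ([value] if value else []) if key in LIST_FIELDS else value
                last_key = key
            elif line.startswith(":") and last_key in LIST_FIELDS:
                current[last_key].append(line[1:].strip())
    return services


def image_path(binary_path_name):
    """Strip quotes and command-line arguments from a BINARY_PATH_NAME value."""
    s = binary_path_name.strip()
    return s[1:].split('"', 1)[0] if s.startswith('"') else s.split(" ", 1)[0]


def suspicious_services(services):
    """Return (service name, [reasons]) for AUTO_START services matching a heuristic."""
    findings = []
    for svc in services:
        if "AUTO_START" not in svc.get("START_TYPE", ""):
            continue
        reasons = []
        directory, name = ntpath.split(image_path(svc.get("BINARY_PATH_NAME", "")))
        name = name.lower()
        if name and not name.endswith(".exe"):     # DcomLaunch lists "svchost" without .exe
            name += ".exe"
        if name in CORE_BINARIES and directory.lower().rstrip("\\") != SYSTEM32:
            reasons.append("core Windows binary outside System32: " + directory)
        if svc["DESCRIPTION"] in (None, "", "(null)"):
            reasons.append("auto-start service with no description")
        if reasons:
            findings.append((svc["SERVICE_NAME"], reasons))
    return findings


# Constructed sample in PsService layout; ExampleSvc is a made-up record.
SAMPLE_PSSERVICE = r"""PsService v1.1 - local and remote services viewer/controller
Sysinternals - www.sysinternals.com

SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers.
        START_TYPE        : 2 AUTO_START
        BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
        DEPENDENCIES      : LanmanWorkstation
                          : LanmanServer
        SERVICE_START_NAME: LocalSystem

SERVICE_NAME: DcomLaunch
Provides launch functionality for DCOM services.
        START_TYPE        : 2 AUTO_START
        BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost -k DcomLaunch
        DEPENDENCIES      :
        SERVICE_START_NAME: LocalSystem

SERVICE_NAME: DefWatch
(null)
        START_TYPE        : 2 AUTO_START
        BINARY_PATH_NAME  : "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe"
        DEPENDENCIES      :
        SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ExampleSvc
(null)
        START_TYPE        : 2 AUTO_START
        BINARY_PATH_NAME  : C:\WINDOWS\svchost.exe
        DEPENDENCIES      :
        SERVICE_START_NAME: LocalSystem
"""
```

Calling `suspicious_services(parse_services(SAMPLE_PSSERVICE))` returns DefWatch (description only, a known vendor service) and ExampleSvc (both heuristics). On a real getservice.txt the records an analyst reads first are those with both reasons; a description-only hit is ordinary for third-party software and needs the binary's vendor and signature checked before anything is touched.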

LB, here is the file you requested:

----------------------------------------------------------------------------------------------

PsService v1.1 - local and remote services viewer/controller

Copyright © 2001-2003 Mark Russinovich

Sysinternals - www.sysinternals.com

 

SERVICE_NAME: Alerter

Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Alerter

DEPENDENCIES : LanmanWorkstation

SERVICE_START_NAME: NT AUTHORITY\LocalService

 

SERVICE_NAME: ALG

Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Application Layer Gateway Service

DEPENDENCIES :

SERVICE_START_NAME: NT AUTHORITY\LocalService

 

SERVICE_NAME: AppMgmt

Provides software installation services such as Assign, Publish, and Remove.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Application Management

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Ati HotKey Poller

(null)

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\Ati2evxx.exe

LOAD_ORDER_GROUP : Event log

TAG : 0

DISPLAY_NAME : Ati HotKey Poller

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: ATI Smart

(null)

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\ati2sgag.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : ATI Smart

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: AudioSrv

Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : AudioGroup

TAG : 0

DISPLAY_NAME : Windows Audio

DEPENDENCIES : PlugPlay

: RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: BITS

Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Background Intelligent Transfer Service

DEPENDENCIES : Rpcss

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 0 seconds

FAILURE_ACTIONS : Restart DELAY: 60000 seconds

: Restart DELAY: 60000 seconds

: Restart DELAY: 60000 seconds

 

SERVICE_NAME: Browser

Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Computer Browser

DEPENDENCIES : LanmanWorkstation

: LanmanServer

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: cisvc

Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\cisvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Indexing Service

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: ClipSrv

Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : ClipBook

DEPENDENCIES : NetDDE

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: COMSysApp

Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : COM+ System Application

DEPENDENCIES : rpcss

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 30 seconds

FAILURE_ACTIONS : Restart DELAY: 1000 seconds

: Restart DELAY: 5000 seconds

: None DELAY: 1000 seconds

 

SERVICE_NAME: CryptSvc

Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Cryptographic Services

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: DcomLaunch

Provides launch functionality for DCOM services.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k DcomLaunch

LOAD_ORDER_GROUP : Event Log

TAG : 0

DISPLAY_NAME : DCOM Server Process Launcher

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 0 seconds

FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

 

SERVICE_NAME: DefWatch

(null)

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe"

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : DefWatch

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Dhcp

Manages network configuration by registering and updating IP addresses and DNS names.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : DHCP Client

DEPENDENCIES : Tcpip

: Afd

: NetBT

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: dmadmin

Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Logical Disk Manager Administrative Service

DEPENDENCIES : RpcSs

: PlugPlay

: DmServer

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: dmserver

Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Logical Disk Manager

DEPENDENCIES : RpcSs

: PlugPlay

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Dnscache

Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k NetworkService

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : DNS Client

DEPENDENCIES : Tcpip

SERVICE_START_NAME: NT AUTHORITY\NetworkService

 

SERVICE_NAME: ERSvc

Allows error reporting for services and applictions running in non-standard environments.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Error Reporting Service

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Eventlog

Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe

LOAD_ORDER_GROUP : Event log

TAG : 0

DISPLAY_NAME : Event Log

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: EventSystem

Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : Network

TAG : 0

DISPLAY_NAME : COM+ Event System

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: FastUserSwitchingCompatibility

Provides management for applications that require assistance in a multiple user environment.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Fast User Switching Compatibility

DEPENDENCIES : TermService

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Fax

Enables you to send and receive faxes, utilizing fax resources available on this computer or on the network.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\fxssvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Fax

DEPENDENCIES : TapiSrv

: RpcSs

: PlugPlay

: Spooler

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: helpsvc

Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Help and Support

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 86400 seconds

FAILURE_ACTIONS : Restart DELAY: 100 seconds

: Restart DELAY: 100 seconds

: None DELAY: 100 seconds

 

SERVICE_NAME: HidServ

Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Human Interface Device Access

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: HTTPFilter

This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k HTTPFilter

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : HTTP SSL

DEPENDENCIES : HTTP

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: IISADMIN

Allows administration of Web and FTP services through the Internet Information Services snap-in

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\inetsrv\inetinfo.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : IIS Admin

DEPENDENCIES : RPCSS

: SamSS

SERVICE_START_NAME: LocalSystem

COMMAND : isreset.exe" /fail=%1%

FAIL_RESET_PERIOD : 86400 seconds

FAILURE_ACTIONS : Run command DELAY: 1 seconds

: Run command DELAY: 1 seconds

: Run command DELAY: 1 seconds

 

SERVICE_NAME: ImapiService

Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\imapi.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : IMAPI CD-Burning COM Service

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: lanmanserver

Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Server

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: lanmanworkstation

Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : NetworkProvider

TAG : 0

DISPLAY_NAME : Workstation

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: LmHosts

Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : TCP/IP NetBIOS Helper

DEPENDENCIES : NetBT

: Afd

SERVICE_START_NAME: NT AUTHORITY\LocalService

 

SERVICE_NAME: MDM

Supports local and remote debugging for Visual Studio and script debuggers. If this service is stopped, the debuggers will not function properly.

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Machine Debug Manager

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Messenger

Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Messenger

DEPENDENCIES : LanmanWorkstation

: NetBIOS

: PlugPlay

: RpcSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: mnmsrvc

Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\mnmsrvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : NetMeeting Remote Desktop Sharing

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: MSDTC

Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\msdtc.exe

LOAD_ORDER_GROUP : MS Transactions

TAG : 0

DISPLAY_NAME : Distributed Transaction Coordinator

DEPENDENCIES : RPCSS

: SamSS

SERVICE_START_NAME: NT AUTHORITY\NetworkService

 

SERVICE_NAME: MSIServer

Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\msiexec.exe /V

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows Installer

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: MSMQ

Provides a communications infrastructure for distributed, asynchronous messaging applications.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\mqsvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Message Queuing

DEPENDENCIES : MQAC

: RMCAST

: LanmanServer

: NtLmSsp

: RPCSS

: MSDTC

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: MSMQTriggers

Associates the arrival of incoming messages at a queue with functionality in a COM component or a stand-alone executable program.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\mqtgsvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Message Queuing Triggers

DEPENDENCIES : MSMQ

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: NetDDE

Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe

LOAD_ORDER_GROUP : NetDDEGroup

TAG : 0

DISPLAY_NAME : Network DDE

DEPENDENCIES : NetDDEDSDM

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: NetDDEdsdm

Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Network DDE DSDM

DEPENDENCIES :

: EGrLocalSystem

: Network DDE DSDM

: etwork DDE

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Netlogon

Supports pass-through authentication of account logon events for computers in a domain.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe

LOAD_ORDER_GROUP : RemoteValidation

TAG : 0

DISPLAY_NAME : Net Logon

DEPENDENCIES : LanmanWorkstation

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Netman

Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Network Connections

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Nla

Collects and stores network configuration and location information, and notifies applications when this information changes.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Network Location Awareness (NLA)

DEPENDENCIES : Tcpip

: Afd

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Norton AntiVirus Server

(null)

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe"

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Symantec AntiVirus Client

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: NtLmSsp

Provides security to remote procedure call (RPC) programs that use transports other than named pipes.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : NT LM Security Support Provider

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: NtmsSvc

(null)

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Removable Storage

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: PlugPlay

Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe

LOAD_ORDER_GROUP : PlugPlay

TAG : 0

DISPLAY_NAME : Plug and Play

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: PolicyAgent

Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : IPSEC Services

DEPENDENCIES : RPCSS

: Tcpip

: IPSec

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: ProtectedStorage

Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Protected Storage

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RasAuto

Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Remote Access Auto Connection Manager

DEPENDENCIES : RasMan

: Tapisrv

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RasMan

Creates a network connection.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Remote Access Connection Manager

DEPENDENCIES : Tapisrv

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RDSessMgr

Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Remote Desktop Help Session Manager

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RemoteAccess

Offers routing services to businesses in local area and wide area network environments.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Routing and Remote Access

DEPENDENCIES : RpcSS

: +NetBIOSGroup

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RemoteRegistry

Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Remote Registry

DEPENDENCIES : RPCSS

SERVICE_START_NAME: NT AUTHORITY\LocalService

FAIL_RESET_PERIOD : 0 seconds

FAILURE_ACTIONS : Restart DELAY: 1000 seconds

 

SERVICE_NAME: RpcLocator

Manages the RPC name service database.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\locator.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Remote Procedure Call (RPC) Locator

DEPENDENCIES : LanmanWorkstation

SERVICE_START_NAME: NT AUTHORITY\NetworkService

 

SERVICE_NAME: RpcSs

Provides the endpoint mapper and other miscellaneous RPC services.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss

LOAD_ORDER_GROUP : COM Infrastructure

TAG : 0

DISPLAY_NAME : Remote Procedure Call (RPC)

DEPENDENCIES :

SERVICE_START_NAME: NT Authority\NetworkService

FAIL_RESET_PERIOD : 0 seconds

FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

 

SERVICE_NAME: RSVP

Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\rsvp.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : QoS RSVP

DEPENDENCIES : TcpIp

: Afd

: RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SamSs

Stores security information for local user accounts.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe

LOAD_ORDER_GROUP : LocalValidation

TAG : 0

DISPLAY_NAME : Security Accounts Manager

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SCardSvr

Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe

LOAD_ORDER_GROUP : SmartCardGroup

TAG : 0

DISPLAY_NAME : Smart Card

DEPENDENCIES : PlugPlay

SERVICE_START_NAME: NT AUTHORITY\LocalService

 

SERVICE_NAME: Schedule

Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : SchedulerGroup

TAG : 0

DISPLAY_NAME : Task Scheduler

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: seclogon

Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Secondary Logon

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SENS

Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : Network

TAG : 0

DISPLAY_NAME : System Event Notification

DEPENDENCIES : EventSystem

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SharedAccess

Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS)

DEPENDENCIES : Netman

: WinMgmt

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: ShellHWDetection

(null)

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : ShellSvcGroup

TAG : 0

DISPLAY_NAME : Shell Hardware Detection

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SMTPSVC

Transports electronic mail across the network

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\inetsrv\inetinfo.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Simple Mail Transfer Protocol (SMTP)

DEPENDENCIES : IISADMIN

: Eventlog

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SNMP

Includes agents that monitor the activity in network devices and report to the network console workstation.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\snmp.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : SNMP Service

DEPENDENCIES : EventLog

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SNMPTRAP

Receives trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on this computer.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\snmptrap.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : SNMP Trap Service

DEPENDENCIES : EventLog

SERVICE_START_NAME: NT AUTHORITY\LocalService

 

SERVICE_NAME: spkrmon

(null)

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : spkrmon

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Spooler

Loads files to memory for later printing.

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe

LOAD_ORDER_GROUP : SpoolerGroup

TAG : 0

DISPLAY_NAME : Print Spooler

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 86400 seconds

FAILURE_ACTIONS : Restart DELAY: 60000 seconds

: Restart DELAY: 60000 seconds

: None DELAY: 0 seconds

 

SERVICE_NAME: srservice

Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : System Restore Service

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SSDPSRV

Enables discovery of UPnP devices on your home network.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : SSDP Discovery Service

DEPENDENCIES : HTTP

SERVICE_START_NAME: NT AUTHORITY\LocalService

 

SERVICE_NAME: stisvc

Provides image acquisition services for scanners and cameras.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k imgsvc

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows Image Acquisition (WIA)

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SwPrv

Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{37DD52B3-BD92-4976-8390-92CC41E7A4A4}

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : MS Software Shadow Copy Provider

DEPENDENCIES : rpcss

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SysmonLog

Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Performance Logs and Alerts

DEPENDENCIES :

SERVICE_START_NAME: NT Authority\NetworkService

 

SERVICE_NAME: TapiSrv

Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Telephony

DEPENDENCIES : PlugPlay

: RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: TermService

Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost -k DComLaunch

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Terminal Services

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Themes

Provides user experience theme management.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : UIGroup

TAG : 0

DISPLAY_NAME : Themes

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 86400 seconds

FAILURE_ACTIONS : Restart DELAY: 60000 seconds

: Restart DELAY: 60000 seconds

: None DELAY: 0 seconds

 

SERVICE_NAME: TlntSvr

Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\tlntsvr.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Telnet

DEPENDENCIES : RPCSS

: TCPIP

: NTLMSSP

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: TrkWks

Maintains links between NTFS files within a computer or across computers in a network domain.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Distributed Link Tracking Client

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: UMWdf

Enables Windows user mode drivers.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\wdfmgr.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows User Mode Driver Framework

DEPENDENCIES : RpcSs

SERVICE_START_NAME: NT AUTHORITY\LocalService

 

SERVICE_NAME: upnphost

Provides support to host Universal Plug and Play devices.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Universal Plug and Play Device Host

DEPENDENCIES : SSDPSRV

: HTTP

SERVICE_START_NAME: NT AUTHORITY\LocalService

FAIL_RESET_PERIOD : -1 seconds

FAILURE_ACTIONS : Restart DELAY: 0 seconds

 

SERVICE_NAME: UPS

Manages an uninterruptible power supply (UPS) connected to the computer.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Uninterruptible Power Supply

DEPENDENCIES :

SERVICE_START_NAME: NT AUTHORITY\LocalService

 

SERVICE_NAME: VSS

Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Volume Shadow Copy

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: W32Time

Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows Time

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 5 seconds

FAILURE_ACTIONS : Restart DELAY: 60000 seconds

: Restart DELAY: 60000 seconds

 

SERVICE_NAME: W3SVC

Provides Web connectivity and administration through the Internet Information Services snap-in

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\inetsrv\inetinfo.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : World Wide Web Publishing

DEPENDENCIES : IISADMIN

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: WebClient

Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService

LOAD_ORDER_GROUP : NetworkProvider

TAG : 0

DISPLAY_NAME : WebClient

DEPENDENCIES : MRxDAV

SERVICE_START_NAME: NT AUTHORITY\LocalService

 

SERVICE_NAME: winmgmt

Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows Management Instrumentation

DEPENDENCIES : RPCSS

: Eventlog

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 86400 seconds

FAILURE_ACTIONS : Restart DELAY: 60000 seconds

: Restart DELAY: 60000 seconds

 

SERVICE_NAME: WmdmPmSN

Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Portable Media Serial Number Service

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Wmi

Provides systems management information to and from drivers.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows Management Instrumentation Driver Extensions

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: WmiApSrv

Provides performance library information from WMI HiPerf providers.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\wbem\wmiapsrv.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : WMI Performance Adapter

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: wscsvc

Monitors system security settings and configurations.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Security Center

DEPENDENCIES : RpcSs

: winmgmt

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: wuauserv

Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Automatic Updates

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: WZCSVC

Provides automatic configuration for the 802.11 adapters

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : Wireless Zero Configuration

DEPENDENCIES : RpcSs

: Ndisuio

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: xmlprov

Manages XML configuration files on a domain basis for automatic network provisioning.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Network Provisioning Service

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

-----------------------------------------------------------------------------------------------

 

--Jaime

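The service dump above is the kind of thing a responder reads top to bottom looking for two things: protective services that have been switched off (SharedAccess, the Windows Firewall/ICS service, is at START_TYPE 4 DISABLED in the log, which matches the greyed-out firewall option described in the first post) and service binaries living somewhere a Windows service binary should not. The following is an added example, not part of the thread and not StartupList's own code, that parses that `SERVICE_NAME:` block format and applies those checks. The sample dump is a constructed excerpt: three entries are copied from the log above and the `WinSvcHost` entry is made up to show what a rogue service would look like to the parser. The list of protective services and the trusted directories are assumptions for illustration.

```python
"""Triage an sc-query-style service dump like the StartupList block above.
Added example; not StartupList or forum tooling.  SAMPLE_DUMP is a constructed
excerpt: three entries copied from the log, one made-up 'WinSvcHost' entry."""
import re

# XP services that protect the host (names as they appear in the log above).
# START_TYPE 4 DISABLED on any of these is the first thing to ask about.
PROTECTIVE_SERVICES = {
    "SharedAccess": "Windows Firewall/ICS",
    "wscsvc": "Security Center",
    "wuauserv": "Automatic Updates",
    "Norton AntiVirus Server": "Symantec AntiVirus Client",
}
# Where a legitimate XP service binary normally lives (assumption for this example).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

SAMPLE_DUMP = r"""
SERVICE_NAME: SharedAccess
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS)
DEPENDENCIES : Netman
: WinMgmt
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wscsvc
Monitors system security settings and configurations.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Security Center
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Norton AntiVirus Server
(null)
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe"
DISPLAY_NAME : Symantec AntiVirus Client
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WinSvcHost
(null)
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\svchost.exe
DISPLAY_NAME : Windows Service Host
SERVICE_START_NAME: LocalSystem
"""

FIELD = re.compile(r"^([A-Z_]+)\s*:\s*(.*)$")   # e.g. 'START_TYPE : 4 DISABLED'

def parse_services(text):
    """One dict per SERVICE_NAME block.  The free-text line after SERVICE_NAME
    becomes DESCRIPTION; ':'-prefixed DEPENDENCIES continuation lines are skipped."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):
            continue
        if line.startswith("SERVICE_NAME:"):
            current = {"SERVICE_NAME": line.split(":", 1)[1].strip()}
            services.append(current)
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip()
            else:
                current.setdefault("DESCRIPTION", line)
    return services

def image_path(binary_path_name):
    """Executable part of BINARY_PATH_NAME: a quoted path is taken whole, an
    unquoted one ends at the first space (so '-k netsvcs' and '/Processid:...' drop)."""
    bp = binary_path_name.strip()
    if bp.startswith('"'):
        end = bp.find('"', 1)
        return bp[1:end] if end > 0 else bp[1:]
    return bp.split()[0] if bp else ""

def start_type(svc):
    """Numeric START_TYPE (2 auto, 3 demand, 4 disabled) or None if absent."""
    m = re.match(r"\d+", svc.get("START_TYPE", ""))
    return int(m.group()) if m else None

def triage(text):
    """Return (service_name, code, detail) findings for a dump."""
    findings = []
    for svc in parse_services(text):
        name, st = svc["SERVICE_NAME"], start_type(svc)
        if name in PROTECTIVE_SERVICES and st == 4:
            findings.append((name, "DISABLED_PROTECTIVE", PROTECTIVE_SERVICES[name]))
        path = image_path(svc.get("BINARY_PATH_NAME", "")).lower()
        if path and not path.startswith(TRUSTED_DIRS):
            findings.append((name, "UNTRUSTED_PATH", path))
        # Low-confidence: auto-started with no description.  Vendor services such as
        # spkrmon and the Symantec client in the log trip this too; it ranks, never convicts.
        if st == 2 and svc.get("DESCRIPTION", "(null)") == "(null)":
            findings.append((name, "NO_DESCRIPTION", svc.get("DISPLAY_NAME", "")))
    return findings
```

Run `triage(SAMPLE_DUMP)` and the disabled firewall service and the made-up entry under `C:\WINDOWS\` come out as findings while `wscsvc` and the Symantec client do not (apart from the deliberately weak no-description hint). A dump like this only shows configuration; it cannot say who flipped SharedAccess to DISABLED, and a binary in a trusted directory can still be hostile, so the checks narrow the reading list rather than settle the question.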
Then I used a free download called XsoftSpy 3.45; this is the only sw I have used so far to detect this worm. I followed your instructions using safe mode to delete the C:\WINDOWS\svschost.exe file but it comes back after every reboot.

 

I think it's called XoftSpy, in which case you should uninstall it. It's a rogue program. See this article.

 

As to why that file won't go away, I'm waiting for an answer from the experts.

 

-- LB


Hello LB,

I did remove XoftSpy. Thanks for the heads up. I have enclosed my latest HJT log.

-----------------------------------------------------------------------------------------------

Logfile of HijackThis v1.98.2

Scan saved at 2:41:04 AM, on 10/22/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\svchost.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\surfmonkey\smproxy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\a2\a2guard.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\HJT\hijackthis\HijackThis.exe

C:\WINDOWS\System32\msdtc.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\System32\mqsvc.exe

C:\WINDOWS\System32\mqtgsvc.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search

O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: Adorons Easy Security - {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - C:\Program Files\Enigma Software Group\Adorons Easy Security\ETB.dll

O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322

O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

---------------------------------------------------------------------------------------------

Regards,

--Jaime

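The HijackThis log above lists `C:\WINDOWS\svchost.exe` among the running processes, one directory up from where the real service host lives on XP (`C:\WINDOWS\System32\svchost.exe`, which the same log also shows). That is the classic masquerade: a familiar name in the wrong place. The following is an added example, not HijackThis code and not part of the thread, that reads the "Running processes" list and the O4 Run entries of an HJT log and flags core Windows binary names running from anywhere other than their home directory, plus Run entries that give only a bare filename (like `BCMSMMSG.exe` above) and so depend on the search path at logon. The sample is a constructed excerpt: every line is copied from the log above except the final `[Updater]` entry, which is made up to show a planted `lsass.exe`. The `CANONICAL` allow-list is an assumption for illustration.

```python
"""Flag process-path masquerading in a HijackThis log.  Added example; not
HijackThis code or forum tooling.  SAMPLE_HJT is a constructed excerpt: lines
copied from the log above plus one made-up O4 entry ('[Updater]')."""
import ntpath
import re

# Core XP binaries and the one directory each legitimately runs from.
# Assumed allow-list for this example; a production list is longer and per-OS.
CANONICAL = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

SAMPLE_HJT = r"""
Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\WINDOWS\surfmonkey\smproxy.exe
C:\Program Files\a2\a2guard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\Temp\lsass.exe
"""

ITEM_LINE = re.compile(r"^[A-Z]\d+ - ")     # R0, O2, O4 ... item lines
RUN_ENTRY = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (.*)$", re.M)

def running_processes(text):
    """Paths listed under 'Running processes:' up to the first HJT item line."""
    procs, in_list = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_list = True
        elif in_list and ITEM_LINE.match(line):
            break
        elif in_list and re.match(r"^[A-Za-z]:\\", line):
            procs.append(line)
    return procs

def image_of(command):
    """Executable part of a Run-key command: a quoted path is taken whole,
    otherwise the first token.  The %systemroot% variable is expanded to the
    Windows directory seen in the log (assumed to be on C:)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        image = command[1:end] if end > 0 else command[1:]
    else:
        image = command.split()[0] if command else ""
    return re.sub(r"(?i)%systemroot%", lambda m: r"C:\WINDOWS", image)

def check_image(image):
    """('MASQUERADE', image) when a core binary name sits outside its home directory."""
    expected = CANONICAL.get(ntpath.basename(image).lower())
    if expected and ntpath.dirname(image).lower() != expected:
        return ("MASQUERADE", image)
    return None

def triage_hjt(text):
    """Findings over the process list and every O4 Run entry."""
    findings = []
    for proc in running_processes(text):
        hit = check_image(proc)
        if hit:
            findings.append(hit)
    for m in RUN_ENTRY.finditer(text):
        image = image_of(m.group(1))
        if ntpath.dirname(image) == "":
            # Bare filename: resolved through the search path at logon, so which
            # file actually runs depends on directory contents, not on the key.
            findings.append(("UNQUALIFIED", image))
        hit = check_image(image)
        if hit:
            findings.append(hit)
    return findings
```

`triage_hjt(SAMPLE_HJT)` returns three findings: the `C:\WINDOWS\svchost.exe` process from the log, the bare `BCMSMMSG.exe` Run value, and the made-up `lsass.exe` under `Temp`. Two caveats a responder should keep in mind: the check compares directory strings only, so a hostile file dropped into `System32` under a look-alike name passes it, and 8.3 short paths such as `C:\PROGRA~1\...` are compared literally rather than expanded. HijackThis itself does not verify file signatures, so a path that passes here still deserves a hash lookup.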

Download rkdetector from here. Unzip it to the root directory. Run it from the command prompt (Start -> All Programs -> Accessories). It will create a log. Post that log here.

 

-- LB


Closed due to no more activity.

Glad we could help. :)

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
