1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

hijack this log

Discussion in 'Virus & Other Malware Removal' started by [email protected], Sep 7, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. mwood@tdn.to

    [email protected] Thread Starter

    Joined:
    Aug 7, 2004
    Messages:
    8
    I have a trojan attached to my internet home page. Also, an icon on my desktop that won't go away. The following is my hijack this log. I will appreciate any help. This happened once before and some of you told me about hijack this and spybot. They worked.


    Logfile of HijackThis v1.98.1
    Scan saved at 11:41:17 PM, on 9/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
    C:\WINDOWS\LogWatNT.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\twink64.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\program files\180solutions\msbb.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Wood\Application Data\peac.exe
    C:\WINDOWS\System32\hoo.exe
    C:\WINDOWS\apinu32.exe
    C:\WINDOWS\sysrn.exe
    C:\WINDOWS\System32\usb.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\Program Files\WebSiteViewer\124503.dlr
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Wood\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {77B4CE71-F8EB-D009-07EA-8D5437684795} - C:\WINDOWS\atlqy.dll
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [sysrn.exe] C:\WINDOWS\sysrn.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Mhle] C:\Documents and Settings\Wood\Application Data\peac.exe
    O4 - HKCU\..\Run: [Dewn] C:\WINDOWS\System32\hoo.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...7ff22322f046:375a82d108ec2e9d584f880889783bc3
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2EAA83A8-11CF-4B42-A46A-7A6F218DFB25}: NameServer = 209.244.0.3 209.244.0.4
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2EAA83A8-11CF-4B42-A46A-7A6F218DFB25}: NameServer = 209.244.0.3 209.244.0.4
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
     
  2. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Go to your Control Panel>Add/Remove and uninstall the following ...IST-Bar, Bargin Buddy, 180 solutions, Web3000, N-Case, MediaTickets, Internet Optimizer.

    Check for the newer version (1.98.2)of HijkackThis by using Config>Misc Tools>"check for online update" button. If the server is busy or just down you can download it from zerosrealm.

    After reboot post an updated (ver 1.98.2) HijackThis log back to this thread.
     
  3. mwood@tdn.to

    [email protected] Thread Starter

    Joined:
    Aug 7, 2004
    Messages:
    8
    Hey thanks for the reply and the advice. Ok, first I went to control panel>add/remove and I checked for the files you listed. I did not find them. I even checked under properties for each one and i did not find anything that sounded like them. Now, I tried control panel>add/remove uninstall last night, and I did remove a couple of things. So, maybe I removed those last night??? Not sure.

    I also went into to my "C" drive and noticed one of the sites that has attached itself to my desktop, and so it was also in my "C" drive. Whenever I right click on the icon it has created on the desktop, it tells me that, even if i delete the shortcut, the site will remain and so it tells me that I must go to control panel and add/remove. That was how I first tried the add/remove last night. And so the icon keeps re-appearing on my desktop. So, then when i found this site in my "C" drive, I deleted it. But, it is back now. There are also a couple of other files in my "C" drive that look suspicious, but I can't tell if they are trojans/worms or not.

    And, everytime I connect to the internet, and click on internet explorer, I get a home page that I do not want. I go into Tools>internet options and choose a new home page, but it over rides me and keeps going back the unwanted page. In the Home page address bar it says: "about:blank" and the page is the microsoft search page.

    I did download the 1.98.2 version of Hijack This, ran the scan and I have included the log file from that scan below. So, thanks again for the help, and i will await your reply on what my next move should be. I had this problem once before and the folks there at tech guy had me use hijack this, spybot and cws shredder and that all took care of the problem. Thanks again, Mark Wood

    Logfile of HijackThis v1.98.2
    Scan saved at 12:40:19 PM, on 9/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
    C:\WINDOWS\LogWatNT.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\apinu32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\twink64.exe
    C:\WINDOWS\sysrn.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Wood\Application Data\peac.exe
    C:\WINDOWS\System32\hoo.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\usb.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Wood\Local Settings\Temp\Temporary Directory 1 for Hijack This 1.98.2.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: run=C:\Program Files\Windows Media Player\wmplayer.exe
    O2 - BHO: (no name) - {77B4CE71-F8EB-D009-07EA-8D5437684795} - C:\WINDOWS\atlqy.dll
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [sysrn.exe] C:\WINDOWS\sysrn.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Mhle] C:\Documents and Settings\Wood\Application Data\peac.exe
    O4 - HKCU\..\Run: [Dewn] C:\WINDOWS\System32\hoo.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...7ff22322f046:375a82d108ec2e9d584f880889783bc3
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2EAA83A8-11CF-4B42-A46A-7A6F218DFB25}: NameServer = 209.244.0.3 209.244.0.4
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2EAA83A8-11CF-4B42-A46A-7A6F218DFB25}: NameServer = 209.244.0.3 209.244.0.4
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
     
  4. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    I'll need a list of your running services:
    Please download Getservices from HERE.

    It is best to run the getservice.bat immediately after a reboot.

    Extract the file to your c:\ drive.( it will NOT work if oyu run it from the zip) Then navigate to c:\getservices folder and double-click on the getservices.bat file. Notepad will open. Just copy & paste the contents of that file back to this thread as a reply.

    Also make a new HJT log and copy it back with your reply if you have rebooted since posting the last one.

    If possible do not reboot or log off after running the getservice.bat and HJT log; at least until I can get a response posted; every time you reboot some components can morph/change; thus the fix won't work.
     
  5. mwood@tdn.to

    [email protected] Thread Starter

    Joined:
    Aug 7, 2004
    Messages:
    8
    I am sending this in two parts because it is evidently too long to send in one part. I will also send the new HJT log in a separate reply to thread. Thanks, Mark

    PsService v1.1 - local and remote services viewer/controller
    Copyright (C) 2001-2003 Mark Russinovich
    Sysinternals - www.sysinternals.com

    SERVICE_NAME: Alerter
    Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Alerter
    DEPENDENCIES : LanmanWorkstation
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: ALG
    Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Application Layer Gateway Service
    DEPENDENCIES :
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: AppMgmt
    Provides software installation services such as Assign, Publish, and Remove.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Application Management
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: AudioSrv
    Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : AudioGroup
    TAG : 0
    DISPLAY_NAME : Windows Audio
    DEPENDENCIES : PlugPlay
    : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: BITS
    Uses idle network bandwidth to transfer data.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Background Intelligent Transfer Service
    DEPENDENCIES : LanmanWorkstation
    : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Browser
    Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Computer Browser
    DEPENDENCIES : LanmanWorkstation
    : LanmanServer
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: CiSvc
    Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\cisvc.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Indexing Service
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ClipSrv
    Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : ClipBook
    DEPENDENCIES : NetDDE
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: COMSysApp
    Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : COM+ System Application
    DEPENDENCIES : rpcss
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 30 seconds
    FAILURE_ACTIONS : Restart DELAY: 1000 seconds
    : Restart DELAY: 5000 seconds
    : None DELAY: 1000 seconds

    SERVICE_NAME: CryptSvc
    Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Cryptographic Services
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Dhcp
    Manages network configuration by registering and updating IP addresses and DNS names.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : TDI
    TAG : 0
    DISPLAY_NAME : DHCP Client
    DEPENDENCIES : Tcpip
    : Afd
    : NetBT
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: dmadmin
    Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Logical Disk Manager Administrative Service
    DEPENDENCIES : RpcSs
    : PlugPlay
    : DmServer
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: dmserver
    Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Logical Disk Manager
    DEPENDENCIES : RpcSs
    : PlugPlay
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Dnscache
    Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k NetworkService
    LOAD_ORDER_GROUP : TDI
    TAG : 0
    DISPLAY_NAME : DNS Client
    DEPENDENCIES : Tcpip
    SERVICE_START_NAME: NT AUTHORITY\NetworkService

    SERVICE_NAME: ERSvc
    Allows error reporting for services and applictions running in non-standard environments.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 4 DISABLED
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Error Reporting Service
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Eventlog
    Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
    LOAD_ORDER_GROUP : Event log
    TAG : 0
    DISPLAY_NAME : Event Log
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: EventSystem
    Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : Network
    TAG : 0
    DISPLAY_NAME : COM+ Event System
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: FastUserSwitchingCompatibility
    Provides management for applications that require assistance in a multiple user environment.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Fast User Switching Compatibility
    DEPENDENCIES : TermService
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Fax
    Enables you to send and receive faxes, utilizing fax resources available on this computer or on the network.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\fxssvc.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Fax
    DEPENDENCIES : TapiSrv
    : RpcSs
    : PlugPlay
    : Spooler
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: helpsvc
    Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Help and Support
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS : Restart DELAY: 100 seconds
    : Restart DELAY: 100 seconds
    : None DELAY: 100 seconds

    SERVICE_NAME: HidServ
    Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 4 DISABLED
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Human Interface Device Access
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ImapiService
    Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\imapi.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : IMAPI CD-Burning COM Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: InoRPC
    (null)
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : "C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe"
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : eTrust Antivirus RPC Server
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: InoRT
    (null)
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : "C:\Program Files\CA\eTrust\Antivirus\InoRT.exe"
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : eTrust Antivirus Realtime Server
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: InoTask
    (null)
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : "C:\Program Files\CA\eTrust\Antivirus\InoTask.exe"
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : eTrust Antivirus Job Server
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: lanmanserver
    Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Server
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: lanmanworkstation
    Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : NetworkProvider
    TAG : 0
    DISPLAY_NAME : Workstation
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: LmHosts
    Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP : TDI
    TAG : 0
    DISPLAY_NAME : TCP/IP NetBIOS Helper
    DEPENDENCIES : NetBT
    : Afd
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: LogWatch
    (null)
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\LogWatNT.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Event Log Watch
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: MDM
    Manages local and remote debugging for Visual Studio debuggers
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Machine Debug Manager
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Messenger
    Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Messenger
    DEPENDENCIES : LanmanWorkstation
    : NetBIOS
    : PlugPlay
    : RpcSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: mnmsrvc
    Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\mnmsrvc.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : NetMeeting Remote Desktop Sharing
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: MSDTC
    Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\msdtc.exe
    LOAD_ORDER_GROUP : MS Transactions
    TAG : 0
    DISPLAY_NAME : Distributed Transaction Coordinator
    DEPENDENCIES : RPCSS
    : SamSS
    SERVICE_START_NAME: NT AUTHORITY\NetworkService

    SERVICE_NAME: MSIServer
    Installs, repairs and removes software according to instructions contained in .MSI files.
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\msiexec.exe /V
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Windows Installer
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem
     
  6. mwood@tdn.to

    [email protected] Thread Starter

    Joined:
    Aug 7, 2004
    Messages:
    8
    Here is part two of the getservice file.

    SERVICE_NAME: NetDDE
    Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
    LOAD_ORDER_GROUP : NetDDEGroup
    TAG : 0
    DISPLAY_NAME : Network DDE
    DEPENDENCIES : NetDDEDSDM
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: NetDDEdsdm
    Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Network DDE DSDM
    DEPENDENCIES :
    : EGrLocalSystem
    : Network DDE DSDM
    : etwork DDE
    : workService
    : Distributed Transaction Coordinator
    : ion
    : 1\CA\Coml
    : 
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Netlogon
    Supports pass-through authentication of account logon events for computers in a domain.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
    LOAD_ORDER_GROUP : RemoteValidation
    TAG : 0
    DISPLAY_NAME : Net Logon
    DEPENDENCIES : LanmanWorkstation
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Netman
    Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Network Connections
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Nla
    Collects and stores network configuration and location information, and notifies applications when this information changes.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Network Location Awareness (NLA)
    DEPENDENCIES : Tcpip
    : Afd
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: NtLmSsp
    Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : NT LM Security Support Provider
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: NtmsSvc
    (null)
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Removable Storage
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: O?’ŽrtñåȲ$Ó
    (null)
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\apinu32.exe /s
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Workstation NetLogon Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Pctspk
    (null)
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\pctspk.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : PCTEL Speaker Phone
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: PlugPlay
    Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
    LOAD_ORDER_GROUP : PlugPlay
    TAG : 0
    DISPLAY_NAME : Plug and Play
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Pml Driver HPZ12
    (null)
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\HPZipm12.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Pml Driver HPZ12
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: PolicyAgent
    Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : IPSEC Services
    DEPENDENCIES : RPCSS
    : Tcpip
    : IPSec
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ProtectedStorage
    Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Protected Storage
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: RasAuto
    Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Remote Access Auto Connection Manager
    DEPENDENCIES : RasMan
    : Tapisrv
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: RasMan
    Creates a network connection.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Remote Access Connection Manager
    DEPENDENCIES : Tapisrv
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: RDSessMgr
    Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Remote Desktop Help Session Manager
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: RemoteAccess
    Offers routing services to businesses in local area and wide area network environments.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 4 DISABLED
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Routing and Remote Access
    DEPENDENCIES : RpcSS
    : +NetBIOSGroup
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: RemoteRegistry
    Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Remote Registry
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: NT AUTHORITY\LocalService
    FAIL_RESET_PERIOD : 0 seconds
    FAILURE_ACTIONS : Restart DELAY: 1000 seconds

    SERVICE_NAME: RpcLocator
    Manages the RPC name service database.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\locator.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Remote Procedure Call (RPC) Locator
    DEPENDENCIES : LanmanWorkstation
    SERVICE_START_NAME: NT AUTHORITY\NetworkService

    SERVICE_NAME: RpcSs
    Provides the endpoint mapper and other miscellaneous RPC services.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
    LOAD_ORDER_GROUP : COM Infrastructure
    TAG : 0
    DISPLAY_NAME : Remote Procedure Call (RPC)
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 0 seconds
    FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

    SERVICE_NAME: RSVP
    Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\rsvp.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : QoS RSVP
    DEPENDENCIES : TcpIp
    : Afd
    : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SamSs
    Stores security information for local user accounts.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
    LOAD_ORDER_GROUP : LocalValidation
    TAG : 0
    DISPLAY_NAME : Security Accounts Manager
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SCardDrv
    Enables support for legacy non-plug and play smart-card readers used by this computer. If this service is stopped, this computer will not support legacy reader. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Smart Card Helper
    DEPENDENCIES : +Smart Card Reader
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: SCardSvr
    Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Smart Card
    DEPENDENCIES : PlugPlay
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: Schedule
    Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : SchedulerGroup
    TAG : 0
    DISPLAY_NAME : Task Scheduler
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: seclogon
    Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Secondary Logon
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SENS
    Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : Network
    TAG : 0
    DISPLAY_NAME : System Event Notification
    DEPENDENCIES : EventSystem
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SharedAccess
    Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
    DEPENDENCIES : Netman
    : NLA
    : RasMan
    : ALG
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ShellHWDetection
    (null)
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : ShellSvcGroup
    TAG : 0
    DISPLAY_NAME : Shell Hardware Detection
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Spooler
    Loads files to memory for later printing.
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
    LOAD_ORDER_GROUP : SpoolerGroup
    TAG : 0
    DISPLAY_NAME : Print Spooler
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS : Restart DELAY: 60000 seconds
    : Restart DELAY: 60000 seconds
    : None DELAY: 0 seconds

    SERVICE_NAME: srservice
    Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : System Restore Service
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SSDPSRV
    Enables discovery of UPnP devices on your home network.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : SSDP Discovery Service
    DEPENDENCIES :
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: stisvc
    Provides image acquisition services for scanners and cameras.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k imgsvc
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Windows Image Acquisition (WIA)
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SwPrv
    Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{101E498B-977E-4121-99EE-B25CDA36545A}
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : MS Software Shadow Copy Provider
    DEPENDENCIES : rpcss
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SysmonLog
    Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Performance Logs and Alerts
    DEPENDENCIES :
    SERVICE_START_NAME: NT Authority\NetworkService

    SERVICE_NAME: TapiSrv
    Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Telephony
    DEPENDENCIES : PlugPlay
    : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: TermService
    Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Terminal Services
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Themes
    Provides user experience theme management.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : UIGroup
    TAG : 0
    DISPLAY_NAME : Themes
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS : Restart DELAY: 60000 seconds
    : Restart DELAY: 60000 seconds
    : None DELAY: 0 seconds

    SERVICE_NAME: TlntSvr
    Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 4 DISABLED
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\tlntsvr.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Telnet
    DEPENDENCIES : RPCSS
    : TCPIP
    : NTLMSSP
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: TrkWks
    Maintains links between NTFS files within a computer or across computers in a network domain.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Distributed Link Tracking Client
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: uploadmgr
    Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Upload Manager
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS : Restart DELAY: 100 seconds
    : Restart DELAY: 100 seconds
    : None DELAY: 100 seconds

    SERVICE_NAME: upnphost
    Provides support to host Universal Plug and Play devices.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Universal Plug and Play Device Host
    DEPENDENCIES : SSDPSRV
    SERVICE_START_NAME: NT AUTHORITY\LocalService
    FAIL_RESET_PERIOD : -1 seconds
    FAILURE_ACTIONS : Restart DELAY: 0 seconds

    SERVICE_NAME: UPS
    Manages an uninterruptible power supply (UPS) connected to the computer.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Uninterruptible Power Supply
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: VSS
    Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Volume Shadow Copy
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: W32Time
    Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.


    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Windows Time
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: WebClient
    Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP : NetworkProvider
    TAG : 0
    DISPLAY_NAME : WebClient
    DEPENDENCIES : MRxDAV
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: winmgmt
    Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Windows Management Instrumentation
    DEPENDENCIES : RPCSS
    : Eventlog
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS : Restart DELAY: 60000 seconds
    : Restart DELAY: 60000 seconds

    SERVICE_NAME: WmdmPmSN
    Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Portable Media Serial Number Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Wmi
    Provides systems management information to and from drivers.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Windows Management Instrumentation Driver Extensions
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: WmiApSrv
    Provides performance library information from WMI HiPerf providers.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\wbem\wmiapsrv.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : WMI Performance Adapter
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: wuauserv
    Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 4 DISABLED
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Automatic Updates
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: WZCSVC
    Provides automatic configuration for the 802.11 adapters
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : TDI
    TAG : 0
    DISPLAY_NAME : Wireless Zero Configuration
    DEPENDENCIES : RpcSs
    : Ndisuio
    SERVICE_START_NAME: LocalSystem
     
  7. mwood@tdn.to

    [email protected] Thread Starter

    Joined:
    Aug 7, 2004
    Messages:
    8
    Logfile of HijackThis v1.98.1
    Scan saved at 11:18:45 PM, on 9/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
    C:\WINDOWS\LogWatNT.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\apinu32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\twink64.exe
    C:\WINDOWS\sysrn.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Wood\Application Data\peac.exe
    C:\WINDOWS\System32\hoo.exe
    C:\Program Files\WebSiteViewer\124503.dlr
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Wood\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
    C:\WINDOWS\System32\usb.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {77B4CE71-F8EB-D009-07EA-8D5437684795} - C:\WINDOWS\atlqy.dll
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [sysrn.exe] C:\WINDOWS\sysrn.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Mhle] C:\Documents and Settings\Wood\Application Data\peac.exe
    O4 - HKCU\..\Run: [Dewn] C:\WINDOWS\System32\hoo.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.windupdates.com
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...7ff22322f046:375a82d108ec2e9d584f880889783bc3
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2EAA83A8-11CF-4B42-A46A-7A6F218DFB25}: NameServer = 209.244.0.3 209.244.0.4
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2EAA83A8-11CF-4B42-A46A-7A6F218DFB25}: NameServer = 209.244.0.3 209.244.0.4
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
     
  8. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    You really must print out these directions because you will have to be offline during the fix. Do NOT open IE after you boot to safemode until you reboot to normal mode when the fix is complete. If at any time you run into a problem with the current step, just continue on with the next step. Make a note of it (the problem) for your reply.

    Make sure you are set to Show Hidden Files and Folders

    Please download About:Buster from here: http://tools.zerosrealm.com/AboutBuster.zip Once it is downloaded extract it to
    c:\aboutbuster. We will use that program later in this process. The tool has been repaired so that you will no longer get the error you were getting before.

    Reboot to safe mode (instructions) and follow these steps:

    Step 1:

    Click on start>control panel>administrative programs>services. Look for a service called Workstation NetLogon Service. Double click on the that service and click stop. Next set startup to disabled. Please note the name and path of the file listed in 'Path to executable'. This filename must be deleted below.

    Step 2:

    Press control+alt+-del to open task manager and end the follow processes if available:
    C:\WINDOWS\apinu32.exe
    C:\WINDOWS\sysrn.exe
    C:\Documents and Settings\Wood\Application Data\peac.exe
    C:\WINDOWS\System32\hoo.exe
    C:\Program Files\WebSiteViewer\124503.dlr
    C:\WINDOWS\System32\usb.exe <-------IF you have a USB drive this may be legit....(although I doubt it from it's location), See if you can glean any info by Rt. Click file and choose properties.

    Step 3:
    I now need you to delete the following files:
    C:\WINDOWS\apinu32.exe /
    C:\WINDOWS\kpwyp.dll
    C:\WINDOWS\atlqy.dll
    C:\WINDOWS\sysrn.exe
    C:\Documents and Settings\Wood\Application Data\peac.exe
    C:\WINDOWS\System32\hoo.exe
    Go to Start>Run>type %temp% (include the %)>enter>delete all files and folders that come up.
    There will be a couple of files in the temp folder that will not delete. It's normal and expected.

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

    Step 4:
    Now close all programs and windows and run hijackthis.
    Put a check mark next to each of these entries:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kpwyp.dll/sp.html#29126
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {77B4CE71-F8EB-D009-07EA-8D5437684795} - C:\WINDOWS\atlqy.dll
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [sysrn.exe] C:\WINDOWS\sysrn.exe
    O4 - HKCU\..\Run: [Mhle] C:\Documents and Settings\Wood\Application Data\peac.exe
    O4 - HKCU\..\Run: [Dewn] C:\WINDOWS\System32\hoo.exe
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.windupdates.com
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...84f880889783bc3
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)

    and press the fix checked.

    Step 5:

    In the next step we are going to remove a service that gets installed by this malware.

    Go to Start>Run and type regedit.

    Press enter.

    Navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Workstation NetLogon Service

    If Workstation NetLogon Service exists (it may not), right click on it and choose delete from the menu.

    Now navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Workstation NetLogon Service

    If LEGACY_Workstation NetLogon Service exists (it may not). then right click on it and choose delete from the menu.

    If you have trouble deleting a key. Then click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritable permissions" and press copy. Then click on everyone and put a check mark in "full control". Then press apply and ok and attempt to delete the key again.


    Step 6:

    This is the step where we will use About:Buster that you had downloaded previously.

    Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button>Start button>OK button,and lastly the Yes button. Now it will start scan computer. When it asks if you would like to do a second pass, allow it to do so.

    Step 7:

    Copy the contents of the Quote Box below to Notepad.
    Name the file as fix.reg
    Change the Save as Type to All Files
    Save this file on the desktop

    Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

    Step 8:
    Reboot your computer back to normal mode so that we can see if we need to restore some deleted files:
    • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
    • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button
    • It is possible that the malware deleted your control.exe. Please check for the existence of this file by going to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.

    Step 9:

    Run the online antivirus scan at:

    http://housecall.antivirus.com/

    Step 10:

    (If you already have AdAwareSE 1.03 installed make SURE that it is updated with the latest ref-file; AND use the setting in the 'speech' below)
    Can you please download Ad-aware SE Personal 1.03 and install it.

    Before scanning with Ad-aware SE Free:
    Run a FULL adaware scan using the following configuration below
    • Update
      • Select Check for updates.
      • Then Connect and download SE1R7 02.09.2004 or latest.
    • Click Start
    • Select Perform Full System Scan and hit Next to let Ad-Aware scan your drives.
    • It will list malware files and registry keys. Click Next.
    • Under the Critical Objects tab, rightclick in the list, choose Select All, then Next.
    • It will ask for verification of checked items. Choose OK.
    • Close Ad-Aware, Shut down and reboot your system.

    After reboot post new HJT log back to this thread.
     
  9. mwood@tdn.to

    [email protected] Thread Starter

    Joined:
    Aug 7, 2004
    Messages:
    8
    Hello jwbirdsong,

    Thanks for the reply and the advice. I have some questions regarding the latest instructions you sent me on September 8. I am a novice and want to make sure I understand.

    1. You say, "...you will have to work offline during the fix. Do not open IE after you boot to safe mode until you reboot to normal mode when the fix is complete."

    a. please explain further about not using IE. Does this mean that I work online to get all the information that you talk about in your instructions? I have to work online and use IE, in order to access certain info, but then, once I have all the information, and am ready to actually follow the steps for fixing the problem, I will be doing all of that offline?

    b. I am unfamiliar with the following terms: 'boot' 'reboot' 'safemode' normal mode'.

    2. You say, "Make sure are set to Show Hidden files and folders". Please explain how I make sure that I am set to do this?

    Thanks, [email protected]
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    [email protected]

    I have merged your new thread with your original thread. Please make all posts regarding this matter in this thread.
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    What you need to do now is rescan with Hijack This and post a fresh log. The reason you must rescan with Hijack This each time is because with this hijack the entries in Hijack This may change depending on what you have done with the computer since your last post. I will be wasting my time and yours if I tell you what to remove with HJT if the entries change between posts.


    Also I want you delete the old getservice list that you posted before and run the getservice.bat file again to create a new one. This time I want you to save the getservice.txt file and attach it to your next reply to this thread. It will be easier to attach it rather than copy and paste because it will be too long to paste in one post. The reason I want to see a new getservice list is because the name of the service installed by this hijacker has been known to change. It probably hasn't in your case, but I want to be sure.

    After you post the next Hijack This log and the getservice list, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.
     
  12. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/274016

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice