0

Hi!
A few months ago, my computer was infected with the adware.mainsearch virus and it's been resetting my homepage to about.blank. I ran my computer in safe mode, located the file, and manually deleted it, but after an hour the adware is back on my computer. If anybody could give me some help, that'd be great.

Logfile of HijackThis v1.97.7
Scan saved at 10:39:04 PM, on 9/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\FirstClass\Fcc32.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\3W6AC5GM\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {45F348CB-4454-4C23-88A3-EA7C8E0C2D47} - C:\WINNT\system32\lebmmc.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37985.6918402778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx

0

While you are waiting for a reply, you might want to update your HijackThis to version 1.98.2. Also, if you haven't done so, try scanning with Adaware and Spybot Search and Destroy and let them fix anything they find. Then be sure to save HijackThis in its own permanent folder, rescan, and post your fresh log. :)

0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {45F348CB-4454-4C23-88A3-EA7C8E0C2D47} - C:\WINNT\system32\lebmmc.dll (file missing)

Download and install [APM](http://www.diamondcs.com.au/index.php?page=apm)

Close all windows except HijackThis and fix the lines above.

In the upper window of APM select explorer.exe
In the lower window find and right-click the BHO from the HijackThis log
Select Unload DLL and click OK on the prompts that follow. lebmmc.dll

Reboot and scan with AdAware to remove the txt and html protocol association.

Download & install Adaware & update it before scanning.
In settings under 'scanning,' have it set to

'scan within archives,' 
'scan active processes,'
'scan registry,'
'deepscan registry' 
'scan my IE Favourites for banned URL's,'
'scan my host's file.' 

In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'

Also in 'tweaks' under 'cleaning engine' set it to 'Always try to unload Modules before deletion' & 'let Windows remove files in use at next reboot.'
Select 'activate in-depth scan' before starting scan.
When the scan is finished select 'next.'
Remove what it finds by placing a check in the box to the left of the object. Reboot.

Post another log after rebooting.

Edited by pyTony: fixed formatting

0

I tried that, and everything was clear, but when I tried to reset my IE settings, it started all over again and I'm back at square one.

Another problem was that I couldn't find the .dll in the explorer.exe...so I deleted it off the Logfile in HJT.
This was the logfile before it happened:

Logfile of HijackThis v1.97.7
Scan saved at 10:42:30 PM, on 9/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DZL6APYS\HijackThis[1].exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37985.6918402778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx

This is what the logfile looks like now, after I deleted the R1/R0 stuff.

Logfile of HijackThis v1.97.7
Scan saved at 10:55:19 PM, on 9/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DZL6APYS\HijackThis[1].exe
C:\APM\apm.exe

O2 - BHO: (no name) - {8BFB2988-39CA-445C-B3D3-D8DCCCBB94C7} - C:\WINNT\system32\jimcd.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37985.6918402778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx

I can't find jimcd.dll anywhere in APM.
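
The change between the logs in this thread, checked in code (an added example, not part of any post and not HijackThis's own logic): it parses the numbered entries, flags R0/R1 values that load a local file and BHOs with no name or a missing file, and diffs the O2 entries of two scans. The flagging rules and all function names are assumptions made for this example; the sample lines are excerpts of the logs posted above.

```python
"""Triage HijackThis logs: flag hijack indicators and diff BHOs between scans."""
import re
from typing import NamedTuple


class Entry(NamedTuple):
    code: str   # HijackThis section code such as "R1", "O2", "O16"
    body: str   # text after "CODE - "


class Bho(NamedTuple):
    name: str
    clsid: str
    path: str
    file_missing: bool


ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.+)$")
BHO_RE = re.compile(
    r"^BHO:\s*(?P<name>.*?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s+-\s+"
    r"(?P<path>.+?)(?P<missing>\s+\(file missing\))?$"
)


def parse_log(text):
    """Return the numbered entries of a log. Header lines and the
    'Running processes' list carry no section code and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def bhos(entries):
    """Extract O2 (Browser Helper Object) entries as structured records."""
    out = []
    for e in entries:
        m = BHO_RE.match(e.body) if e.code == "O2" else None
        if m:
            out.append(Bho(m["name"], m["clsid"].upper(), m["path"],
                           bool(m["missing"])))
    return out


def flag(entries):
    """Heuristics assumed for this example (not HijackThis rules):
    R0/R1 values that load a local file, and BHOs with no name or no file."""
    findings = []
    for e in entries:
        if e.code in ("R0", "R1") and " = " in e.body:
            key, value = e.body.split(" = ", 1)
            if value.lower().startswith("file://"):
                findings.append((e.code, key, value))
    for b in bhos(entries):
        if b.name == "(no name)" or b.file_missing:
            findings.append(("O2", b.clsid, b.path))
    return findings


def bho_diff(before, after):
    """Compare two scans. A BHO that vanishes while a different CLSID/DLL
    appears means something is re-registering it between scans."""
    old = {(b.clsid, b.path) for b in bhos(before)}
    new = {(b.clsid, b.path) for b in bhos(after)}
    return sorted(old - new), sorted(new - old)


# Excerpts of the first (9/16) and third (9/17, 10:55 PM) logs in this thread.
LOG_SEP16 = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {45F348CB-4454-4C23-88A3-EA7C8E0C2D47} - C:\WINNT\system32\lebmmc.dll (file missing)
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""
LOG_SEP17 = r"""
O2 - BHO: (no name) - {8BFB2988-39CA-445C-B3D3-D8DCCCBB94C7} - C:\WINNT\system32\jimcd.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

if __name__ == "__main__":
    first, third = parse_log(LOG_SEP16), parse_log(LOG_SEP17)
    for finding in flag(first):
        print("flag:", *finding)
    removed, added = bho_diff(first, third)
    print("BHO removed:", removed)
    print("BHO added:  ", added)
```

A removed entry paired with a new unnamed BHO in the same directory, as in these two scans, indicates the O2 entry is being regenerated under a new CLSID and file name rather than cleaned.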

0

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

Can you please download this file from here:

Getservice.zip

Extract the file to the c:\ drive. Then navigate to the c:\getservices and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad into this post.

Post a new hijackthis log too.

0

Thanks.

PsService v1.1 - local and remote services viewer/controller
Copyright (C) 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Alerter
    DEPENDENCIES      : LanmanWorkstation
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Apache
Apache/2.0.39 (Win32) PHP/4.2.2
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : "C:\FoxServ\Apache\bin\Apache.exe" -k runservice
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Apache
    DEPENDENCIES      : Tcpip
              : Afd
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Application Management
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AvgServ
(null)
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : AVG6 Service
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Transfers files in the background using idle network bandwidth. If the service is disabled, then any functions that depend on BITS, such as Windows Update or MSN Explorer will be unable to automatically download programs and other information.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k BITSgroup
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Background Intelligent Transfer Service
    DEPENDENCIES      : LanmanWorkstation
              : Rpcss
              : SENS
              : Wmi
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Browser
Maintains an up-to-date list of computers on your network and supplies the list to programs that request it.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Computer Browser
    DEPENDENCIES      : LanmanWorkstation
              : LanmanServer
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ccEvtMgr
Symantec Event Manager
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    LOAD_ORDER_GROUP  : Symantec Services
    TAG       : 0
    DISPLAY_NAME      : Symantec Event Manager
    DEPENDENCIES      : RPCSS
              : ccSetMgr
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ccPwdSvc
Symantec Password Validation Service
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Symantec Password Validation
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ccSetMgr
Symantec Settings Manager
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    LOAD_ORDER_GROUP  : Symantec Services
    TAG       : 0
    DISPLAY_NAME      : Symantec Settings Manager
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: cisvc
(null)
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\cisvc.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Indexing Service
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\clipsrv.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : ClipBook
    DEPENDENCIES      : NetDDE
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\services.exe
    LOAD_ORDER_GROUP  : TDI
    TAG       : 0
    DISPLAY_NAME      : DHCP Client
    DEPENDENCIES      : Tcpip
              : Afd
              : NetBT
              : SYMTDI
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Administrative service for disk management requests
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\dmadmin.exe /com
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Logical Disk Manager Administrative Service
    DEPENDENCIES      : RpcSs
              : PlugPlay
              : DmServer
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Logical Disk Manager Watchdog Service
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Logical Disk Manager
    DEPENDENCIES      : RpcSs
              : PlugPlay
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\services.exe
    LOAD_ORDER_GROUP  : TDI
    TAG       : 0
    DISPLAY_NAME      : DNS Client
    DEPENDENCIES      : Tcpip
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Logs event messages issued by programs and Windows.  Event Log reports contain information that can be useful in diagnosing problems.  Reports are viewed in Event Viewer.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : Event log
    TAG       : 0
    DISPLAY_NAME      : Event Log
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Provides automatic distribution of events to subscribing COM components.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : Network
    TAG       : 0
    DISPLAY_NAME      : COM+ Event System
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Fax
Helps you send and receive faxes
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\faxsvc.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Fax Service
    DEPENDENCIES      : TapiSrv
              : RpcSs
              : PlugPlay
              : Spooler
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Provides RPC support and file, print, and named pipe sharing.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Server
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Provides network connections and communications.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\services.exe
    LOAD_ORDER_GROUP  : NetworkProvider
    TAG       : 0
    DISPLAY_NAME      : Workstation
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\services.exe
    LOAD_ORDER_GROUP  : TDI
    TAG       : 0
    DISPLAY_NAME      : TCP/IP NetBIOS Helper Service
    DEPENDENCIES      : NetBT
              : Afd
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Messenger
Sends and receives messages transmitted by administrators or by the Alerter service.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Messenger
    DEPENDENCIES      : LanmanWorkstation
              : NetBIOS
              : RpcSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Allows authorized people to remotely access your Windows desktop using NetMeeting.
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\mnmsrvc.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : NetMeeting Remote Desktop Sharing
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers.
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\msdtc.exe
    LOAD_ORDER_GROUP  : MS Transactions
    TAG       : 0
    DISPLAY_NAME      : Distributed Transaction Coordinator
    DEPENDENCIES      : RPCSS
              : SamSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSIServer
Installs, repairs and removes software according to instructions contained in .MSI files.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\MsiExec.exe /V
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Windows Installer
    DEPENDENCIES      : RpcSs
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MySql
(null)
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:/FoxServ/mysql/bin/mysqld-nt.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : MySql
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: navapsvc
Handles Norton AntiVirus Auto-Protect events.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : "C:\Program Files\Norton AntiVirus\navapsvc.exe"
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Norton AntiVirus Auto Protect Service
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for dynamic data exchange (DDE).
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\netdde.exe
    LOAD_ORDER_GROUP  : NetDDEGroup
    TAG       : 0
    DISPLAY_NAME      : Network DDE
    DEPENDENCIES      : NetDDEDSDM
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages shared dynamic data exchange and is used by Network DDE
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\netdde.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Network DDE DSDM
    DEPENDENCIES      : 
              : EGrLocalSystem
              : Network DDE DSDM
              : etwork DDE
              : on AntiVirus Auto Protect Service
              : e Service
              : \
              : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\lsass.exe
    LOAD_ORDER_GROUP  : RemoteValidation
    TAG       : 0
    DISPLAY_NAME      : Net Logon
    DEPENDENCIES      : LanmanWorkstation
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Network Connections
    DEPENDENCIES      : RpcSs
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetMDSB
(null)
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\Program Files\Sony\Net MD Simple Burner\NetMDSB.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Net MD Simple Burner Service
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\lsass.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : NT LM Security Support Provider
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
Manages removable media, drives, and libraries.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Removable Storage
    DEPENDENCIES      : RpcSs
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ose
Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Office Source Engine
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Manages device installation and configuration and notifies programs of device changes.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : PlugPlay
    TAG       : 0
    DISPLAY_NAME      : Plug and Play
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\lsass.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : IPSEC Policy Agent
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Protected Storage
    DEPENDENCIES      : RpcSs
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Remote Access Auto Connection Manager
    DEPENDENCIES      : RasMan
              : Tapisrv
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Remote Access Connection Manager
    DEPENDENCIES      : Tapisrv
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 4  DISABLED
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Routing and Remote Access
    DEPENDENCIES      : RpcSS
              : +NetBIOSGroup
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteRegistry
Allows remote registry manipulation.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\regsvc.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Remote Registry Service
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 0 seconds
    FAILURE_ACTIONS   : Restart DELAY: 1000 seconds

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\locator.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Remote Procedure Call (RPC) Locator
    DEPENDENCIES      : LanmanWorkstation
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\svchost -k rpcss
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Remote Procedure Call (RPC)
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\rsvp.exe -s
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : QoS RSVP
    DEPENDENCIES      : TcpIp
              : Afd
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\lsass.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Security Accounts Manager
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SAVScan
Handles Norton AntiVirus Auto-Protect Archive Scanning
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\Program Files\Norton AntiVirus\SAVScan.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : SAVScan
    DEPENDENCIES      : SAVRT
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SBService
(null)
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : ScriptBlocking Service
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardDrv
Provides support for legacy smart card readers attached to the computer.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : C:\WINNT\System32\SCardSvr.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Smart Card Helper
    DEPENDENCIES      : +Smart Card Reader
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardSvr
Manages and controls access to a smart card inserted into a smart card reader attached to the computer.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : C:\WINNT\System32\SCardSvr.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Smart Card
    DEPENDENCIES      : PlugPlay
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Schedule
Enables a program to run at a designated time.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\MSTask.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Task Scheduler
    DEPENDENCIES      : RpcSs
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : RunAs Service
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events.  Notifies COM+ Event System subscribers of these events.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : Network
    TAG       : 0
    DISPLAY_NAME      : System Event Notification
    DEPENDENCIES      : EventSystem
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Internet Connection Sharing
    DEPENDENCIES      : RasMan
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\spoolsv.exe
    LOAD_ORDER_GROUP  : SpoolerGroup
    TAG       : 0
    DISPLAY_NAME      : Print Spooler
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Symantec Core LC
Symantec Core LC
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Symantec Core LC
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SymWSC
Symantec WMI Service
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : SymWMI Service
    DEPENDENCIES      : winmgmt
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Configures performance logs and alerts.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\smlogsvc.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Performance Logs and Alerts
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Telephony
    DEPENDENCIES      : PlugPlay
              : RpcSs
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TlntSvr
Allows a remote user to log on to the system and run console programs using the command line.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\tlntsvr.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Telnet
    DEPENDENCIES      : RpcSs
              : TcpIp
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TrkWks
Sends notifications of files moving between NTFS volumes in a network domain.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Distributed Link Tracking Client
    DEPENDENCIES      : RpcSs
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\ups.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Uninterruptible Power Supply
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: usprserv
(null)
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : User Privilege Service
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UtilMan
Starts and configures accessibility tools from one window 
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\UtilMan.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Utility Manager
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Vitndusk
(null)
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : 
    LOAD_ORDER_GROUP  : Video Init
    TAG       : 1
    DISPLAY_NAME      : Vitndusk
    DEPENDENCIES      : 
    SERVICE_START_NAME: 

SERVICE_NAME: W32Time
Sets the computer clock.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Windows Time
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WinMgmt
Provides system management information.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : C:\WINNT\System32\WBEM\WinMgmt.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Windows Management Instrumentation
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS   : Restart DELAY: 60000 seconds
              : Restart DELAY: 60000 seconds

SERVICE_NAME: WMDM PMSP Service
(null)
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\MsPMSPSv.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : WMDM PMSP Service
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Portable Media Serial Number Service
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Wmi
Provides systems management information to and from drivers.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\Services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Windows Management Instrumentation Driver Extensions
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\svchost.exe -k wugroup
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Automatic Updates
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
Provides authenticated network access control using IEEE 802.1x for wired and wireless Ethernet networks.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : TDI
    TAG       : 0
    DISPLAY_NAME      : Wireless Configuration
    DEPENDENCIES      : RpcSs
              : Ndisuio
              : ProtectedStorage
              : WMI
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: x10nets
(null)
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\DOCUME~1\ALLUSE~1\APPLIC~1\SNAPST~1\PERSON~1\Plugins\x10nets.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : X10 Device Network Service
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem

and...

Logfile of HijackThis v1.98.2
Scan saved at 5:40:59 PM, on 9/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\NMain.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\FirstClass\Fcc32.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8BFB2988-39CA-445C-B3D3-D8DCCCBB94C7} - C:\WINNT\system32\jimcd.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Filter: text/html - {4EC34BA7-EFA4-4BC7-9FD4-4C32B2274A69} - C:\WINNT\system32\jimcd.dll
O18 - Filter: text/plain - {4EC34BA7-EFA4-4BC7-9FD4-4C32B2274A69} - C:\WINNT\system32\jimcd.dll

Edited by pyTony: fixed formatting

0

Download About:buster from http://malwarebytes.biz/AboutBuster.zip and unzip it to your desktop.

Start Adaware & update its reference file, but do not run it yet.

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {8BFB2988-39CA-445C-B3D3-D8DCCCBB94C7} - C:\WINNT\system32\jimcd.dll

O18 - Filter: text/html - {4EC34BA7-EFA4-4BC7-9FD4-4C32B2274A69} - C:\WINNT\system32\jimcd.dll
O18 - Filter: text/plain - {4EC34BA7-EFA4-4BC7-9FD4-4C32B2274A69} - C:\WINNT\system32\jimcd.dll

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Still in safe mode, do a full system scan with Adaware. When the scan is finished select *next* & place a check in the boxes to the left of what is found & click *next* again. Let it delete those entries.

Reboot your computer in normal mode. Rescan with HJT & post that log please. Make sure there are no instances of Internet Explorer running.

0

I hope this is the last time I'll need to post this. Thanks for all your help.
But if it comes back again, should I post here again?

Logfile of HijackThis v1.98.2
Scan saved at 10:44:41 PM, on 9/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\COMMON~1\SYMANT~1\NMain.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx

0

Wowsers :eek: that shortened it up a bit :cheesy: . Looks good to me. Think positive.
Check the link in my Sig for how you got infected & make the appropriate changes.

0

Ahhhhhhh...it came back! Again! I have SpywareBlaster and SpywareGuard up now, and it's keeping it at bay, but the program is still "attacking" me. Geez...well, I'm back again too! Right now, I don't see any solution besides my never using IE again. Oh, and how do you get CCAPP running if it was disabled? Thanks!

Here's the HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 12:35:07 PM, on 9/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\NMain.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\FirstClass\Fcc32.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Filter: text/html - {D9A30676-72EE-42A0-BA94-D1F62695AF5D} - C:\WINNT\system32\mhbbbb.dll
O18 - Filter: text/plain - {D9A30676-72EE-42A0-BA94-D1F62695AF5D} - C:\WINNT\system32\mhbbbb.dll

0

Reboot into safe mode following the instructions here & close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O18 - Filter: text/html - {D9A30676-72EE-42A0-BA94-D1F62695AF5D} - C:\WINNT\system32\mhbbbb.dll
O18 - Filter: text/plain - {D9A30676-72EE-42A0-BA94-D1F62695AF5D} - C:\WINNT\system32\mhbbbb.dll

Delete the C:\WINNT\system32\mhbbbb.dll file manually.

Run about:buster as above. Delete the contents of this folder: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel > Internet Options.

Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

Reboot & see how you go again :).

0

Err, this is getting so annoying! It worked for a few hours, but then, like always, it came back.

Logfile of HijackThis v1.98.2
Scan saved at 10:38:02 PM, on 9/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\NMain.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\FirstClass\Fcc32.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: CCAPP.EXE.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Filter: text/html - {CC359580-744E-43FB-822E-1D200EF115FB} - C:\WINNT\system32\bbjopj.dll
O18 - Filter: text/plain - {CC359580-744E-43FB-822E-1D200EF115FB} - C:\WINNT\system32\bbjopj.dll

0

Try this for me. Download CWShredder from here but do not run it yet.

Reboot into safe mode following the instructions here & close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)

O18 - Filter: text/html - {CC359580-744E-43FB-822E-1D200EF115FB} - C:\WINNT\system32\bbjopj.dll
O18 - Filter: text/plain - {CC359580-744E-43FB-822E-1D200EF115FB} - C:\WINNT\system32\bbjopj.dll

Run about:buster as above. Reboot into safe mode again and run CWShredder. Select the fix button & it will fix everything related to CoolWebSearch that is stored in its database. Close ALL windows, including Internet Explorer, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Reboot after doing this & post another log please.
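
The triage done by eye across the logs in this thread can be scripted. The following is an added example, not part of any post and not HijackThis's own logic: it parses entry lines, flags the kinds of entries ticked in the fix lists above, and shows that the O18 filter's CLSID and DLL name differ in every infected scan. The flagging rules are assumptions inferred from those fix lists; the sample lines are copied from the 9/18 to 9/23 logs.

```python
import re
from ntpath import basename  # parses Windows paths on any platform

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
O18 = re.compile(r"^Filter: (\S+) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
O2 = re.compile(r"^BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

# Sample input: a few entry lines copied from each HijackThis log in this thread.
SCANS = {
    "9/18/2004": r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8BFB2988-39CA-445C-B3D3-D8DCCCBB94C7} - C:\WINNT\system32\jimcd.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O18 - Filter: text/html - {4EC34BA7-EFA4-4BC7-9FD4-4C32B2274A69} - C:\WINNT\system32\jimcd.dll
O18 - Filter: text/plain - {4EC34BA7-EFA4-4BC7-9FD4-4C32B2274A69} - C:\WINNT\system32\jimcd.dll
""",
    "9/19/2004": r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
""",
    "9/22/2004": r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
O18 - Filter: text/html - {D9A30676-72EE-42A0-BA94-D1F62695AF5D} - C:\WINNT\system32\mhbbbb.dll
O18 - Filter: text/plain - {D9A30676-72EE-42A0-BA94-D1F62695AF5D} - C:\WINNT\system32\mhbbbb.dll
""",
    "9/23/2004": r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O4 - Startup: CCAPP.EXE.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
O18 - Filter: text/html - {CC359580-744E-43FB-822E-1D200EF115FB} - C:\WINNT\system32\bbjopj.dll
O18 - Filter: text/plain - {CC359580-744E-43FB-822E-1D200EF115FB} - C:\WINNT\system32\bbjopj.dll
""",
}

def parse(log):
    """Yield (code, body) for each entry line; headers and process paths are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def reason(code, body):
    """Return why an entry resembles those in the thread's fix lists, else None.
    These rules are assumptions drawn from the ticked entries, not a general verdict."""
    if code in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if value.lower().startswith("file://"):
            return "IE search setting points at a local file"
        if key.endswith(",HomeOldSP"):
            return "HomeOldSP value, ticked in every fix list"
    elif code == "O2":
        m = O2.match(body)
        if m and (m.group(1) == "(no name)" or m.group(3) == "(no file)"):
            return "BHO with no name or no file on disk"
    elif code == "O18":
        m = O18.match(body)
        if m and m.group(1) in ("text/html", "text/plain"):
            return "MIME filter on " + m.group(1) + " -> " + basename(m.group(3))
    return None

def flagged(log):
    """List (code, body, reason) for every entry that matches a rule."""
    return [(c, b, r) for c, b in parse(log) if (r := reason(c, b))]

def filter_rotation(scans):
    """Per scan, the sorted (CLSID, DLL name) pairs registered as O18 filters."""
    out = {}
    for date, log in scans.items():
        out[date] = sorted({(m.group(2), basename(m.group(3)))
                            for code, body in parse(log)
                            if code == "O18" and (m := O18.match(body))})
    return out

if __name__ == "__main__":
    for date, log in SCANS.items():
        print(date, "-", len(flagged(log)), "flagged")
        for code, _, why in flagged(log):
            print("   ", code, why)
    # A new CLSID and DLL name appear in each infected scan, so matching on a
    # fixed file name misses the reinfection; matching on entry type does not.
    print(filter_rotation(SCANS))
```
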
