0

Hi there.

I have been attacked by the Home search thing and I have tried to install the "Hijach this". The scan result is this:

Logfile of HijackThis v1.99.0
Scan saved at 16:53:24, on 29-12-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ntcr32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\TEXTware\HotKey\Twalink.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\PROGRA~1\ICQ\ICQ.exe
C:\WINDOWS\ntms32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\TempVirusRemoval\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B3D73358-31BE-E57F-D1C6-0062ECF101F4} - C:\WINDOWS\sysre32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\da\msntb.dll (file missing)
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ntcr32.exe] C:\WINDOWS\system32\ntcr32.exe
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\Troels\LOCALS~1\Temp\3.tmp.exe 2 10001
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\Twalink.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lsp.dll' missing
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098647918263
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Panda Firewall Service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

I must admit that I have no clue what I´m doing rigth now... Hope someone can help.

Troels

3
Contributors
30
Replies
31
Views
12 Years
Discussion Span
Last Post by Troels
0

Hi there. First of all you are running hijackthis from a temporary folder. The backups that hijackthis creates can be accidentally deleted when not in a permanent folder. Please do the following;

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

Can you please download this file from here:

Getservice.zip

Extract the file to the c:\ drive. Then navigate to the c:\getservices and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad into this post.

Post another hijackthis log too please and place it at the top :).

0

You also need to go to Windows Update and get all the Critical Updates for your system. Hold off on SP2, however, until your system gets cleaned up.

0

I´m very greatful for the fast reply.

I´ll try to run the "getservices"-thingy now. The list will hopefully be on the the forum soon.

Troels

PS.: Happy newyear. -I guess some of you will be drunk soon....

0

PS.: Happy newyear. -I guess some of you will be drunk soon....

Not me :D. Haven't had a drink for years :). A happy New Year to you too.

0

Ok here goes (its a pretty long list..)

PsService v1.1 - local and remote services viewer/controller
Copyright (C) 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com


SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Alerter
DEPENDENCIES      : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: ALG
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\alg.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Application Layer Gateway Service
DEPENDENCIES      :
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Application Management
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: aspnet_state
Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : ASP.NET State Service
DEPENDENCIES      :
SERVICE_START_NAME: NT AUTHORITY\NetworkService


SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : AudioGroup
TAG       : 0
DISPLAY_NAME      : Windows Audio
DEPENDENCIES      : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: BITS
Uses idle network bandwidth to transfer data.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Background Intelligent Transfer Service
DEPENDENCIES      : Rpcss
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Computer Browser
DEPENDENCIES      : LanmanWorkstation
: LanmanServer
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: cisvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\cisvc.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Indexing Service
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\clipsrv.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : ClipBook
DEPENDENCIES      : NetDDE
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: COMSysApp
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : COM+ System Application
DEPENDENCIES      : rpcss
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 30 seconds
FAILURE_ACTIONS   : Restart DELAY: 1000 seconds
: Restart   DELAY: 5000 seconds
: None  DELAY: 1000 seconds


SERVICE_NAME: CryptSvc
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Cryptographic Services
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : TDI
TAG       : 0
DISPLAY_NAME      : DHCP Client
DEPENDENCIES      : Tcpip
: Afd
: NetBT
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: dmadmin
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\dmadmin.exe /com
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Logical Disk Manager Administrative Service
DEPENDENCIES      : RpcSs
: PlugPlay
: DmServer
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: dmserver
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Logical Disk Manager
DEPENDENCIES      : RpcSs
: PlugPlay
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP  : TDI
TAG       : 0
DISPLAY_NAME      : DNS Client
DEPENDENCIES      : Tcpip
SERVICE_START_NAME: NT AUTHORITY\NetworkService


SERVICE_NAME: ERSvc
Allows error reporting for services and applictions running in non-standard environments.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Error Reporting Service
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Eventlog
Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP  : Event log
TAG       : 0
DISPLAY_NAME      : Event Log
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : Network
TAG       : 0
DISPLAY_NAME      : COM+ Event System
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: FastUserSwitchingCompatibility
Provides management for applications that require assistance in a multiple user environment.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Fast User Switching Compatibility
DEPENDENCIES      : TermService
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Help and Support
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS   : Restart DELAY: 100 seconds
: Restart   DELAY: 100 seconds
: None  DELAY: 100 seconds


SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 4  DISABLED
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Human Interface Device Access
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\imapi.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : IMAPI CD-Burning COM Service
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Server
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: lanmanworkstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : NetworkProvider
TAG       : 0
DISPLAY_NAME      : Workstation
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP  : TDI
TAG       : 0
DISPLAY_NAME      : TCP/IP NetBIOS Helper
DEPENDENCIES      : NetBT
: Afd
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: Messenger
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Messenger
DEPENDENCIES      : LanmanWorkstation
: NetBIOS
: PlugPlay
: RpcSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: mnmsrvc
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\mnmsrvc.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : NetMeeting Remote Desktop Sharing
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: MSDTC
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\msdtc.exe
LOAD_ORDER_GROUP  : MS Transactions
TAG       : 0
DISPLAY_NAME      : Distributed Transaction Coordinator
DEPENDENCIES      : RPCSS
: SamSS
SERVICE_START_NAME: NT AUTHORITY\NetworkService


SERVICE_NAME: MSIServer
Installs, repairs and removes software according to instructions contained in .MSI files.
TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\msiexec.exe /V
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Windows Installer
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP  : NetDDEGroup
TAG       : 0
DISPLAY_NAME      : Network DDE
DEPENDENCIES      : NetDDEDSDM
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: NetDDEdsdm
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Network DDE DSDM
DEPENDENCIES      :
: EGrLocalSystem
: Network DDE DSDM
: etwork DDE
: workService
: Distributed Transaction Coordinator
: ion
: onsole
: Ch
:
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP  : RemoteValidation
TAG       : 0
DISPLAY_NAME      : Net Logon
DEPENDENCIES      : LanmanWorkstation
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Network Connections
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Nla
Collects and stores network configuration and location information, and notifies applications when this information changes.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Network Location Awareness (NLA)
DEPENDENCIES      : Tcpip
: Afd
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : NT LM Security Support Provider
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: NtmsSvc
(null)
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Removable Storage
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: ose
Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Office Source Engine
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: PAVFIRES
(null)
TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Panda Firewall Service
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: PAVSRV
(null)
TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Panda anti-virus service
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: PlugPlay
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP  : PlugPlay
TAG       : 0
DISPLAY_NAME      : Plug and Play
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : IPSEC Services
DEPENDENCIES      : RPCSS
: Tcpip
: IPSec
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Protected Storage
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Remote Access Auto Connection Manager
DEPENDENCIES      : RasMan
: Tapisrv
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: RasMan
Creates a network connection.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Remote Access Connection Manager
DEPENDENCIES      : Tapisrv
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: RDSessMgr
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\sessmgr.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Remote Desktop Help Session Manager
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 4  DISABLED
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Routing and Remote Access
DEPENDENCIES      : RpcSS
: +NetBIOSGroup
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: RemoteRegistry
Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Remote Registry
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: NT AUTHORITY\LocalService
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS   : Restart DELAY: 1000 seconds


SERVICE_NAME: RpcLocator
Manages the RPC name service database.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\locator.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Remote Procedure Call (RPC) Locator
DEPENDENCIES      : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\NetworkService


SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost -k rpcss
LOAD_ORDER_GROUP  : COM Infrastructure
TAG       : 0
DISPLAY_NAME      : Remote Procedure Call (RPC)
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS   : Reboot  DELAY: 60000 seconds


SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\rsvp.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : QoS RSVP
DEPENDENCIES      : TcpIp
: Afd
: RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: SamSs
Stores security information for local user accounts.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP  : LocalValidation
TAG       : 0
DISPLAY_NAME      : Security Accounts Manager
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: SCardDrv
Enables support for legacy non-plug and play smart-card readers used by this computer. If this service is stopped, this computer will not support legacy reader. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Smart Card Helper
DEPENDENCIES      : +Smart Card Reader
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Smart Card
DEPENDENCIES      : PlugPlay
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : SchedulerGroup
TAG       : 0
DISPLAY_NAME      : Task Scheduler
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: seclogon
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Secondary Logon
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events.  Notifies COM+ Event System subscribers of these events.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : Network
TAG       : 0
DISPLAY_NAME      : System Event Notification
DEPENDENCIES      : EventSystem
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: SharedAccess
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
DEPENDENCIES      : Netman
: NLA
: RasMan
: ALG
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: ShellHWDetection
(null)
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : ShellSvcGroup
TAG       : 0
DISPLAY_NAME      : Shell Hardware Detection
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Spooler
Loads files to memory for later printing.
TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\spoolsv.exe
LOAD_ORDER_GROUP  : SpoolerGroup
TAG       : 0
DISPLAY_NAME      : Print Spooler
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS   : Restart DELAY: 60000 seconds
: Restart   DELAY: 60000 seconds
: None  DELAY: 0 seconds


SERVICE_NAME: srservice
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : System Restore Service
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: SSDPSRV
Enables discovery of UPnP devices on your home network.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : SSDP Discovery Service
DEPENDENCIES      :
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: stisvc
Provides image acquisition services for scanners and cameras.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k imgsvc
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Windows Image Acquisition (WIA)
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: SwPrv
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\System32\dllhost.exe /Processid:{F5D5B145-2A4D-4835-A484-39279F25FE9F}
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : MS Software Shadow Copy Provider
DEPENDENCIES      : rpcss
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\smlogsvc.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Performance Logs and Alerts
DEPENDENCIES      :
SERVICE_START_NAME: NT Authority\NetworkService


SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Telephony
DEPENDENCIES      : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: TermService
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Terminal Services
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Themes
Provides user experience theme management.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : UIGroup
TAG       : 0
DISPLAY_NAME      : Themes
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS   : Restart DELAY: 60000 seconds
: Restart   DELAY: 60000 seconds
: None  DELAY: 0 seconds


SERVICE_NAME: TlntSvr
Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\tlntsvr.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Telnet
DEPENDENCIES      : RPCSS
: TCPIP
: NTLMSSP
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: TrkWks
Maintains links between NTFS files within a computer or across computers in a network domain.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Distributed Link Tracking Client
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: UMWdf
Enables Windows user mode drivers.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\wdfmgr.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Windows User Mode Driver Framework
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: uploadmgr
Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Upload Manager
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS   : Restart DELAY: 100 seconds
: Restart   DELAY: 100 seconds
: None  DELAY: 100 seconds


SERVICE_NAME: upnphost
Provides support to host Universal Plug and Play devices.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Universal Plug and Play Device Host
DEPENDENCIES      : SSDPSRV
SERVICE_START_NAME: NT AUTHORITY\LocalService
FAIL_RESET_PERIOD : -1 seconds
FAILURE_ACTIONS   : Restart DELAY: 0 seconds


SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\ups.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Uninterruptible Power Supply
DEPENDENCIES      :
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\vssvc.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Volume Shadow Copy
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: W32Time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.



TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Windows Time
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP  : NetworkProvider
TAG       : 0
DISPLAY_NAME      : WebClient
DEPENDENCIES      : MRxDAV
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: winmgmt
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Windows Management Instrumentation
DEPENDENCIES      : RPCSS
: Eventlog
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS   : Restart DELAY: 60000 seconds
: Restart   DELAY: 60000 seconds


SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Portable Media Serial Number Service
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Wmi
Provides systems management information to and from drivers.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Windows Management Instrumentation Driver Extensions
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: WmiApSrv
Provides performance library information from WMI HiPerf providers.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\wbem\wmiapsrv.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : WMI Performance Adapter
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: wuauserv
Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Automatic Updates
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: WZCSVC
Provides automatic configuration for the 802.11 adapters
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : TDI
TAG       : 0
DISPLAY_NAME      : Wireless Zero Configuration
DEPENDENCIES      : RpcSs
: Ndisuio
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: %AF夶À¨
(null)
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\ntms32.exe /s
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Workstation NetLogon Service
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem

Hope it helps.

crunchie: glad to hear that you are not getting drunk.. -that way you can focus all you energi on my problem...

Troels

Edited by mike_2000_17: Fixed formatting

0

ok a new HJ-list.:
Logfile of HijackThis v1.99.0
Scan saved at 03:48:56, on 31-12-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ntcr32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\TEXTware\HotKey\Twalink.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\PROGRA~1\ICQ\ICQ.exe
C:\WINDOWS\ntms32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B3D73358-31BE-E57F-D1C6-0062ECF101F4} - C:\WINDOWS\sysre32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\da\msntb.dll (file missing)
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ntcr32.exe] C:\WINDOWS\system32\ntcr32.exe
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\Troels\LOCALS~1\Temp\3.tmp.exe 2 10001
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\Twalink.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lsp.dll' missing
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098647918263
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Panda Firewall Service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\ntms32.exe

Hope that it dos not reveal anything thats to embarrassing....

And once again: i´m xtremly happy to receive this much help.

Troels

0

Focus........FOCUS

You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please download About:Buster from here: http://tools.zerosrealm.com/AboutBuster.zip Once it is downloaded extract it to
c:\aboutbuster. We will use that program later in this process.

Reboot your computer into Safe Mode and follow these steps:

Step 1:

Click on start, then control panel, then administrative programs, then services. Look for a service called Workstation NetLogon Service Double click on that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

Step 2:

Press control-alt-delete to get into the task manager and end the follow processes if they exist:

ntcr32.exe
ntms32.exe

Step 3:
I now need you to delete the following files:

C:\WINDOWS\system32\ntcr32.exe
C:\WINDOWS\ntms32.exe
C:\WINDOWS\system32\eauwb.dll
C:\WINDOWS\sysre32.dll
C:\DOCUME~1\Troels\LOCALS~1\Temp\3.tmp.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

Step 4:
Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and press the fix button when ready:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eauwb.dll/sp.html#12345
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {B3D73358-31BE-E57F-D1C6-0062ECF101F4} - C:\WINDOWS\sysre32.dll

O4 - HKLM\..\Run: [ntcr32.exe] C:\WINDOWS\system32\ntcr32.exe
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\Troels\LOCALS~1\Temp\3.tmp.exe 2 10001

O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\ntms32.exe

Step 5:

In the next step we are going to remove a service that gets installed by this malware.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Workstation NetLogon Service

If Workstation NetLogon Service exists , right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Workstation NetLogon Service

If LEGACY_Workstation NetLogon Service exists then right click on it and choose delete from the menu.

If you have trouble deleting a key. Then click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.


Step 6:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

When it completed move on to step 7.

Step 7:

Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop

REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

Step 8:
Reboot your computer back to normal mode so that we can see if we need to restore some deleted files:

  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button
  • If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.
  • Open IE, go to Tools>Internet Options>then click on the security tab, then click on custon label. Check the following settings:
    • Download Signed ActiveX controls-set to Prompt.
    • Download Un-Signed ActiveX controls-set to Disable.
    • Initialize and script ActiveX controls marked as unsafe-set to disable.

    Step 9:

    Run an online antivirus scan at:

    http://housecall.antivirus.com/

    Reboot and post another hijackthis log.

0

well something worked because the home search thing is gone, but I must have ****** up my internet-connection somewhere along the way...

The infected PC won't go online... ****. But that´s something you probably can't help me with, so here´s the other problems i had:

problems:
STEP 3:
- I cant find the files:
C:\WINDOWS\system32\ntcr32.exe
C:\WINDOWS\ntms32.exe:
C:\WINDOWS\system32\eauwb.dll
C:\WINDOWS\sysre32.dll
C:\DOCUME~1\Troels\LOCALS~1\Temp\3.tmp.exe

Can this because i ran the about:buster and HS removal before getting your advice?

STEP 4:
-Can't find the:
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\ntms32.exe

STEP 5:
cant find the:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Workstation NetLogon Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Workstation NetLogon Service

Other than that, it worked out nicely. I havnt got a clue to what I did, but something did work. I will hit the bed now as it is 5.14 in the morning here and I´m tired.

Thanks again. I will post i new hijack list as soon as the other PC gets online.

Happy newyear to all.

Troels

0

Happy New Year to you too :).
Also, please do not use inappropriate language in the forums. We cater for all ages here, being a public forum.

I wouldn't worry about what you could not fix :). Just post another hijackthis log.

Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox.Then click Finish.

Hopefully that will restore the internet connection.

0

will try. Sleep later.. Sorry about the ****. I live in Denmark and **** is a part of the normal language.... Maybe i should only curse in danish... skupokkerdaogså...

Troels Mejer

0

Hi again.

I ran the web-virus-search-thing and it found 15 things. I deleted (spelling?) all 15. The HJ-log after reboot is as follows:

Logfile of HijackThis v1.99.0
Scan saved at 16:36:16, on 02-01-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\TEXTware\HotKey\Twalink.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\TempVirusRemoval\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\da\msntb.dll (file missing)
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\Twalink.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098647918263
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Panda Firewall Service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

Troels

0

Did you manage to get the PC back on-line?

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

You will need to reboot and check if those 015 entries come back. Let me know :).

0

Hi.

Yes I´m back online and all seems to be in perfect order. Allmost.

All the "015´s" are gone, but Spyware Doctor finds a tracking coockie after every reboot.

I don´t know if there´s any connections to the HomeSearch-thing? I cant get any more info on the cookie and it didnt help to delete all cookies in IE.

Thanks for all your help. I will try to deal with the tracking cookie later. Any ideas on how to find out more obuet the cookie and how to remove it?

Troels

0

You can try to clear it out manually by going to C:\Documents and Settings\Administrator\Cookies and deleting them manually. If you have spywareblaster you can set it to block tracking cookies.
Also you can set IE up to prompt you every time a site tries to set a cookie. Go to Internet Properties in IE then go to Privacy>Advanced. Select override automatic cookie handling and set both to prompt.

0

Did you do what I suggested above? If you did, you should be able to delete those cookies and the only way they can come back is if you let them.

0

Hi.

I did as you suggested and it seems that some of those cookies come from my hotmail-account... they are now blocked.

I ran Adaware once more and it found 5 things which are now deleted.
I guess that the PC is OK now, and I very greatfull for all your help.

Troels

0

wait a minute...

As i was posting my last reply the "tribal-cookie" asked for permission... Does that mean that it is comming from daniweb?

Troels

0

and once more, along with the falkag-cookie..

Strange... They are blocked again

Troels

0

You should get an option to remember your answer so that you do not keep getting the same message for the same site. Check that option.

0

Ok new problem....

After removing the virus/cookie-thing One of my programs won't start. The error message is:

c:\windows<system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications.

everything else seems to be in perfect order.

Any ideas?

Troels

0

It´s almost to good to be true...

Guess what, - I got hijacked again.. It seems to be the same problem, so here's a hijack-list and a list of services:

Logfile of HijackThis v1.99.0
Scan saved at 20:16:03, on 19-01-2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\system32\ntik32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\PROGRA~1\ICQ\ICQNet.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\appbr32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\TEXTware\HotKey\Twalink.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\TempVirusRemoval\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wfahz.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wfahz.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wfahz.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wfahz.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wfahz.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wfahz.dll/sp.html#10001
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BAC5E68D-E458-C434-7DFA-97938DFC94F3} - C:\WINDOWS\system32\javavo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\da\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [appbr32.exe] C:\WINDOWS\appbr32.exe
O4 - HKLM\..\RunOnce: [ntik32.exe] C:\WINDOWS\system32\ntik32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\Twalink.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} (Sony SNC-RZ30 Image Viewer) - http://151.204.174.22/home/SonySncRz30View.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098647918263
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Panda Firewall Service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\ntms32.exe (file missing)



PsService v1.1 - local and remote services viewer/controller
Copyright (C) 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com


SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Alerter
DEPENDENCIES      : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: ALG
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\alg.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Application Layer Gateway Service
DEPENDENCIES      :
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Application Management
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: aspnet_state
Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : ASP.NET State Service
DEPENDENCIES      :
SERVICE_START_NAME: NT AUTHORITY\NetworkService


SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : AudioGroup
TAG       : 0
DISPLAY_NAME      : Windows Audio
DEPENDENCIES      : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: BITS
Uses idle network bandwidth to transfer data.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Background Intelligent Transfer Service
DEPENDENCIES      : Rpcss
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Computer Browser
DEPENDENCIES      : LanmanWorkstation
: LanmanServer
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: cisvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\cisvc.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Indexing Service
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\clipsrv.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : ClipBook
DEPENDENCIES      : NetDDE
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: COMSysApp
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : COM+ System Application
DEPENDENCIES      : rpcss
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 30 seconds
FAILURE_ACTIONS   : Restart DELAY: 1000 seconds
: Restart   DELAY: 5000 seconds
: None  DELAY: 1000 seconds


SERVICE_NAME: CryptSvc
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Cryptographic Services
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : TDI
TAG       : 0
DISPLAY_NAME      : DHCP Client
DEPENDENCIES      : Tcpip
: Afd
: NetBT
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: dmadmin
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\dmadmin.exe /com
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Logical Disk Manager Administrative Service
DEPENDENCIES      : RpcSs
: PlugPlay
: DmServer
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: dmserver
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Logical Disk Manager
DEPENDENCIES      : RpcSs
: PlugPlay
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP  : TDI
TAG       : 0
DISPLAY_NAME      : DNS Client
DEPENDENCIES      : Tcpip
SERVICE_START_NAME: NT AUTHORITY\NetworkService


SERVICE_NAME: ERSvc
Allows error reporting for services and applictions running in non-standard environments.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Error Reporting Service
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Eventlog
Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP  : Event log
TAG       : 0
DISPLAY_NAME      : Event Log
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : Network
TAG       : 0
DISPLAY_NAME      : COM+ Event System
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: FastUserSwitchingCompatibility
Provides management for applications that require assistance in a multiple user environment.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Fast User Switching Compatibility
DEPENDENCIES      : TermService
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Help and Support
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS   : Restart DELAY: 100 seconds
: Restart   DELAY: 100 seconds
: None  DELAY: 100 seconds


SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 4  DISABLED
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Human Interface Device Access
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\imapi.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : IMAPI CD-Burning COM Service
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Server
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: lanmanworkstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : NetworkProvider
TAG       : 0
DISPLAY_NAME      : Workstation
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP  : TDI
TAG       : 0
DISPLAY_NAME      : TCP/IP NetBIOS Helper
DEPENDENCIES      : NetBT
: Afd
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: Messenger
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Messenger
DEPENDENCIES      : LanmanWorkstation
: NetBIOS
: PlugPlay
: RpcSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: mnmsrvc
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\mnmsrvc.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : NetMeeting Remote Desktop Sharing
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: MSDTC
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\msdtc.exe
LOAD_ORDER_GROUP  : MS Transactions
TAG       : 0
DISPLAY_NAME      : Distributed Transaction Coordinator
DEPENDENCIES      : RPCSS
: SamSS
SERVICE_START_NAME: NT AUTHORITY\NetworkService


SERVICE_NAME: MSIServer
Installs, repairs and removes software according to instructions contained in .MSI files.
TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\msiexec.exe /V
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Windows Installer
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP  : NetDDEGroup
TAG       : 0
DISPLAY_NAME      : Network DDE
DEPENDENCIES      : NetDDEDSDM
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: NetDDEdsdm
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Network DDE DSDM
DEPENDENCIES      :
: EGrLocalSystem
: Network DDE DSDM
: etwork DDE
: workService
: Distributed Transaction Coordinator
: ion
: onsole
: Ch
:
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP  : RemoteValidation
TAG       : 0
DISPLAY_NAME      : Net Logon
DEPENDENCIES      : LanmanWorkstation
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Network Connections
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Nla
Collects and stores network configuration and location information, and notifies applications when this information changes.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Network Location Awareness (NLA)
DEPENDENCIES      : Tcpip
: Afd
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : NT LM Security Support Provider
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: NtmsSvc
(null)
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Removable Storage
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: ose
Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Office Source Engine
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: PAVFIRES
(null)
TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Panda Firewall Service
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: PAVSRV
(null)
TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Panda anti-virus service
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: PlugPlay
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP  : PlugPlay
TAG       : 0
DISPLAY_NAME      : Plug and Play
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : IPSEC Services
DEPENDENCIES      : RPCSS
: Tcpip
: IPSec
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Protected Storage
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Remote Access Auto Connection Manager
DEPENDENCIES      : RasMan
: Tapisrv
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: RasMan
Creates a network connection.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Remote Access Connection Manager
DEPENDENCIES      : Tapisrv
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: RDSessMgr
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\sessmgr.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Remote Desktop Help Session Manager
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 4  DISABLED
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Routing and Remote Access
DEPENDENCIES      : RpcSS
: +NetBIOSGroup
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: RemoteRegistry
Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Remote Registry
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: NT AUTHORITY\LocalService
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS   : Restart DELAY: 1000 seconds


SERVICE_NAME: RpcLocator
Manages the RPC name service database.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\locator.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Remote Procedure Call (RPC) Locator
DEPENDENCIES      : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\NetworkService


SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost -k rpcss
LOAD_ORDER_GROUP  : COM Infrastructure
TAG       : 0
DISPLAY_NAME      : Remote Procedure Call (RPC)
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS   : Reboot  DELAY: 60000 seconds


SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\rsvp.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : QoS RSVP
DEPENDENCIES      : TcpIp
: Afd
: RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: SamSs
Stores security information for local user accounts.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP  : LocalValidation
TAG       : 0
DISPLAY_NAME      : Security Accounts Manager
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: SCardDrv
Enables support for legacy non-plug and play smart-card readers used by this computer. If this service is stopped, this computer will not support legacy reader. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Smart Card Helper
DEPENDENCIES      : +Smart Card Reader
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Smart Card
DEPENDENCIES      : PlugPlay
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : SchedulerGroup
TAG       : 0
DISPLAY_NAME      : Task Scheduler
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: seclogon
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Secondary Logon
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events.  Notifies COM+ Event System subscribers of these events.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : Network
TAG       : 0
DISPLAY_NAME      : System Event Notification
DEPENDENCIES      : EventSystem
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: SharedAccess
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
DEPENDENCIES      : Netman
: NLA
: RasMan
: ALG
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: ShellHWDetection
(null)
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : ShellSvcGroup
TAG       : 0
DISPLAY_NAME      : Shell Hardware Detection
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Spooler
Loads files to memory for later printing.
TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\spoolsv.exe
LOAD_ORDER_GROUP  : SpoolerGroup
TAG       : 0
DISPLAY_NAME      : Print Spooler
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS   : Restart DELAY: 60000 seconds
: Restart   DELAY: 60000 seconds
: None  DELAY: 0 seconds


SERVICE_NAME: srservice
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : System Restore Service
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: SSDPSRV
Enables discovery of UPnP devices on your home network.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : SSDP Discovery Service
DEPENDENCIES      :
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: stisvc
Provides image acquisition services for scanners and cameras.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k imgsvc
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Windows Image Acquisition (WIA)
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: SwPrv
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\System32\dllhost.exe /Processid:{F5D5B145-2A4D-4835-A484-39279F25FE9F}
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : MS Software Shadow Copy Provider
DEPENDENCIES      : rpcss
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\smlogsvc.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Performance Logs and Alerts
DEPENDENCIES      :
SERVICE_START_NAME: NT Authority\NetworkService


SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Telephony
DEPENDENCIES      : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: TermService
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Terminal Services
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Themes
Provides user experience theme management.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : UIGroup
TAG       : 0
DISPLAY_NAME      : Themes
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS   : Restart DELAY: 60000 seconds
: Restart   DELAY: 60000 seconds
: None  DELAY: 0 seconds


SERVICE_NAME: TlntSvr
Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\tlntsvr.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Telnet
DEPENDENCIES      : RPCSS
: TCPIP
: NTLMSSP
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: TrkWks
Maintains links between NTFS files within a computer or across computers in a network domain.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Distributed Link Tracking Client
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: UMWdf
Enables Windows user mode drivers.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\wdfmgr.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Windows User Mode Driver Framework
DEPENDENCIES      : RpcSs
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: uploadmgr
Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Upload Manager
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS   : Restart DELAY: 100 seconds
: Restart   DELAY: 100 seconds
: None  DELAY: 100 seconds


SERVICE_NAME: upnphost
Provides support to host Universal Plug and Play devices.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Universal Plug and Play Device Host
DEPENDENCIES      : SSDPSRV
SERVICE_START_NAME: NT AUTHORITY\LocalService
FAIL_RESET_PERIOD : -1 seconds
FAILURE_ACTIONS   : Restart DELAY: 0 seconds


SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\ups.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Uninterruptible Power Supply
DEPENDENCIES      :
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\vssvc.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Volume Shadow Copy
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: W32Time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Windows Time
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP  : NetworkProvider
TAG       : 0
DISPLAY_NAME      : WebClient
DEPENDENCIES      : MRxDAV
SERVICE_START_NAME: NT AUTHORITY\LocalService


SERVICE_NAME: winmgmt
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Windows Management Instrumentation
DEPENDENCIES      : RPCSS
: Eventlog
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS   : Restart DELAY: 60000 seconds
: Restart   DELAY: 60000 seconds


SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Portable Media Serial Number Service
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: Wmi
Provides systems management information to and from drivers.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Windows Management Instrumentation Driver Extensions
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: WmiApSrv
Provides performance library information from WMI HiPerf providers.
TYPE          : 10 WIN32_OWN_PROCESS
START_TYPE    : 3  DEMAND_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\wbem\wmiapsrv.exe
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : WMI Performance Adapter
DEPENDENCIES      : RPCSS
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: wuauserv
Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Automatic Updates
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: WZCSVC
Provides automatic configuration for the 802.11 adapters
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 1  NORMAL
BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP  : TDI
TAG       : 0
DISPLAY_NAME      : Wireless Zero Configuration
DEPENDENCIES      : RpcSs
: Ndisuio
SERVICE_START_NAME: LocalSystem


SERVICE_NAME: %AF夶À¨
(null)
TYPE          : 20 WIN32_SHARE_PROCESS
START_TYPE    : 2  AUTO_START
ERROR_CONTROL     : 0  IGNORE
BINARY_PATH_NAME  : C:\WINDOWS\ntms32.exe /s
LOAD_ORDER_GROUP  :
TAG       : 0
DISPLAY_NAME      : Workstation NetLogon Service
DEPENDENCIES      :
SERVICE_START_NAME: LocalSystem

Hope that some of you can find the time to help me once again. -And no, -I don't know what I did wrong...

TroelsM

Edited by mike_2000_17: Fixed formatting

0

What you did wrong was continue to use Internet Explorer :mrgreen:

Download about:Buster and unzip it to your Desktop. Doubleclick on AboutBuster.exe to run it and then click on Update > Check for Update. If there is an update available, click on 'Download Update and wait while it downloads. Once downloaded, click on Exit.

When you have done this, boot into Safe Mode (restart your PC and tap F8 as it restarts) and make sure that you can view hidden files and folders.

Close all open windows and run Hijack This again. Check the below entries and click on Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wfahz.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wfahz.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wfahz.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wfahz.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wfahz.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wfahz.dll/sp.html#10001
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {BAC5E68D-E458-C434-7DFA-97938DFC94F3} - C:\WINDOWS\system32\javavo.dll

O4 - HKLM\..\Run: [appbr32.exe] C:\WINDOWS\appbr32.exe
O4 - HKLM\..\RunOnce: [ntik32.exe] C:\WINDOWS\system32\ntik32.exe

O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\ntms32.exe (file missing)

Close Hijack This and run about:Buster again, click the 'Start' button and then click the 'OK' button. Let it scan (the scan can take some time to complete, so be patient.). Once the first scan has completed, it will ask you if you wish for about:Buster to scan once more. Click Yes and let it scan a second time. Once the second scan has finished, copy and paste the report to Notepad and save it on your drive.

To copy and paste the report to a log file, select (highlight) all of the text produced by the scan with your mouse, right-click and select 'Copy'.

Next, launch Notepad (click Start > Run > type notepad.exe and press enter). When the file is open, rightclick and select Paste. Click on File > Save As and save it in C:\ as Log.txt. Copy the log and post it back in this thread when you have rebooted.

While still in Safe Mode, run a search and make sure that all of the below files in bold have been deleted (if not delete them):

C:\WINDOWS\system32\wfahz.dll<----file
C:\WINDOWS\system32\javavo.dll<----file
C:\WINDOWS\appbr32.exe<----file
C:\WINDOWS\system32\ntik32.exe<----file

Reboot, reset your Home Page and run a Housecall scan. It will get rid of any remaining files. Post a new Hijack This log (and your About Buster log).

0

If you get your Critical Updates (as suggested in post #3), it may help prevent some of these attacks. SpywareBlaster (link in crunchie's sig) will also help.

0

I have done as you told me and it seems to do the trick. The housecall-thing found 12 trojans and as they could not be "cleaned" I pressed delete. OK?

The HJ-log:
Logfile of HijackThis v1.99.0
Scan saved at 18:52:24, on 22-01-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\TEXTware\HotKey\Twalink.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\TempVirusRemoval\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\da\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\Twalink.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} (Sony SNC-RZ30 Image Viewer) - http://151.204.174.22/home/SonySncRz30View.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098647918263
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Panda Firewall Service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

And the AboutBuster-log
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

That´s all for now.

TroelsM

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.