I've been hijacked by the looking-for.cc spy (Resolved)

  1. #1
    flew, Junior Member

    Hello,

    My IE has been hijacked by that pesky looking-for.cc spyware. I've run Adware, Spybot S&D, CW Shredder, Norton 2005 but it's still here.

    I've attached a Hijack This log.

    Can someone PLEASE help me?

    Thanks, Flew

    Logfile of HijackThis v1.98.2
    Scan saved at 8:29:16 PM, on 10/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Family\Desktop\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fgwte.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fgwte.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fgwte.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nppluuzaspkbm.com/d/HyrOF...XVlKtCQyg.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {E6B0FD47-235C-961C-D6D6-CAE8CB8289B9} - C:\WINDOWS\system32\sdkdv32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Creative Beep] C:\PROGRA~1\MIX1SE~1\Settings Pile Axis.exe
    O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
    O4 - HKLM\..\Run: [txpoxiqonkc] C:\WINDOWS\System32\ulmtyc.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [iprf32.exe] C:\WINDOWS\system32\iprf32.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [ntiq.exe] C:\WINDOWS\system32\ntiq.exe
    O4 - HKLM\..\Run: [Book Logo Test Cash] C:\Documents and Settings\All Users\Application Data\Option user book logo\Amok The.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [mskg32.exe] C:\WINDOWS\system32\mskg32.exe
    O4 - HKLM\..\Run: [apihd.exe] C:\WINDOWS\system32\apihd.exe
    O4 - HKLM\..\RunOnce: [winsj32.exe] C:\WINDOWS\system32\winsj32.exe
    O4 - HKLM\..\RunOnce: [appcd32.exe] C:\WINDOWS\appcd32.exe
    O4 - HKLM\..\RunOnce: [ipzf.exe] C:\WINDOWS\system32\ipzf.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab


  2. #2
    owen, D-A-L Team Member (UK)
    Post a new Hijack This log as well as one of these logs. Once you have generated the log and posted it do not reboot until your log has been analysed and instructions have been given. If you do, the whole fix is more than likely to fail.
    1. ActiveServices ...
      • Please download GetService.zip
      • Extract it to a new folder on the desktop. Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder. It will then open getservice.txt for you.
      • getservice.txt will list all active Services. Copy and paste the contents of getservice.txt in your next reply here.
    From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the service will have changed and the fix provided will not work.

  3. #3
    flew, Junior Member
    Thanks, Owen,

    Here is the latest Hijack This log:

    Logfile of HijackThis v1.98.2
    Scan saved at 10:20:27 PM, on 10/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\d3ag.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINDOWS\system32\iprf32.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Family\Desktop\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pxues.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pxues.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pxues.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://fnkcxdzxbcusct.com/O4s8382HUL...S/TyuQxsdE.jpg
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {E1855C39-8820-BABA-C94F-7C3D2AD1C652} - C:\WINDOWS\system32\sdkoa.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Creative Beep] C:\PROGRA~1\MIX1SE~1\Settings Pile Axis.exe
    O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
    O4 - HKLM\..\Run: [txpoxiqonkc] C:\WINDOWS\System32\ulmtyc.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [iprf32.exe] C:\WINDOWS\system32\iprf32.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [ntiq.exe] C:\WINDOWS\system32\ntiq.exe
    O4 - HKLM\..\Run: [Book Logo Test Cash] C:\Documents and Settings\All Users\Application Data\Option user book logo\Amok The.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [mskg32.exe] C:\WINDOWS\system32\mskg32.exe
    O4 - HKLM\..\Run: [apihd.exe] C:\WINDOWS\system32\apihd.exe
    O4 - HKLM\..\RunOnce: [winsj32.exe] C:\WINDOWS\system32\winsj32.exe
    O4 - HKLM\..\RunOnce: [appcd32.exe] C:\WINDOWS\appcd32.exe
    O4 - HKLM\..\RunOnce: [ipzf.exe] C:\WINDOWS\system32\ipzf.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab

    The getservices.txt will follow in the next post.

    Flew

  4. #4
    flew, Junior Member
    Owen,

    Here is the getservices.txt: Part one:


    PsService v1.1 - local and remote services viewer/controller
    Copyright (C) 2001-2003 Mark Russinovich
    Sysinternals - www.sysinternals.com

    SERVICE_NAME: Alerter
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Alerter
    DEPENDENCIES : LanmanWorkstation
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: ALG
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Application Layer Gateway Service
    DEPENDENCIES :
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: AppMgmt
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Application Management
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Ati HotKey Poller
    (null)
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\Ati2evxx.exe
    LOAD_ORDER_GROUP : Event log
    TAG : 0
    DISPLAY_NAME : Ati HotKey Poller
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ATI Smart
    (null)
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\ati2sgag.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : ATI Smart
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: AudioSrv
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : AudioGroup
    TAG : 0
    DISPLAY_NAME : Windows Audio
    DEPENDENCIES : PlugPlay
    : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: BITS
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Background Intelligent Transfer Service
    DEPENDENCIES : LanmanWorkstation
    : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Browser
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Computer Browser
    DEPENDENCIES : LanmanWorkstation
    : LanmanServer
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: C-DillaCdaC11BA
    (null)
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : C-DillaCdaC11BA
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ccEvtMgr
    Symantec Event Manager
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    LOAD_ORDER_GROUP : Symantec Services
    TAG : 0
    DISPLAY_NAME : Symantec Event Manager
    DEPENDENCIES : RPCSS
    : ccSetMgr
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ccPwdSvc
    Symantec Password Validation Service
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Symantec Password Validation
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ccSetMgr
    Symantec Settings Manager
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    LOAD_ORDER_GROUP : Symantec Services
    TAG : 0
    DISPLAY_NAME : Symantec Settings Manager
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: CiSvc
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\cisvc.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Indexing Service
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ClipSrv
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : ClipBook
    DEPENDENCIES : NetDDE
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: COMSysApp
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : COM+ System Application
    DEPENDENCIES : rpcss
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 30 seconds
    FAILURE_ACTIONS : Restart DELAY: 1000 seconds
    : Restart DELAY: 5000 seconds
    : None DELAY: 1000 seconds

    SERVICE_NAME: CryptSvc
    Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Cryptographic Services
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Dhcp
    Manages network configuration by registering and updating IP addresses and DNS names.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : TDI
    TAG : 0
    DISPLAY_NAME : DHCP Client
    DEPENDENCIES : Tcpip
    : Afd
    : NetBT
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: dmadmin
    Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Logical Disk Manager Administrative Service
    DEPENDENCIES : RpcSs
    : PlugPlay
    : DmServer
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: dmserver
    Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Logical Disk Manager
    DEPENDENCIES : RpcSs
    : PlugPlay
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Dnscache
    Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k NetworkService
    LOAD_ORDER_GROUP : TDI
    TAG : 0
    DISPLAY_NAME : DNS Client
    DEPENDENCIES : Tcpip
    SERVICE_START_NAME: NT AUTHORITY\NetworkService

    SERVICE_NAME: ERSvc
    Allows error reporting for services and applictions running in non-standard environments.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Error Reporting Service
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Eventlog
    Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
    LOAD_ORDER_GROUP : Event log
    TAG : 0
    DISPLAY_NAME : Event Log
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: EventSystem
    Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : Network
    TAG : 0
    DISPLAY_NAME : COM+ Event System
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: FastUserSwitchingCompatibility
    Provides management for applications that require assistance in a multiple user environment.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Fast User Switching Compatibility
    DEPENDENCIES : TermService
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: helpsvc
    Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Help and Support
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS : Restart DELAY: 100 seconds
    : Restart DELAY: 100 seconds
    : None DELAY: 100 seconds

    SERVICE_NAME: HidServ
    Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 4 DISABLED
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Human Interface Device Access
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ImapiService
    Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\imapi.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : IMAPI CD-Burning COM Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: lanmanserver
    Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Server
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: lanmanworkstation
    Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : NetworkProvider
    TAG : 0
    DISPLAY_NAME : Workstation
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: LmHosts
    Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP : TDI
    TAG : 0
    DISPLAY_NAME : TCP/IP NetBIOS Helper
    DEPENDENCIES : NetBT
    : Afd
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: Messenger
    Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Messenger
    DEPENDENCIES : LanmanWorkstation
    : NetBIOS
    : PlugPlay
    : RpcSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: mnmsrvc
    Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\mnmsrvc.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : NetMeeting Remote Desktop Sharing
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: MSDTC
    Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\msdtc.exe
    LOAD_ORDER_GROUP : MS Transactions
    TAG : 0
    DISPLAY_NAME : Distributed Transaction Coordinator
    DEPENDENCIES : RPCSS
    : SamSS
    SERVICE_START_NAME: NT AUTHORITY\NetworkService

    SERVICE_NAME: MSIServer
    Installs, repairs and removes software according to instructions contained in .MSI files.
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\msiexec.exe /V
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Windows Installer
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: navapsvc
    Handles Norton AntiVirus Auto-Protect events.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : "C:\Program Files\Norton AntiVirus\navapsvc.exe"
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Norton AntiVirus Auto-Protect Service
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: NetDDE
    Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
    LOAD_ORDER_GROUP : NetDDEGroup
    TAG : 0
    DISPLAY_NAME : Network DDE
    DEPENDENCIES : NetDDEDSDM
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: NetDDEdsdm
    Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Network DDE DSDM
    DEPENDENCIES :
    : EGrLocalSystem
    : Network DDE DSDM
    : etwork DDE
    : on AntiVirus Auto-Protect Service
    : n Coordinator
    : ion
    : er
    : plicar
    : 
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Netlogon
    Supports pass-through authentication of account logon events for computers in a domain.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
    LOAD_ORDER_GROUP : RemoteValidation
    TAG : 0
    DISPLAY_NAME : Net Logon
    DEPENDENCIES : LanmanWorkstation
    SERVICE_START_NAME: LocalSystem

    standby for part 2 in next post.
    Flew

  5. #5
    flew is offline Junior Member
    Owen,

    This is getservices.txt part 2:

    SERVICE_NAME: Netman
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Network Connections
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Nla
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Network Location Awareness (NLA)
    DEPENDENCIES : Tcpip
    : Afd
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: NPFMntor
    Detects installation of Symantec Firewall clients
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Norton AntiVirus Firewall Monitor Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: NtLmSsp
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : NT LM Security Support Provider
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: NtmsSvc
    (null)
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Removable Storage
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: O?’ŽrtñåȲ$Ó
    (null)
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\system32\d3ag.exe /s
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Workstation NetLogon Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: PlugPlay
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
    LOAD_ORDER_GROUP : PlugPlay
    TAG : 0
    DISPLAY_NAME : Plug and Play
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: PolicyAgent
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : IPSEC Services
    DEPENDENCIES : RPCSS
    : Tcpip
    : IPSec
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ProtectedStorage
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Protected Storage
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: RasAuto
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Remote Access Auto Connection Manager
    DEPENDENCIES : RasMan
    : Tapisrv
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: RasMan
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Remote Access Connection Manager
    DEPENDENCIES : Tapisrv
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: RDSessMgr
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Remote Desktop Help Session Manager
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: RemoteAccess
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 4 DISABLED
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Routing and Remote Access
    DEPENDENCIES : RpcSS
    : +NetBIOSGroup
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: RpcLocator
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\locator.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Remote Procedure Call (RPC) Locator
    DEPENDENCIES : LanmanWorkstation
    SERVICE_START_NAME: NT AUTHORITY\NetworkService

    SERVICE_NAME: RpcSs
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
    LOAD_ORDER_GROUP : COM Infrastructure
    TAG : 0
    DISPLAY_NAME : Remote Procedure Call (RPC)
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 0 seconds
    FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

    SERVICE_NAME: RSVP
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\rsvp.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : QoS RSVP
    DEPENDENCIES : TcpIp
    : Afd
    : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SamSs
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
    LOAD_ORDER_GROUP : LocalValidation
    TAG : 0
    DISPLAY_NAME : Security Accounts Manager
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SAVScan
    Handles Norton AntiVirus Auto-Protect Archive Scanning
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\Program Files\Norton AntiVirus\SAVScan.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : SAVScan
    DEPENDENCIES : SAVRT
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SBService
    (null)
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : ScriptBlocking Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SCardDrv
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Smart Card Helper
    DEPENDENCIES : +Smart Card Reader
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: SCardSvr
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Smart Card
    DEPENDENCIES : PlugPlay
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: Schedule
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : SchedulerGroup
    TAG : 0
    DISPLAY_NAME : Task Scheduler
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: seclogon.
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Secondary Logon
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SENS
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : Network
    TAG : 0
    DISPLAY_NAME : System Event Notification
    DEPENDENCIES : EventSystem
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SharedAccess
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
    DEPENDENCIES : Netman
    : NLA
    : RasMan
    : ALG
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ShellHWDetection
    (null)
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : ShellSvcGroup
    TAG : 0
    DISPLAY_NAME : Shell Hardware Detection
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SNDSrvc
    Symantec Network Drivers Service
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    LOAD_ORDER_GROUP : Symantec Services
    TAG : 0
    DISPLAY_NAME : Symantec Network Drivers Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SPBBCSvc
    Symantec SPBBC
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    LOAD_ORDER_GROUP : Symantec Services
    TAG : 0
    DISPLAY_NAME : Symantec SPBBCSvc
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Spooler
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
    LOAD_ORDER_GROUP : SpoolerGroup
    TAG : 0
    DISPLAY_NAME : Print Spooler
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS : Restart DELAY: 60000 seconds
    : Restart DELAY: 60000 seconds
    : None DELAY: 0 seconds

    SERVICE_NAME: srservice
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : System Restore Service
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SSDPSRV
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : SSDP Discovery Service
    DEPENDENCIES :
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: stisvc
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k imgsvc
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Windows Image Acquisition (WIA)
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SwPrv
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{85CBA3BC-9025-4E5A-AAA7-DBD297C966F6}
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : MS Software Shadow Copy Provider
    DEPENDENCIES : rpcss
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Symantec Core LC
    Symantec Core LC
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Symantec Core LC
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SysmonLog
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Performance Logs and Alerts
    DEPENDENCIES :
    SERVICE_START_NAME: NT Authority\NetworkService

    SERVICE_NAME: TapiSrv
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Telephony
    DEPENDENCIES : PlugPlay
    : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: TermService
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Terminal Services
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Themes
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : UIGroup
    TAG : 0
    DISPLAY_NAME : Themes
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS : Restart DELAY: 60000 seconds
    : Restart DELAY: 60000 seconds
    : None DELAY: 0 seconds

    SERVICE_NAME: TrkWks
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Distributed Link Tracking Client
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: uploadmgr
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Upload Manager
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS : Restart DELAY: 100 seconds
    : Restart DELAY: 100 seconds
    : None DELAY: 100 seconds

    SERVICE_NAME: upnphost
    Provides support to host Universal Plug and Play devices.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Universal Plug and Play Device Host
    DEPENDENCIES : SSDPSRV
    SERVICE_START_NAME: NT AUTHORITY\LocalService
    FAIL_RESET_PERIOD : -1 seconds
    FAILURE_ACTIONS : Restart DELAY: 0 seconds

    SERVICE_NAME: UPS
    Manages an uninterruptible power supply (UPS) connected to the computer.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Uninterruptible Power Supply
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: VSS
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Volume Shadow Copy
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: W32Tim

    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Windows Time
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: WebClient
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP : NetworkProvider
    TAG : 0
    DISPLAY_NAME : WebClient
    DEPENDENCIES : MRxDAV
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: winmgmt
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Windows Management Instrumentation
    DEPENDENCIES : RPCSS
    : Eventlog
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS : Restart DELAY: 60000 seconds
    : Restart DELAY: 60000 seconds

    SERVICE_NAME: WinToolsSvc
    (null)
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\Program Files\Common Files\WinTools\WToolsS.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : WinTools for IE service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: WmdmPmSN
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Portable Media Serial Number Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: WmiApSrv
    Provides performance library information from WMI HiPerf providers.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\wbem\wmiapsrv.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : WMI Performance Adapter
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: wuauserv
    Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Automatic Updates
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: WZCSVC
    Provides automatic configuration for the 802.11 adapters
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : TDI
    TAG : 0
    DISPLAY_NAME : Wireless Zero Configuration
    DEPENDENCIES : RpcSs
    : Ndisuio
    SERVICE_START_NAME: LocalSystem

    Thanks, again,

    Flew

  6. #6
    owen is offline D-A-L Team Member (UK)
    1. Download AboutBuster. Unzip it to c:\aboutbuster but don't run it yet. We'll do that later on down in this list in SAFE MODE.
    2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online. We need IE to remain closed throughout the process. With that in mind, read through the instructions and download all necessary files ahead of time. Opening IE may cause the fix to fail.
    3. Make sure your PC is configured to show hidden files. Open Windows Explorer & Go to "Tools" => "Folder Options". Click on the "View" tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK"
    4. Reboot to Safe Mode => How do I boot into safe mode?
    5. Next, go to Start => Run and type "Services.msc" (without quotes) then hit Ok. Scroll down and find the service called
      • Workstation NetLogon Service

      When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.
    6. Press control-alt-delete to get into the task manager and end the following processes if they exist:
      • d3ag.exe
    7. Run HijackThis and put checks next to all the following, then click "Fix Checked":
      • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pxues.dll/sp.html#28129
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pxues.dll/sp.html#28129
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pxues.dll/sp.html#28129
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://fnkcxdzxbcusct.com/O4s8382HU...PS/TyuQxsdE.jpg
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        R3 - Default URLSearchHook is missing
        O2 - BHO: (no name) - {E1855C39-8820-BABA-C94F-7C3D2AD1C652} - C:\WINDOWS\system32\sdkoa.dll
        O4 - HKLM\..\Run: [txpoxiqonkc] C:\WINDOWS\System32\ulmtyc.exe
        O4 - HKLM\..\Run: [iprf32.exe] C:\WINDOWS\system32\iprf32.exe
        O4 - HKLM\..\Run: [ntiq.exe] C:\WINDOWS\system32\ntiq.exe
        O4 - HKLM\..\Run: [mskg32.exe] C:\WINDOWS\system32\mskg32.exe
        O4 - HKLM\..\Run: [apihd.exe] C:\WINDOWS\system32\apihd.exe
        O4 - HKLM\..\RunOnce: [winsj32.exe] C:\WINDOWS\system32\winsj32.exe
        O4 - HKLM\..\RunOnce: [appcd32.exe] C:\WINDOWS\appcd32.exe
        O4 - HKLM\..\RunOnce: [ipzf.exe] C:\WINDOWS\system32\ipzf.exe
        O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
        O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
    8. Delete the following files if present (if you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked; if it is, uncheck it and try again):
      • O2 - BHO: (no name) - {E1855C39-8820-BABA-C94F-7C3D2AD1C652} - C:\WINDOWS\system32\sdkoa.dll
        C:\WINDOWS\System32\ulmtyc.exe
        C:\WINDOWS\system32\iprf32.exe
        C:\WINDOWS\system32\ntiq.exe
        C:\WINDOWS\system32\mskg32.exe
        C:\WINDOWS\system32\apihd.exe
        C:\WINDOWS\system32\winsj32.exe
        C:\WINDOWS\appcd32.exe
        C:\WINDOWS\system32\ipzf.exe
        C:\WINDOWS\system32\d3ag.exe
    9. Next, we will remove the offending service.
      1. Go to "Start" => "Run" and type in regedit and press "Enter".
      2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?’ŽrtñåȲ$Ó.
      3. If O?’ŽrtñåȲ$Ó exists, right-click on it and choose delete from the menu.
      4. Now navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?’ŽrtñåȲ$Ó
      5. If LEGACY_O?’ŽrtñåȲ$Ó exists then right-click on it and choose delete from the menu.
      6. If you have trouble deleting a key, click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.
    10. Browse to c:\aboutbuster and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. When finished, press the "Save log" button. I will want a copy of that log after all steps are completed here.
    11. Copy the contents of the Quote Box below (Listed after all steps) to Notepad. Name the file as fix.reg. Change the Save as Type to All Files. Save this file on the desktop.
    12. Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.
    13. Run Ad-Aware with the latest update.
      1. Download the latest version of Ad-Aware (Ad-Aware SE Build 1.03) from here.
      2. If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
      3. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
      4. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
      5. Once the definitions have been updated:
      6. Reconfigure Ad-Aware for Full Scan as per the following instructions:
        • Launch the program, and click on the Gear at the top of the start screen.
        • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
          • "Automatically save logfile"
          • "Automatically quarantine objects prior to removal"
          • Safe Mode (always request confirmation)
          • Prompt to update outdated confirmation) - Change to 7 days.
        • Click the "Scanning" button (On the left side).
        • Under Drives & Folders, select "Scan within Archives"
        • Click "Click here to select Drives + folders" and select your installed hard drives.
        • Under Memory & Registry, select all options.
        • Click the "Advanced" button (On the left hand side).
        • Under "Shell Integration", select "Move deleted files to Recycle Bin".
        • Under "Log-file detail", select all options.
        • Click on the "Defaults" button on the left.
        • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
        • Click the "Tweak" button (Again, on the left hand side).
        • Expand "Scanning Engine" (by clicking on the "+" (Plus) symbol) and select the following:
          • "Unload recognized processes during scanning."
          • "Obtain command line of scanned processes"
          • "Scan registry for all users instead of current user only"
        • Under "Cleaning Engine", select the following:
          • "Automatically try to unregister objects prior to deletion."
          • "During removal, unload explorer and IE if necessary"
          • "Let Windows remove files in use at next reboot."
          • "Delete quarantined objects after restoring"
        • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
        • Click on "Proceed" to save these Preferences.
        • Click on the "Scan Now" button on the left.
        • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
      7. Close all programs except ad-aware.
      8. Click on "Next" in the bottom right corner to start the scan.
      9. Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
      10. After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.
    14. Clean out temporary and temporary Internet files. Go to "Start" => "Run" and type in the box: "cleanmgr". Let it scan your system for files to remove. Make sure these 3 are checked and then press "ok" to remove:
      • Temporary Files
      • Temporary Internet Files
      • Recycle Bin
    15. Reboot to normal mode.
    16. NOTE: Two, possibly three files may have been deleted from your computer by the hijacker and may need to be replaced:
      • Control.exe. If control.exe is missing go to merijn and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.
      • hosts (with no extension). Download the Hoster. Press "Restore Original Hosts" and press "OK". Exit Program. Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.
      • SDHelper.dll (if you are using Spybot Search & Destroy). If you have Spybot S&D installed and SDHelper.dll is missing, replace it with this one. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
    17. Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended. In IE, click on "Tools" => "Internet Options" and under the "Security" tab, click on "Custom Level" and make sure that the following settings are correct:
      • Download signed ActiveX controls (Prompt)
      • Download unsigned ActiveX controls (Disable)
      • Initialize and script ActiveX controls not marked as safe (Disable)
      • Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
      • Script ActiveX controls marked safe for scripting (Prompt)
    18. Do an online scan at TrendMicro's site. Let it remove any infected files found.
    19. Finally, when you are all done, please post the new HJT log and the AboutBuster log here for review.
    Quote box for Step #11
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]
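
The five settings in step 17 are stored as DWORD values in the per-zone registry key, so they can be checked from a `.reg` export instead of by eye. The sketch below is an added example, not part of the original post: it assumes the Internet zone (`Zones\3` under HKCU), uses the standard URL action codes and the 0/1/3 policy values, and runs over a constructed export.

```python
import re

# Assumption: step 17 refers to the Internet zone, which is zone 3 under HKCU.
ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
            r"\CurrentVersion\Internet Settings\Zones\3")

# URL action code -> (setting name as listed in step 17, recommended value)
SETTINGS = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1200": ("Run ActiveX controls and plug-ins", 0),
    "1405": ("Script ActiveX controls marked safe for scripting", 1),
}
STATE = {0: "Enable", 1: "Prompt", 3: "Disable"}

SECTION = re.compile(r"^\[(-?)(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {lowercased key path: {value name: int}} for dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = SECTION.match(line)
        if m:
            # "[-KEY]" (as in the step 11 quote box) deletes a key; it holds no data.
            current = None if m.group(1) else keys.setdefault(m.group(2).lower(), {})
            continue
        m = DWORD.match(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return keys


def audit_zone(values):
    """Compare one zone's values with step 17; return the mismatches."""
    findings = []
    for code, (name, want) in SETTINGS.items():
        have = values.get(code)
        if have != want:
            shown = "not set" if have is None else STATE.get(have, f"unknown ({have})")
            findings.append((code, name, shown, STATE[want]))
    return findings


def audit_export(text):
    """Audit the Internet-zone section of a .reg export."""
    return audit_zone(parse_reg(text).get(ZONE_KEY.lower(), {}))


# Constructed sample: an export in which the three download/initialize
# settings have been switched to "Enable" (value 0).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1405"=dword:00000001
'''

if __name__ == "__main__":
    for code, name, have, want in audit_export(SAMPLE_EXPORT):
        print(f"{code}  {name}: is {have}, should be {want}")
```
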

  7. #7
    flew is offline Junior Member
    Owen,

    I've done it all and the problem seems to be corrected. Thanks VERY much. Here is the latest Hijack This log and the Aboutbuster log:

    Logfile of HijackThis v1.98.2
    Scan saved at 6:07:57 PM, on 10/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Family\Desktop\hijackthis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.adhqnqclglzcax.com/O4s838.../TyuQxsdE.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Creative Beep] C:\PROGRA~1\MIX1SE~1\Settings Pile Axis.exe
    O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [Book Logo Test Cash] C:\Documents and Settings\All Users\Application Data\Option user book logo\Amok The.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\RunOnce: [cetec] regedit.exe /s C:\DOCUME~1\Family\LOCALS~1\Temp\cetec.reg
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab

    Aboutbuster log in next post...

  8. #8
    flew is offline Junior Member
    Aboutbuster log:

    Scanned at: 4:02:45 PM on: 10/10/2004


    -- Scan 1 ---------------------------
    About:Buster Version 3.0
    Reference List : 15


    ADS not scanned System(FAT)
    Removed 3 Random Key Entries
    Deleted 1 Service Keys Successfully!
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!

    -- Scan 2 ---------------------------
    About:Buster Version 3.0
    Reference List : 15


    ADS not scanned System(FAT)
    Removed 3 Random Key Entries
    Attempted Clean Of Temp folder.
    Pages Reset... Done!


    Thanks, again, Owen.

    Cheers,
    Flew

  9. #9
    flew is offline Junior Member
    Owen,

    My IE seems to be running just fine; however, I still have the "looking-for.cc Search Extender" coming on at the bottom of the page. I cannot uninstall using their uninstall instructions.

    Is this related and is there a way to get rid of this Program?

    Thanks,

    Flew

  10. #10
    owen is offline D-A-L Team Member (UK)
    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.adhqnqclglzcax.com/O4s83...S/TyuQxsdE.html
    O4 - HKLM\..\Run: [Creative Beep] C:\PROGRA~1\MIX1SE~1\Settings Pile Axis.exe
    O4 - HKLM\..\Run: [Book Logo Test Cash] C:\Documents and Settings\All Users\Application Data\Option user book logo\Amok The.exe
    O4 - HKLM\..\RunOnce: [cetec] regedit.exe /s C:\DOCUME~1\Family\LOCALS~1\Temp\cetec.reg
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan

    Click Fix Checked

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Go to C:\documents and settings\family\local settings\temp and once in the folder click Edit> Select All. Then hit the delete key to get rid of the entire contents of the folder. Leave the folder itself intact though.

    Delete the following files and folders:
    C:\Program Files\MIX1SE~1
    C:\Documents and Settings\All Users\Application Data\Option user book logo
    C:\freescan

    Reboot and post a fresh log
