
Slow PC and lots of pop-ups

Discussion in 'Malware and Virus Removal Archive' started by noesis, 2004/12/03.

Thread Status:
Not open for further replies.
  1. 2004/12/03
    noesis

    noesis Inactive Thread Starter

    Joined:
    2004/12/03
    Messages:
    28
    Likes Received:
    0
    edit note: Title changed to one that indicates what the problem is. Since this was a first post and the log file was already posted, I just changed it. Please follow our posting rules and #3 calls for a meaningful thread title. Newt

    Hello,

    I am pretty sure that my computer has some viruses and trojans. I downloaded Hijack This. Would someone please tell me what I need to delete from my computer and how to best do that? Any tips involving Safe Mode etc. would be appreciated. I just want my computer to function again--it's painfully slow and the pop-ups never end. There is a HomeSearch homepage hijacker too.

    Please help...

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\Program Files\iMesh\Client\iMeshClient.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\javaau32.exe
    C:\WINDOWS\system32\sdkxp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\yktiir.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\Carl Rex Hubbard II\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zhbdk.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zhbdk.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zhbdk.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zhbdk.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zhbdk.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zhbdk.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zhbdk.dll/sp.html#29126
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {D7AC65FF-C9B6-66D9-0935-85FAF279CD1E} - C:\WINDOWS\appdx.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe "
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [hnobiutbhdkfo] C:\WINDOWS\System32\zltvcevu.exe
    O4 - HKLM\..\Run: [netle.exe] C:\WINDOWS\system32\netle.exe
    O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p DOT4_001 -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
    O4 - HKLM\..\Run: [addfl.exe] C:\WINDOWS\system32\addfl.exe
    O4 - HKLM\..\Run: [abu] abu.exe
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [javaau32.exe] C:\WINDOWS\system32\javaau32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PSD Tools Channel] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
    O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WordSmart Tray Icon.lnk = C:\Program Files\Smartek\WordSmart\trayicon.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...c4c1b056f368:c05c8ac2b23f939ff11a0351cafa03db
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {40D61F04-59E4-4C8D-BF6E-697AB9C21F43} - http://www.instantchess.com/applet/chessbar.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} - http://www.jraun.com/activex/src/KeyActivexTest.ocx
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
     
  2. 2004/12/03
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Hi noesis and welcome to the forum.

    You have a variety of baddies that are causing you problems.

    Download LSPFix but don't use it. A safety precaution as fixing several of the infestations you have can break internet access and if that happens, you'll want to run the fix.

    In quicklinks (from my signature) you need to get the following and run them in this order. The first will run as downloaded. The next two need to have you update right after the install and then run. Let all of them clean what they find. In the listed order please.

    - CWShredder 2.0
    - Ad-Aware SE
    - Spybot v1.3

    After that is done, do a new HJT log and post it but please post the whole thing. Some useful bits are missing from the one you put here. Make sure you are running version 1.98.2 of HJT.
     
    Newt,
    #2


  4. 2004/12/03
    noesis

    Thank you so much, Newt. My jaw dropped when I saw how many items Ad-Aware SE detected--over 2000! I did as you said; here is the new log.



    Logfile of HijackThis v1.98.2
    Scan saved at 11:51:57 PM, on 12/3/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\tp4serv.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\WINDOWS\System32\RunDll32.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Smartek\WordSmart\trayicon.exe
    C:\Program Files\iMesh\Client\iMeshClient.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Aware.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Carl Rex Hubbard II\My Documents\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zhbdk.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {D7AC65FF-C9B6-66D9-0935-85FAF279CD1E} - (no file)
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe "
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [hnobiutbhdkfo] C:\WINDOWS\System32\zltvcevu.exe
    O4 - HKLM\..\Run: [netle.exe] C:\WINDOWS\system32\netle.exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p DOT4_001 -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [addfl.exe] C:\WINDOWS\system32\addfl.exe
    O4 - HKLM\..\Run: [abu] abu.exe
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [javaau32.exe] C:\WINDOWS\system32\javaau32.exe
    O4 - HKLM\..\Run: [lwfyvoz] c:\windows\lwfyvoz.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PSD Tools Channel] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WordSmart Tray Icon.lnk = C:\Program Files\Smartek\WordSmart\trayicon.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {40D61F04-59E4-4C8D-BF6E-697AB9C21F43} - http://www.instantchess.com/applet/chessbar.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
     
  5. 2004/12/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    My recommendations are as follows. You should print this out and/or save it to text where you can access it in safe mode. It's very important to follow the instructions completely, and in the order given.

    From add/remove programs, uninstall PSD Tools ChannelUp v1.0 and PSDT Messaging Integration.

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zhbdk.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {D7AC65FF-C9B6-66D9-0935-85FAF279CD1E} - (no file)
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O4 - HKLM\..\Run: [hnobiutbhdkfo] C:\WINDOWS\System32\zltvcevu.exe
    O4 - HKLM\..\Run: [netle.exe] C:\WINDOWS\system32\netle.exe
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [addfl.exe] C:\WINDOWS\system32\addfl.exe
    O4 - HKLM\..\Run: [abu] abu.exe
    O4 - HKLM\..\Run: [javaau32.exe] C:\WINDOWS\system32\javaau32.exe
    O4 - HKLM\..\Run: [lwfyvoz] c:\windows\lwfyvoz.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PSD Tools Channel] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Click NO to restart. This will restart your computer in safe mode after rebooting later.


    Download AboutBuster from one of the following locations.


    http://www.atribune.org/downloads/AboutBuster.zip

    http://tools.zerosrealm.com/AboutBuster.zip

    http://www.downloads.subratam.org/AboutBuster.zip


    First unzip all files from the zip folder to a folder or your desktop. Double click AboutBuster.exe and click ok, then update. A new screen should popup. On that screen click Check for Updates. If it says it found an update click Download Updates. If it doesn't, it will automatically tell you and exit.
    Close ALL Internet Explorer windows. This is a very important step!!
    Click start and then Ok. The program should start scanning. Wait for it to finish (may take a while), then hit exit and reboot. Log on to your user account in safe mode.

    Now in safe mode, you will need to show hidden files and folders, as well as system files.

    Open C:\WINDOWS and delete the file lwfyvoz.exe if present.
    Open C:\WINDOWS\system32 and delete the files addfl.exe, netle.exe, javaau32.exe and zltvcevu.exe if present.
    Open C:\Program Files and delete the folders buddylinks.net and Windows TaskAd if present.
    Open C:\Program Files\Common Files and delete the folder PSD Tools if present.
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open C:\Windows\Prefetch, select all and delete.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.

    Run AboutBuster again.

    Run Ad-aware in full scan mode. Delete anything it finds.

    Uncheck the /safeboot box in msconfig and ok to reboot.

    Back in Windows, you can re-enable system restore. You should visit Windows Update. I recommend you accept all critical updates.
    Reboot and go back to Windows Update until there are no more criticals offered.

    Then, scan your PC with RAV. If any files are infected and uncleanable, click the report button then copy and paste it here, along with a new HijackThis log.
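
    The fix list in the post above is picked by eye from the HijackThis log. As an added example (not part of the original post, and not HijackThis's or the helper's own logic), the sketch below parses the log's `code - body` line format and flags entries for manual review. The four rules are assumptions drawn only from patterns visible in the logs posted in this thread; the sample lines are copied from those logs.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code body")

# "R1 - ...", "O4 - ...", "O16 - ...": section code, " - ", then the entry body.
LINE_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")
# O4 registry autostarts look like: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_log(text):
    """Return the R/F/N/O entries of a HijackThis log, skipping the header
    and the running-process list (those lines do not match LINE_RE)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entry):
    """Return a list of reasons why an entry deserves a closer look.
    These are review hints (assumptions), not verdicts."""
    reasons = []
    low = entry.body.lower()
    # Rule 1: IE start/search page pointing into a DLL resource on disk.
    if entry.code in ("R0", "R1") and "= res://" in low and ".dll/" in low:
        reasons.append("IE search/start page served from a local DLL resource")
    # Rule 2: Browser Helper Object still registered although its file is gone.
    if entry.code == "O2" and low.endswith("(no file)"):
        reasons.append("BHO registered but its file is missing")
    # Rules 3a/3b: Run-key autostarts.
    if entry.code == "O4":
        m = RUN_RE.match(entry.body)
        if m:
            name = m.group("name").lower()
            cmd = m.group("cmd").strip().strip('"').lower()
            if name.endswith(".exe") and cmd.endswith("\\" + name):
                reasons.append("Run value is named after its own executable")
            if "\\temp\\" in cmd:
                reasons.append("autostart runs from a temp directory")
    # Rule 4: ActiveX control whose codebase is a local file, not a web URL.
    if entry.code == "O16" and "file://" in low:
        reasons.append("ActiveX codebase is a local file")
    return reasons


def flagged(text):
    """Parse a log and return (entry, reasons) for every entry that matched a rule."""
    result = []
    for entry in parse_log(text):
        reasons = triage(entry)
        if reasons:
            result.append((entry, reasons))
    return result


# Sample input: lines copied from the two logs posted in this thread.
SAMPLE = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zhbdk.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [netle.exe] C:\WINDOWS\system32\netle.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
"""

if __name__ == "__main__":
    for entry, reasons in flagged(SAMPLE):
        print(f"{entry.code:<4}{entry.body}")
        for reason in reasons:
            print(f"      review: {reason}")
```

    An entry that matches no rule is not thereby clean: several items on the fix list above (for example `[abu] abu.exe`) match none of these patterns and were identified by the helper's own knowledge.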
     
  6. 2004/12/04
    noesis

    Noah,

    Thank you for helping me. Here are some issues:

    1) I did everything you said to do, except that I could not find C:\Documents and settings\username\Local Settings\temp. For some reason, even a search does not reveal that this file exists, yet when I performed the RAV scan, it showed that there were many viruses in this folder. Here is a partial list (it's still scanning):

    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temp\sdexe.exe->(UPXW)->(EXEEmb) - Clicker:Win32/BuddyLinks.A -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\0MWUGWIS\OLD[1].CHM->/old.htm->(SCRIPT0001) - JS/Psyme.gen* -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\25XQNMXG\OLD[1].CHM->/old.htm->(SCRIPT0001) - JS/Psyme.gen* -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\A36ZIXQ3\CA7E4JB5.htm->(SCRIPT0002) - JS/Inor.M* -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\D8C1ZO1E\NETWIN[1].CHM->/netwin.htm->(SCRIPT0000) - JS/Psyme.AC* -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\DBF7PL8E\NETWIN[1].CHM->/netwin.htm->(SCRIPT0000) - JS/Psyme.AC* -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\DBF7PL8E\NETWIN[2].CHM->/netwin.htm->(SCRIPT0000) - JS/Psyme.AC* -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\DBF7PL8E\NETWIN[3].CHM->/netwin.htm->(SCRIPT0000) - JS/Psyme.AC* -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\SXABC5Q3\main[1].chm->/main.htm->(EncScript) - JS/Psyme.F* -> Suspicious
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\SXABC5Q3\main[1].chm->/main.htm->(SCRIPT0000)->(EncScript) - JS/Psyme.F* -> Suspicious
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\WDYJSDEV\NETWIN[1].CHM->/netwin.htm->(SCRIPT0000) - JS/Psyme.AC* -> Infected

    2) For a little while, my Google homepage was able to be maintained, and yet when I opened an Internet Explorer window, the HomeSearch came back, along with pop-ups. Could it be that these last folders that I was unable to find and delete are the ones causing this tenacious HomeSearch to remain?

    3) For some reason, every time I put the mouse on one of the small icons near the clock, it disappears, and one disappears each time I run the mouse over them until no more can disappear. Very strange. But please don't address this if it's unrelated and would sidetrack you.

    I'll post more information in another post, after the virus scan finishes and I can post a new HijackThis log.
     
    Last edited: 2004/12/04
  7. 2004/12/04
    noesis

    Statistics

    Scanned files: 59007
    Scanned directories: 2363
    Scanned archives: 6767
    Size of the scanned files: 2048740556
    Packed files: 1282
    Known viruses found: 274
    Virus bodies: 9
    Suspicious files: 19

    Disinfected files: 0
    Deleted files: 0
    Renamed files: 0
    Copied files: 0
    I/O errors: 0
    Warnings: 0
    Corrupted files: 0
    New files: 223458
    Mail files: 90




    Found viruses
    File: C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temp\sdexe.exe->(UPXW)->(EXEEmb)
    Virus: Clicker:Win32/BuddyLinks.A Status: Infected

    File: C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\0MWUGWIS\OLD[1].CHM->/old.htm->(SCRIPT0001)
    Virus: JS/Psyme.gen* Status: Infected

    File: C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\25XQNMXG\OLD[1].CHM->/old.htm->(SCRIPT0001)
    Virus: JS/Psyme.gen* Status: Infected

    File: C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\A36ZIXQ3\CA7E4JB5.htm->(SCRIPT0002)
    Virus: JS/Inor.M* Status: Infected

    File: C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\D8C1ZO1E\NETWIN[1].CHM->/netwin.htm->(SCRIPT0000)
    Virus: JS/Psyme.AC* Status: Infected

    File: C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\DBF7PL8E\NETWIN[1].CHM->/netwin.htm->(SCRIPT0000)
    Virus: JS/Psyme.AC* Status: Infected

    File: C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\DBF7PL8E\NETWIN[2].CHM->/netwin.htm->(SCRIPT0000)
    Virus: JS/Psyme.AC* Status: Infected

    File: C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\DBF7PL8E\NETWIN[3].CHM->/netwin.htm->(SCRIPT0000)
    Virus: JS/Psyme.AC* Status: Infected

    File: C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\SXABC5Q3\main[1].chm->/main.htm->(EncScript)
    Virus: JS/Psyme.F* Status: Suspicious

    File: C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\SXABC5Q3\main[1].chm->/main.htm->(SCRIPT0000)->(EncScript)
    Virus: JS/Psyme.F* Status: Suspicious

    File: C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\WDYJSDEV\NETWIN[1].CHM->/netwin.htm->(SCRIPT0000)
    Virus: JS/Psyme.AC* Status: Infected

    File: C:\System Volume Information\_restore{9FC2F40A-B7C7-41E6-B708-78AAD602C207}\RP1\A0000005.ini->ADS:xcuzh
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\System Volume Information\_restore{9FC2F40A-B7C7-41E6-B708-78AAD602C207}\RP1\A0000005.ini->ADS:nubzo
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\1024 x 768 IBM Leaves Quote.bmp->ADS:xxcbo
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\1024 x 768 IBM Leaves Quote.bmp->ADS:vzyps
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\1024 x 768 IBM Mechanical.bmp->ADS:tnhiz
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\1024 x 768 IBM Mechanical.bmp->ADS:jwshf
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\1024 x 768 IBM Mechanical.bmp->ADS:fjgnu
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\1280 x 1024 IBM Americas Map.bmp->ADS:zscyu
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\1280 x 1024 IBM Americas Map.bmp->ADS:mebry
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\1280 x 1024 IBM Americas Map.bmp->ADS:kekth
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\1280 x 1024 IBM Leaves Quote.bmp->ADS:kwswk
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: C:\WINDOWS\1280 x 1024 IBM Mechanical.bmp->ADS:ybzsw
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\1280 x 1024 IBM Mechanical.bmp->ADS:pyvgq
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\1280 x 1024 IBM Mechanical.bmp->ADS:najuu
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\1280 x 1024 IBM Mechanical.bmp->ADS:lgrwb
    Virus: TrojanDownloader:Win32/Agent.Z Status: Infected

    File: C:\WINDOWS\1400 x 1050 IBM Americas Map.bmp->ADS:xjfxu
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\1400 x 1050 IBM Americas Map.bmp->ADS:qruqm
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Suspicious

    File: C:\WINDOWS\1400 x 1050 IBM Americas Map.bmp->ADS:alahw
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\1400 x 1050 IBM Leaves Quote.bmp->ADS:utcrb
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\1400 x 1050 IBM Leaves Quote.bmp->ADS:ngyzy
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\1400 x 1050 IBM Leaves Quote.bmp->ADS:eetwt
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\1400 x 1050 IBM Mechanical.bmp->ADS:imveq
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\1600 x 1200 IBM Americas Map.bmp->ADS:tjgjm
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\1600 x 1200 IBM Americas Map.bmp->ADS:smsuy
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\1600 x 1200 IBM Americas Map.bmp->ADS:qxdbq
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\1600 x 1200 IBM Americas Map.bmp->ADS:qkxdo
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\1600 x 1200 IBM Americas Map.bmp->ADS:plfah
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Suspicious

    File: C:\WINDOWS\1600 x 1200 IBM Leaves Quote.bmp->ADS:ftnxd
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\1600 x 1200 IBM Mechanical.bmp->ADS:vydgg
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\1600 x 1200 IBM Mechanical.bmp->ADS:svtyh
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\1600 x 1200 IBM Mechanical.bmp->ADS:aegjs
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\800 x 600 IBM Americas Map.bmp->ADS:syrsx
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\800 x 600 IBM Americas Map.bmp->ADS:mkyoo
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\800 x 600 IBM Americas Map.bmp->ADS:iqvgl
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\800 x 600 IBM Americas Map.bmp->ADS:gtwdy
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\800 x 600 IBM Americas Map.bmp->ADS:gjhgi
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\800 x 600 IBM Americas Map.bmp->ADS:dzucn
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\800 x 600 IBM Leaves Quote.bmp->ADS:qrlij
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\800 x 600 IBM Leaves Quote.bmp->ADS:nchxv
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\800 x 600 IBM Mechanical.bmp->ADS:nspsm
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\800 x 600 IBM Mechanical.bmp->ADS:knmeb
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\addsf32.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\addui.dll
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: C:\WINDOWS\apicq.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\apihd.dll
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: C:\WINDOWS\apimp.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\apiqv.exe.bak
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\appmu.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\appoi32.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\atlbx.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\atlfd32.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\atloe.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\Blue Lace 16.bmp->ADS:jjcpw
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\Blue Lace 16.bmp->ADS:gyvun
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\bootstat.dat->ADS:uyysu
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\bootstat.dat->ADS:hvxtx
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\bootstat.dat->ADS:eywng
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\cdsny.dll
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Suspicious

    File: C:\WINDOWS\Coffee Bean.bmp->ADS:anoql
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\comsetup.log->ADS:jsjzp
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\comsetup.log->ADS:hvanh
    Virus: TrojanDownloader:Win32/Agent.Z Status: Infected

    File: C:\WINDOWS\comsetup.log->ADS:cnzke
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\crmo32.dll
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: C:\WINDOWS\crta.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\d3jz.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\dasetup.log->ADS:rjcmc
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\desktop.ini->ADS:juxih
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Suspicious

    File: C:\WINDOWS\desktop.ini->ADS:cupvi
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\desktop.ini->ADS:bgbne
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\Directx.log->ADS:sqjjw
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\DtcInstall.log->ADS:izuqs
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\emule.INI->ADS:silaz
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\emule.INI->ADS:rgfos
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\emule.INI->ADS:ejaoh
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\explorer.scf->ADS:wqmgu
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\explorer.scf->ADS:hcieq
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Suspicious

    File: C:\WINDOWS\explorer.scf->ADS:guvmx
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\explorer.scf->ADS:azmwu
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\FaxSetup.log->ADS:wxums
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\FaxSetup.log->ADS:pxsqj
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\FaxSetup.log->ADS:ljeft
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\FeatherTexture.bmp->ADS:exvvv
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\Gone Fishing.bmp->ADS:ujhxq
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\Gone Fishing.bmp->ADS:uejql
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\Gone Fishing.bmp->ADS:hykdm
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\Greenstone.bmp->ADS:meben
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\HJEFJLMQ.ini->ADS:xcuzh
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\HJEFJLMQ.ini->ADS:pqnsh
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Suspicious

    File: C:\WINDOWS\HJEFJLMQ.ini->ADS:nubzo
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\hpbvnstp.his->ADS:ycmqe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\hpbvnstp.his->ADS:puooi
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\hpbvspst.his->ADS:fmuer
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\hpbvspst.ini->ADS:wfppl
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\hpbvspst.ini->ADS:rcevy
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\hplj1010.his->ADS:anytk
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\Ibm.scr->ADS:zzkuq
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\Ibm.scr->ADS:ztcvi
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\iis6.log->ADS:wktif
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\iis6.log->ADS:vkkly
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\iis6.log->ADS:nbgsm
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\iis6.log->ADS:kqtcx
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\iis6.log->ADS:iiykj
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\iis6.log->ADS:grlkc
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\iis6.log->ADS:bjbkq
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\imsins.BAK->ADS:zuqfm
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\imsins.BAK->ADS:vycvk
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\imsins.BAK->ADS:itbtt
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\imsins.BAK->ADS:dzlrc
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\imsins.BAK->ADS:ctjre
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\imsins.log->ADS:tjlqk
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\imsins.log->ADS:qqxif
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\ipep32.dll
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: C:\WINDOWS\ipfz32.dll
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: C:\WINDOWS\ipfz32.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\ippf32.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\iptx32.dll
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\javahk32.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\Launcher.ini->ADS:zhiqc
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\Launcher.ini->ADS:wmers
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\Launcher.ini->ADS:klesv
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\lbbho.ini->ADS:xfnhp
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\lbbho.ini->ADS:rwtmn
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\lbbho.ini->ADS:iicop
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\mfcgl32.dll
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: C:\WINDOWS\msdfmap.ini->ADS:zupnz
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\msdfmap.ini->ADS:qctxf
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\msdfmap.ini->ADS:fdete
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\msek.dll
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: C:\WINDOWS\msgsocm.log->ADS:otubo
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\msjy.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\mspn32.dll
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: C:\WINDOWS\mstx32.dll
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: C:\WINDOWS\netgi32.dll
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: C:\WINDOWS\netsu32.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\netvk32.dll
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: C:\WINDOWS\nsw.log->ADS:wzdmq
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\nsw.log->ADS:krifr
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Suspicious

    File: C:\WINDOWS\nsw.log->ADS:jkfjt
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Suspicious

    File: C:\WINDOWS\nsw.log->ADS:gugey
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\nsw.log->ADS:eaayz
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\nsw.log->ADS:duofg
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\ntdtcsetup.log->ADS:rlcqz
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\ntdtcsetup.log->ADS:gjqmf
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected
     
  8. 2004/12/04
    noesis

    noesis Inactive Thread Starter

    Joined:
    2004/12/03
    Messages:
    28
    Likes Received:
    0
    I am unable to post the rest of what RAV found (what is posted is only half), because it says I have "too many images" in my signature.

    Needless to say, there are many more infected files than the ones listed. Here, at least, is a new Hijack This log:

    Logfile of HijackThis v1.98.2
    Scan saved at 4:00:15 AM, on 12/4/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\iMesh\Client\iMeshClient.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\sdkxp.exe
    C:\WINDOWS\d3sn.exe
    C:\WINDOWS\System32\cmd.exe
    C:\WINDOWS\System32\tibs3.exe
    C:\Documents and Settings\Carl Rex Hubbard II\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cdsny.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cdsny.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cdsny.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cdsny.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cdsny.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cdsny.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cdsny.dll/sp.html#29126
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {D7AC65FF-C9B6-66D9-0935-85FAF279CD1E} - C:\WINDOWS\appdx.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe "
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p DOT4_001 -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [d3sn.exe] C:\WINDOWS\d3sn.exe
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WordSmart Tray Icon.lnk = C:\Program Files\Smartek\WordSmart\trayicon.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {40D61F04-59E4-4C8D-BF6E-697AB9C21F43} - http://www.instantchess.com/applet/chessbar.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab




    When I run Hijack This, it tells me that it appears to be started from a temporary folder. Should I be worried about this? And if so, how do I correct the situation? Thanks again.
     
  9. 2004/12/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I suggest you first install an antivirus program, update and run a full system scan. My first choice would be eTrust, which has a 1 year free trial available (Ignore the posted expiration date. They have renewed the offer.). It also has a firewall with it, another important program for you to have. There are other good programs available totally free, such as AVG, which you can find in Newt's signature under Quicklinks. If you opt for one of these, get a third party firewall as well.

    Additionally, scan with at least two of the following online scanners, allowing them to clean what they will. Finish up with another RAV scan, again posting the report, and another new HJT log.

    eTrust online in my signature.
    http://housecall.antivirus.com/
    http://www.pandasoftware.es/actives...ivescan-com.asp
    http://www.bitdefender.com/
    http://www.kaspersky.com/remoteviruschk.html

    You still need the Windows Updates too. Your computer is open to many vulnerabilities until properly patched.
     
  10. 2004/12/04
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Yup. Some of the baddies came back. They tend to do that if all traces aren't removed.

    A couple of things to add on to what noahdfear recommended:

    - in Windows Explorer, go into Tools => Folder Options => View and set to see all hidden files, system files (ignore the warning) and to see all file extensions. I think the Temp folder will show up then.

    - turn off system restore until you get the PC cleaned. It is probably saving some baddies in the restore area and in that case they can spring back to life from what is stored. SR is a good safety item if the PC is clean but at times like this it can be a danger to you.

    There will for sure be several more iterations (at least) of cleaning things to do before you are done but stay with it and we'll get you running without all the extra trash that is causing you problems now.
     
  11. 2004/12/05
    noesis

    noesis Inactive Thread Starter

    Joined:
    2004/12/03
    Messages:
    28
    Likes Received:
    0
    Hey Newt,

    This question may get an award for utter stupidity, but anyway, how do you find 'windows explorer' so you can find the 'tools', etc.? I could not find it when I looked in 'all programs', so I did a search. What came up was 'Windows Explorer' that presented all of the different folders on the left, etc., but I did not see any 'tools' folder, and I cannot find the relevant tools folder via search.

    Here's a new RAV log. Thanks again, guys.

    Scan started at 12/5/2004 12:59:05 AM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temp\sdexe.exe->(UPXW)->(EXEEmb) - Clicker:Win32/BuddyLinks.A -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\0MWUGWIS\OLD[1].CHM->/old.htm->(SCRIPT0001) - JS/Psyme.gen* -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\25XQNMXG\OLD[1].CHM->/old.htm->(SCRIPT0001) - JS/Psyme.gen* -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\A36ZIXQ3\CA7E4JB5.htm->(SCRIPT0002) - JS/Inor.M* -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\D8C1ZO1E\NETWIN[1].CHM->/netwin.htm->(SCRIPT0000) - JS/Psyme.AC* -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\DBF7PL8E\NETWIN[1].CHM->/netwin.htm->(SCRIPT0000) - JS/Psyme.AC* -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\DBF7PL8E\NETWIN[2].CHM->/netwin.htm->(SCRIPT0000) - JS/Psyme.AC* -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\DBF7PL8E\NETWIN[3].CHM->/netwin.htm->(SCRIPT0000) - JS/Psyme.AC* -> Infected
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\SXABC5Q3\main[1].chm->/main.htm->(EncScript) - JS/Psyme.F* -> Suspicious
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\SXABC5Q3\main[1].chm->/main.htm->(SCRIPT0000)->(EncScript) - JS/Psyme.F* -> Suspicious
    C:\Documents and Settings\Carl Rex Hubbard II\Local Settings\Temporary Internet Files\Content.IE5\WDYJSDEV\NETWIN[1].CHM->/netwin.htm->(SCRIPT0000) - JS/Psyme.AC* -> Infected
    C:\WINDOWS\1280 x 1024 IBM Americas Map.bmp->ADS:zscyu - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\1280 x 1024 IBM Mechanical.bmp->ADS:lgrwb - TrojanDownloader:Win32/Agent.Z -> Infected
    C:\WINDOWS\1400 x 1050 IBM Americas Map.bmp->ADS:zpvwn - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\1400 x 1050 IBM Americas Map.bmp->ADS:qruqm - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\1600 x 1200 IBM Americas Map.bmp->ADS:plfah - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\800 x 600 IBM Americas Map.bmp->ADS:gtwdy - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\800 x 600 IBM Americas Map.bmp->ADS:gjhgi - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\Blue Lace 16.bmp->ADS:jjcpw - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\cdsny.dll - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\comsetup.log->ADS:hvanh - TrojanDownloader:Win32/Agent.Z -> Infected
    C:\WINDOWS\d3sn.exe - TrojanDownloader:Win32/Agent.Z -> Infected
    C:\WINDOWS\dasetup.log->ADS:rjcmc - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\desktop.ini->ADS:juxih - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\explorer.scf->ADS:hcieq - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\HJEFJLMQ.ini->ADS:pqnsh - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\iis6.log->ADS:wktif - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\iis6.log->ADS:grlkc - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\Launcher.ini->ADS:wmers - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\msdfmap.ini->ADS:fdete - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\nsw.log->ADS:krifr - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\nsw.log->ADS:jkfjt - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\nsw.log->ADS:gugey - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\ocgen.log->ADS:yxnwe - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\ocmsn.log->ADS:ynsiy - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\ocmsn.log->ADS:cjkzx - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\OEWABLog.txt->ADS:xwuqu - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\orun32.ini->ADS:arlqh - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\Q308387.log->ADS:qtubs - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\Q308677.log->ADS:qitlg - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\regopt.log->ADS:bhbot - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\setupact.log->ADS:kjuye - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\tvyig.dll - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\twunk_16.exe->ADS:zqfrc - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\UNWISE.EXE->ADS:xwahw - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\vursg.dll - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\Welcome.ini->ADS:vgwvt - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\Windows Update.log->ADS:kgqtn - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\WMSysPr9.prx->ADS:lzgwn - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\WMSysPrx.prx->ADS:ambho - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\system32\dqtsw.dll - TrojanDownloader:Win32/WinShow.AK -> Suspicious
    C:\WINDOWS\system32\yqcid.dll - TrojanDownloader:Win32/WinShow.AK -> Suspicious

    Scanned
    ============================
    Objects: 60961
    Directories: 2609
    Archives: 6825
    Size(Kb): -1703094
    Infected files: 28

    Found
    ============================
    Viruses found: 6
    Suspicious files: 24
    Disinfected files: 0
    Mail files: 92
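
Added example, not part of the original posts: comparing the two RAV reports posted in this thread entry by entry shows which detections persisted between scans, which were no longer reported, and which appear only in the later scan. The sample input is a handful of entries excerpted from the two reports, and the function names are this example's own.

```python
import re
from collections import Counter

# Excerpt of the first report (two-line "File: / Virus: ... Status:" layout).
FIRST_SCAN = r"""
File: C:\WINDOWS\1400 x 1050 IBM Americas Map.bmp->ADS:xjfxu
Virus: Trojan:Win32/Agent.BQ Status: Infected

File: C:\WINDOWS\1400 x 1050 IBM Americas Map.bmp->ADS:qruqm
Virus: TrojanDownloader:Win32/WinShow.AK Status: Suspicious

File: C:\WINDOWS\cdsny.dll
Virus: TrojanDownloader:Win32/WinShow.AK Status: Suspicious

File: C:\WINDOWS\comsetup.log->ADS:hvanh
Virus: TrojanDownloader:Win32/Agent.Z Status: Infected

File: C:\WINDOWS\addsf32.exe
Virus: TrojanDownloader:Win32/Agent.CD Status: Infected
"""

# Excerpt of the second report (one-line "path - detection -> status" layout).
SECOND_SCAN = r"""
C:\WINDOWS\1400 x 1050 IBM Americas Map.bmp->ADS:qruqm - TrojanDownloader:Win32/WinShow.AK -> Suspicious
C:\WINDOWS\cdsny.dll - TrojanDownloader:Win32/WinShow.AK -> Suspicious
C:\WINDOWS\comsetup.log->ADS:hvanh - TrojanDownloader:Win32/Agent.Z -> Infected
C:\WINDOWS\d3sn.exe - TrojanDownloader:Win32/Agent.Z -> Infected
C:\WINDOWS\system32\dqtsw.dll - TrojanDownloader:Win32/WinShow.AK -> Suspicious
"""

# The path may contain spaces and "->" container markers, so each pattern
# anchors on the fixed separators of its layout instead of splitting on spaces.
TWO_LINE = re.compile(
    r"^\s*File:\s*(.+?)\s*\n\s*Virus:\s*(\S+)\s+Status:\s*(\w+)", re.MULTILINE
)
ONE_LINE = re.compile(
    r"^\s*([A-Za-z]:\\.+?) - (\S+) -> (\w+)\s*$", re.MULTILINE
)


def parse_report(text):
    """Return {lowercased path: (detection, status)} for either report layout."""
    findings = {}
    for pattern in (TWO_LINE, ONE_LINE):
        for match in pattern.finditer(text):
            path, detection, status = match.groups()
            # Windows paths are case-insensitive, so compare them lowercased.
            findings[path.strip().lower()] = (detection, status)
    return findings


def compare_scans(first_text, second_text):
    """Classify every reported object by whether it shows up in each scan."""
    first, second = parse_report(first_text), parse_report(second_text)
    return {
        # Reported in both scans: cleanup between them did not remove these.
        "persisted": sorted(first.keys() & second.keys()),
        # Reported earlier but absent from the later scan.
        "not_redetected": sorted(first.keys() - second.keys()),
        # Only in the later scan. This is relative to what the first report
        # listed, so a truncated first report inflates this bucket.
        "new": sorted(second.keys() - first.keys()),
    }


def stream_hosts(paths):
    """Count '->ADS:' entries per host file, using the report's own notation."""
    hosts = Counter()
    for path in paths:
        host, marker, _stream = path.partition("->ads:")
        if marker:
            hosts[host] += 1
    return hosts


if __name__ == "__main__":
    result = compare_scans(FIRST_SCAN, SECOND_SCAN)
    for bucket, paths in result.items():
        print(f"{bucket} ({len(paths)}):")
        for path in paths:
            print("   ", path)
    print("ADS host files still flagged:", dict(stream_hosts(result["persisted"])))
```
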
     
  12. 2004/12/05
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Here is it.
     
  13. 2004/12/05
    noesis

    noesis Inactive Thread Starter

    Joined:
    2004/12/03
    Messages:
    28
    Likes Received:
    0
    Hey guys,

    Can I simply delete all files in the Temporary Internet Files folder without any damage being done? There must be at least 1000 and I'm going to go blind trying to pick through them.

    What's funny is that RAV is saying that some files are infected but when I scan them with eTrust it says that they are not infected.

    Thanks again, guys.
     
  14. 2004/12/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Do NOT delete the entire folder. Open it, then the Content.IE5 folder, select all from the edit menu on the toolbar, then delete. You may have better luck doing that in safe mode.

    Did you run any of the other online scanners?
     
  15. 2004/12/06
    noesis

    noesis Inactive Thread Starter

    Joined:
    2004/12/03
    Messages:
    28
    Likes Received:
    0
    There are still some pop-ups, though not nearly as many. Here is a new Hijack This log.

    Noah,

    I had trouble running each of the four virus scanners that you posted a while back. I will try again today, though, and let you know how it went.


    Logfile of HijackThis v1.98.2
    Scan saved at 1:53:05 PM, on 12/6/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\tp4serv.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\WINDOWS\System32\RunDll32.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\WINDOWS\System32\tibs3.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Smartek\WordSmart\trayicon.exe
    C:\Program Files\iMesh\Client\iMeshClient.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\autodown.exe
    C:\Documents and Settings\Carl Rex Hubbard II\My Documents\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - (no file)
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe "
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p DOT4_001 -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
    O4 - HKLM\..\Run: [iegz32.exe] C:\WINDOWS\system32\iegz32.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WordSmart Tray Icon.lnk = C:\Program Files\Smartek\WordSmart\trayicon.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {40D61F04-59E4-4C8D-BF6E-697AB9C21F43} - http://www.instantchess.com/applet/chessbar.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102187486002
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
     
  16. 2004/12/06
    noahdfear

    If you can, run the Kaspersky scanner for sure.

    http://www.kaspersky.com/remoteviruschk.html

    Would you also do the following 2 things, please?

    1. Download this zip.

    http://tools.zerosrealm.com/pv.zip

    Unzip it to the desktop. It will not work if you run it from inside the zip. After unzipping, open the pv folder. Double click on the runme.bat. A DOS window will open. Select option 1 for explorer dlls by typing 1 and then pressing enter. Notepad will open with a log in it. Copy and paste the log into this thread. It is usually pretty large and takes more than one post. Please do option 2 for Internet Explorer dlls too.

    2. Please download GetService.zip
    Extract it to a new folder on the desktop. Open the folder and double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder. Copy and paste the contents in your next reply here.
     
  17. 2004/12/07
    noesis

    Module information for 'Explorer.EXE'
    MODULE BASE SIZE PATH
    Explorer.EXE 1000000 1011712 C:\WINDOWS\Explorer.EXE 6.00.2600.0000 (xpclient.010817-1148) Windows Explorer
    ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL
    kernel32.dll 77e60000 917504 C:\WINDOWS\system32\kernel32.dll 5.1.2600.153 (xpclnt_qfe.021108-2107) Windows NT BASE API Client DLL
    msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
    ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
    RPCRT4.dll 78000000 454656 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.135 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime
    GDI32.dll 77c70000 253952 C:\WINDOWS\system32\GDI32.dll 5.1.2600.151 (xpclnt_qfe.021108-2107) GDI Client DLL
    USER32.dll 77d40000 548864 C:\WINDOWS\system32\USER32.dll 5.1.2600.152 (xpclnt_qfe.021108-2107) Windows XP USER API Client DLL
    SHLWAPI.dll 772d0000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2750.167 (xpclnt_qfe.040728-2019) Shell Light-weight Utility Library
    SHELL32.dll 773d0000 8318976 C:\WINDOWS\system32\SHELL32.dll 6.00.2750.166 (xpclnt_qfe.040728-2019) Windows Shell Common Dll
    ole32.dll 771b0000 1126400 C:\WINDOWS\system32\ole32.dll 5.1.2600.136 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows
    OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2737.1600 Shell Browser UI Library
    SHDOCVW.dll 71700000 1343488 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2750.167 Shell Doc Object and Control Library
    UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
    LPK.DLL 629c0000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack
    USP10.dll 72fa0000 368640 C:\WINDOWS\System32\USP10.dll 1.0407.2600.0 (xpclient.010817-1148) Uniscribe Unicode script processor
    comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
    comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library
    appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library
    CLBCATQ.DLL 7c620000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
    COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
    VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
    cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI
    CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
    themeui.dll 5b630000 458752 C:\WINDOWS\System32\themeui.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Theme API
    Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
    MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.0 (xpclient.010817-1148) GDIEXT Client DLL
    netapi32.dll 71c20000 315392 C:\WINDOWS\System32\netapi32.dll 5.1.2600.122 (xpclnt_qfe.021108-2107) Net Win32 API DLL
    USERENV.dll 52880000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.23 (xpclnt_qfe.010827-1803) Userenv
    SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-1148) SAM Library DLL
    LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.165 (xpclnt_qfe.040728-2019) Windows Volume Tracking
    ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.0 (xpclient.010817-1148) Shell extensions for sharing
    ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
    SETUPAPI.dll 76670000 933888 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API
    msi.dll 76400000 2076672 C:\WINDOWS\System32\msi.dll 2.0.2600.0 Windows Installer
    NETSHELL.dll 75cf0000 1638400 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Shell
    credui.dll 76c00000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.0 (xpclient.010817-1148) Credential Manager User Interface
    WS2_32.dll 71ab0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
    iphlpapi.dll 76d60000 86016 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2 (xpclient.010817-1148) IP Helper API
    netman.dll 76de0000 155648 C:\WINDOWS\system32\netman.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Manager
    MPRAPI.dll 76d40000 90112 C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL
    ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
    adsldpc.dll 76e10000 147456 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.0 (xpclient.010817-1148) ADs LDAP Provider C DLL
    WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
    rtutils.dll 76e80000 53248 C:\WINDOWS\system32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
    RASAPI32.dll 76ee0000 225280 C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access API
    rasman.dll 76e90000 69632 C:\WINDOWS\system32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
    TAPI32.dll 76eb0000 172032 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows(TM) Telephony API Client DLL
    WINMM.dll 76b40000 180224 C:\WINDOWS\system32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
    WZCSvc.DLL 76da0000 196608 C:\WINDOWS\system32\WZCSvc.DLL 5.1.2600.0 (xpclient.010817-1148) Wireless Zero Configuration Service
    WMI.dll 76d30000 16384 C:\WINDOWS\system32\WMI.dll 5.1.2600.0 (XPClient.010817-1148) WMI DC and DP functionality
    DHCPCSVC.DLL 76d80000 106496 C:\WINDOWS\system32\DHCPCSVC.DLL 5.1.2600.0 (xpclient.010817-1148) DHCP Client Service
    DNSAPI.dll 76f20000 151552 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
    CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
    MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.137 (xpclnt_qfe.021108-2107) ASN.1 Runtime APIs
    WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Terminal Server SDK APIs
    WINSTA.dll 76360000 61440 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.0 (xpclient.010817-1148) Winstation Library
    pwrmonit.dll 10000000 81920 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll 1, 0, 0, 0 IBM ThinkPad Battery MaxiMiser Gauge
    MFC42.DLL 73dd0000 991232 C:\WINDOWS\System32\MFC42.DLL 6.00.8665.0 MFCDLL Shared Library - Retail Version
    webcheck.dll 74b30000 266240 C:\WINDOWS\System32\webcheck.dll 6.00.2600.0000 (xpclient.010817-1148) Web Site Monitor
    stobject.dll 74b00000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.0 (xpclient.010817-1148) Systray shell service object
    BatMeter.dll 74af0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
    POWRPROF.dll 74ad0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
    IPHk2KS2.DLL 58000000 126976 C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPHk2KS2.DLL 5.8.0.13 Windows 2000 SP2 System Hook DLL
    wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
    msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
    MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
    midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
    printui.dll 74b80000 532480 C:\WINDOWS\System32\printui.dll 5.1.2600.0 (XPClient.010817-1148) Print UI DLL
    WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver
    CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
    MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
    WININET.dll 63000000 610304 C:\WINDOWS\system32\WININET.dll 6.00.2737.800 Internet Extensions for Win32
    drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
    ntlanman.dll 71c10000 49152 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.165 (xpclnt_qfe.040728-2019) Microsoft® Lan Manager
    NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
    davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
    SXS.DLL 75e90000 663552 C:\WINDOWS\System32\SXS.DLL 5.1.2600.136 (xpclnt_qfe.021108-2107) Fusion 2.5
    browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
    srchui.dll 5c080000 798720 c:\windows\srchasst\srchui.dll 1.00 Search Assistant UI
    OLEACC.dll 74c80000 180224 C:\WINDOWS\System32\OLEACC.dll 4.2.5406.0 (xpclient.010817-1148) Active Accessibility Core Component
    MSVCP60.dll 76080000 397312 C:\WINDOWS\System32\MSVCP60.dll 6.00.8972.0 Microsoft (R) C++ Runtime Library
    srchctls.dll 5c150000 110592 c:\windows\srchasst\srchctls.dll 1.00 Search Assistant Controls
    comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) Common Dialogs DLL
    sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.0 (XPClient.010817-1148) SENS Connectivity API DLL
    jscript.dll 75c50000 593920 C:\WINDOWS\System32\jscript.dll 5.6.0.6626 Microsoft (r) JScript
    urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2745.2300 OLE32 Extensions for Win32
    wsock32.dll 71ad0000 32768 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
    mswsock.dll 71a50000 241664 C:\WINDOWS\System32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
    DUSER.dll 6c1b0000 274432 C:\WINDOWS\System32\DUSER.dll 5.1.2600.0 (xpclient.010817-1148) Windows DirectUser Engine
    winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
    rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
    VetRedir.dll 3440000 57344 C:\WINDOWS\System32\VetRedir.dll Version 10.63.0.1 ISafe LSP
    ISafeIf.dll 3560000 86016 C:\WINDOWS\System32\ISafeIf.dll Version 10.63.0.1 ISafe Interface DLL
    wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
    msadp32.acm 72cf0000 24576 C:\WINDOWS\System32\msadp32.acm 5.1.2600.0 (xpclient.010817-1148) Microsoft ADPCM CODEC for MSACM
    shdoclc.dll 3700000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library
    MSGINA.dll 75970000 987136 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.128 (xpclnt_qfe.021108-2107) Windows NT Logon GINA DLL
    ODBC32.dll 1f7b0000 200704 C:\WINDOWS\System32\ODBC32.dll 3.520.7713.0 Microsoft Data Access - ODBC Driver Manager
    odbcint.dll 1f850000 90112 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
    cabview.dll 6fd40000 90112 C:\WINDOWS\System32\cabview.dll 6.00.2600.0000 (xpclient.010817-1148) Cabinet File Viewer Shell Extension
    CABINET.dll 75150000 77824 C:\WINDOWS\System32\CABINET.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Cabinet File API
    msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
    WMVCore.DLL 8530000 2084864 C:\WINDOWS\System32\WMVCore.DLL 9.00.00.2980 built by: lab03_dev(bld4act) Windows Media Playback/Authoring DLL
    WMASF.DLL 7260000 233472 C:\WINDOWS\System32\WMASF.DLL 9.00.00.2980 built by: lab03_dev(bld4act) Windows Media ASF DLL
    wmpshell.dll 83f0000 98304 C:\WINDOWS\System32\wmpshell.dll 9.00.00.2980 Windows Media Player Launcher
    shmedia.dll 5cad0000 139264 C:\WINDOWS\System32\shmedia.dll 6.00.2600.101 (xpclnt_qfe.020823-2005) Media File Property Extractor Shell Extension
    MSVFW32.dll 73bd0000 126976 C:\WINDOWS\System32\MSVFW32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Video for Windows DLL
    AVIFIL32.dll 73b50000 86016 C:\WINDOWS\System32\AVIFIL32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft AVI File support library
    mlang.dll 74770000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
    actxprxy.dll 71d40000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library
    zipfldr.dll 73380000 335872 C:\WINDOWS\System32\zipfldr.dll 6.00.2750.167 (xpclnt_qfe.040728-2019) Compressed (zipped) Folders
    WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
    IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper
    rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider
    asfsipc.dll 70eb0000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
    MSISIP.DLL 605f0000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
    wshext.dll 74ea0000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft (r) Shell Extension for Windows Script Host
    MCPS.DLL 365a0000 86016 C:\PROGRA~1\MICROS~2\Office10\MCPS.DLL 10.0.2625 Media Catalog Proxy/Stub
     
  18. 2004/12/07
    noesis

    PsService v1.1 - local and remote services viewer/controller
    Copyright (C) 2001-2003 Mark Russinovich
    Sysinternals - www.sysinternals.com

    SERVICE_NAME: Alerter
    Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Alerter
    DEPENDENCIES : LanmanWorkstation
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: ALG
    Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Application Layer Gateway Service
    DEPENDENCIES :
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: AppMgmt
    Provides software installation services such as Assign, Publish, and Remove.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Application Management
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Ati HotKey Poller
    (null)
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\Ati2evxx.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Ati HotKey Poller
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: AudioSrv
    Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : AudioGroup
    TAG : 0
    DISPLAY_NAME : Windows Audio
    DEPENDENCIES : PlugPlay
    : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: BITS
    Uses idle network bandwidth to transfer data.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Background Intelligent Transfer Service
    DEPENDENCIES : Rpcss
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Browser
    Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Computer Browser
    DEPENDENCIES : LanmanWorkstation
    : LanmanServer
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: CAISafe
    (null)
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : CA ISafe
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: cisvc
    Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\cisvc.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Indexing Service
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ClipSrv
    Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : ClipBook
    DEPENDENCIES : NetDDE
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: COMSysApp
    Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : COM+ System Application
    DEPENDENCIES : rpcss
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 30 seconds
    FAILURE_ACTIONS : Restart DELAY: 1000 seconds
    : Restart DELAY: 5000 seconds
    : None DELAY: 1000 seconds

    SERVICE_NAME: CryptSvc
    Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Cryptographic Services
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Dhcp
    Manages network configuration by registering and updating IP addresses and DNS names.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : TDI
    TAG : 0
    DISPLAY_NAME : DHCP Client
    DEPENDENCIES : Tcpip
    : Afd
    : NetBT
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: dmadmin
    Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Logical Disk Manager Administrative Service
    DEPENDENCIES : RpcSs
    : PlugPlay
    : DmServer
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: dmserver
    Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Logical Disk Manager
    DEPENDENCIES : RpcSs
    : PlugPlay
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Dnscache
    Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k NetworkService
    LOAD_ORDER_GROUP : TDI
    TAG : 0
    DISPLAY_NAME : DNS Client
    DEPENDENCIES : Tcpip
    SERVICE_START_NAME: NT AUTHORITY\NetworkService

    SERVICE_NAME: ERSvc
    Allows error reporting for services and applictions running in non-standard environments.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Error Reporting Service
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Eventlog
    Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
    LOAD_ORDER_GROUP : Event log
    TAG : 0
    DISPLAY_NAME : Event Log
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: EventSystem
    Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : Network
    TAG : 0
    DISPLAY_NAME : COM+ Event System
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: FastUserSwitchingCompatibility
    Provides management for applications that require assistance in a multiple user environment.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Fast User Switching Compatibility
    DEPENDENCIES : TermService
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: helpsvc
    Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Help and Support
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS : Restart DELAY: 100 seconds
    : Restart DELAY: 100 seconds
    : None DELAY: 100 seconds

    SERVICE_NAME: HidServ
    Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 4 DISABLED
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Human Interface Device Access
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: IBMPMSVC
    (null)
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\ibmpmsvc.exe
    LOAD_ORDER_GROUP : Pointer Port
    TAG : 0
    DISPLAY_NAME : IBM PM Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ImapiService
    Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\imapi.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : IMAPI CD-Burning COM Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Irmon
    Supports infrared devices installed on the computer and detects other devices that are in range.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : TDI
    TAG : 0
    DISPLAY_NAME : Infrared Monitor
    DEPENDENCIES : irda
    : RpcSs
    : TermService
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: lanmanserver
    Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Server
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: lanmanworkstation
    Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : NetworkProvider
    TAG : 0
    DISPLAY_NAME : Workstation
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: LmHosts
    Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP : TDI
    TAG : 0
    DISPLAY_NAME : TCP/IP NetBIOS Helper
    DEPENDENCIES : NetBT
    : Afd
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: Messenger
    Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Messenger
    DEPENDENCIES : LanmanWorkstation
    : NetBIOS
    : PlugPlay
    : RpcSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: mnmsrvc
    Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\mnmsrvc.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : NetMeeting Remote Desktop Sharing
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: MSDTC
    Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\msdtc.exe
    LOAD_ORDER_GROUP : MS Transactions
    TAG : 0
    DISPLAY_NAME : Distributed Transaction Coordinator
    DEPENDENCIES : RPCSS
    : SamSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: MSIServer
    Installs, repairs and removes software according to instructions contained in .MSI files.
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\msiexec.exe /V
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Windows Installer
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: NetDDE
    Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
    LOAD_ORDER_GROUP : NetDDEGroup
    TAG : 0
    DISPLAY_NAME : Network DDE
    DEPENDENCIES : NetDDEDSDM
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: NetDDEdsdm
    Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Network DDE DSDM
    DEPENDENCIES :
    : EGrLocalSystem
    : Network DDE DSDM
    : etwork DDE
    : ributed Transaction Coordinator
    : r
    : ative Service
    : ion
    : ttings\Cj
    : 
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Netlogon
    Supports pass-through authentication of account logon events for computers in a domain.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
    LOAD_ORDER_GROUP : RemoteValidation
    TAG : 0
    DISPLAY_NAME : Net Logon
    DEPENDENCIES : LanmanWorkstation
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Netman
    Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Network Connections
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Nla
    Collects and stores network configuration and location information, and notifies applications when this information changes.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Network Location Awareness (NLA)
    DEPENDENCIES : Tcpip
    : Afd
    SERVICE_START_NAME: LocalSystem
     
  19. 2004/12/07
    noesis

    SERVICE_NAME: NtLmSsp
    Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : NT LM Security Support Provider
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: NtmsSvc
    (null)
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Removable Storage
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: PlugPlay
    Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
    LOAD_ORDER_GROUP : PlugPlay
    TAG : 0
    DISPLAY_NAME : Plug and Play
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: PolicyAgent
    Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : IPSEC Services
    DEPENDENCIES : RPCSS
    : Tcpip
    : IPSec
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ProtectedStorage
    Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Protected Storage
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: QCONSVC
    (null)
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : System32\QCONSVC.EXE
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : QCONSVC
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: RasAuto
    Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Remote Access Auto Connection Manager
    DEPENDENCIES : RasMan
    : Tapisrv
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: RasMan
    Creates a network connection.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Remote Access Connection Manager
    DEPENDENCIES : Tapisrv
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: RDSessMgr
    Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Remote Desktop Help Session Manager
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: RemoteAccess
    Offers routing services to businesses in local area and wide area network environments.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 4 DISABLED
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Routing and Remote Access
    DEPENDENCIES : RpcSS
    : +NetBIOSGroup
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: RemoteRegistry
    Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Remote Registry
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: NT AUTHORITY\LocalService
    FAIL_RESET_PERIOD : 0 seconds
    FAILURE_ACTIONS : Restart DELAY: 1000 seconds

    SERVICE_NAME: RpcLocator
    Manages the RPC name service database.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\locator.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Remote Procedure Call (RPC) Locator
    DEPENDENCIES : LanmanWorkstation
    SERVICE_START_NAME: NT AUTHORITY\NetworkService

    SERVICE_NAME: RpcSs
    Provides the endpoint mapper and other miscellaneous RPC services.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
    LOAD_ORDER_GROUP : COM Infrastructure
    TAG : 0
    DISPLAY_NAME : Remote Procedure Call (RPC)
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 0 seconds
    FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

    SERVICE_NAME: RSVP
    Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\rsvp.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : QoS RSVP
    DEPENDENCIES : TcpIp
    : Afd
    : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SamSs
    Stores security information for local user accounts.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
    LOAD_ORDER_GROUP : LocalValidation
    TAG : 0
    DISPLAY_NAME : Security Accounts Manager
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SCardDrv
    Enables support for legacy non-plug and play smart-card readers used by this computer. If this service is stopped, this computer will not support legacy reader. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Smart Card Helper
    DEPENDENCIES : +Smart Card Reader
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: SCardSvr
    Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Smart Card
    DEPENDENCIES : PlugPlay
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: Schedule
    Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : SchedulerGroup
    TAG : 0
    DISPLAY_NAME : Task Scheduler
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: seclogon
    Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Secondary Logon
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SENS
    Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : Network
    TAG : 0
    DISPLAY_NAME : System Event Notification
    DEPENDENCIES : EventSystem
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SharedAccess
    Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
    DEPENDENCIES : Netman
    : NLA
    : RasMan
    : ALG
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ShellHWDetection
    (null)
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : ShellSvcGroup
    TAG : 0
    DISPLAY_NAME : Shell Hardware Detection
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Spooler
    Loads files to memory for later printing.
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
    LOAD_ORDER_GROUP : SpoolerGroup
    TAG : 0
    DISPLAY_NAME : Print Spooler
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS : Restart DELAY: 60000 seconds
    : Restart DELAY: 60000 seconds
    : None DELAY: 0 seconds

    SERVICE_NAME: srservice
    Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : System Restore Service
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SSDPSRV
    Enables discovery of UPnP devices on your home network.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : SSDP Discovery Service
    DEPENDENCIES :
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: stisvc
    Provides image acquisition services for scanners and cameras.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k imgsvc
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Windows Image Acquisition (WIA)
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: STOPzilla Local Service
    (null)
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\Program Files\STOPzilla!\szntsvc.exe /service "STOPzilla Local Service "
    LOAD_ORDER_GROUP : PNP_TDI
    TAG : 9
    DISPLAY_NAME : STOPzilla Local Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SwPrv
    Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{B2F60546-610B-4EDC-B8CC-55F9B7289516}
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : MS Software Shadow Copy Provider
    DEPENDENCIES : rpcss
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: SysmonLog
    Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Performance Logs and Alerts
    DEPENDENCIES :
    SERVICE_START_NAME: NT Authority\NetworkService

    SERVICE_NAME: TapiSrv
    Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Telephony
    DEPENDENCIES : PlugPlay
    : RpcSs
    SERVICE_START_NAME: LocalSystem
     
  20. 2004/12/07
    noesis

    SERVICE_NAME: TermService
    Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Terminal Services
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Themes
    Provides user experience theme management.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : UIGroup
    TAG : 0
    DISPLAY_NAME : Themes
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS : Restart DELAY: 60000 seconds
    : Restart DELAY: 60000 seconds
    : None DELAY: 0 seconds

    SERVICE_NAME: TlntSvr
    Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\tlntsvr.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Telnet
    DEPENDENCIES : RPCSS
    : TCPIP
    : NTLMSSP
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: TrkWks
    Maintains links between NTFS files within a computer or across computers in a network domain.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Distributed Link Tracking Client
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: uploadmgr
    Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Upload Manager
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS : Restart DELAY: 100 seconds
    : Restart DELAY: 100 seconds
    : None DELAY: 100 seconds

    SERVICE_NAME: upnphost
    Provides support to host Universal Plug and Play devices.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Universal Plug and Play Device Host
    DEPENDENCIES : SSDPSRV
    SERVICE_START_NAME: NT AUTHORITY\LocalService
    FAIL_RESET_PERIOD : -1 seconds
    FAILURE_ACTIONS : Restart DELAY: 0 seconds

    SERVICE_NAME: UPS
    Manages an uninterruptible power supply (UPS) connected to the computer.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Uninterruptible Power Supply
    DEPENDENCIES :
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: VETMSGNT
    (null)
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : VET Message Service
    DEPENDENCIES : CAISafe
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: vsmon
    Monitors internet traffic and generates alerts for disallowed access.
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
    LOAD_ORDER_GROUP : TrueVector Group
    TAG : 0
    DISPLAY_NAME : TrueVector Internet Monitor
    DEPENDENCIES : Afd
    : RpcSs
    : vsdatant
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: VSS
    Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Volume Shadow Copy
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: W32Time
    Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.


    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Windows Time
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: WebClient
    Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
    LOAD_ORDER_GROUP : NetworkProvider
    TAG : 0
    DISPLAY_NAME : WebClient
    DEPENDENCIES : MRxDAV
    SERVICE_START_NAME: NT AUTHORITY\LocalService

    SERVICE_NAME: winmgmt
    Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Windows Management Instrumentation
    DEPENDENCIES : RPCSS
    : Eventlog
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS : Restart DELAY: 60000 seconds
    : Restart DELAY: 60000 seconds

    SERVICE_NAME: WmdmPmSN
    Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Portable Media Serial Number Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: Wmi
    Provides systems management information to and from drivers.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Windows Management Instrumentation Driver Extensions
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: WmiApSrv
    Provides performance library information from WMI HiPerf providers.
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\wbem\wmiapsrv.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : WMI Performance Adapter
    DEPENDENCIES : RPCSS
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: wuauserv
    Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Automatic Updates
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: WZCSVC
    Provides automatic configuration for the 802.11 adapters
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP : TDI
    TAG : 0
    DISPLAY_NAME : Wireless Zero Configuration
    DEPENDENCIES : RpcSs
    : Ndisuio
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: ZESOFT
    ZESoft Driver
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\zeta.exe
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : ZESOFT
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    SERVICE_NAME: %AFÃ¥¤¶Ã€¨
    (null)
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\system32\sdkxp.exe /s
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Workstation NetLogon Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem
     
  21. 2004/12/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download AboutBuster from one of the following locations.

    http://tools.zerosrealm.com/AboutBuster.zip

    http://www.downloads.subratam.org/AboutBuster.zip

    First unzip all files from the zip folder to a folder on your desktop. Open and double click AboutBuster.exe, click OK, then update. A new screen should pop up. On that screen click Check for Updates. If it says it found an update click Download Updates. If it doesn't, it will automatically tell you and exit. Close for now.

    Click here to download cwsserviceremove.zip, unzip it to your desktop and have it ready to run later.

    Check for updates to Ad-aware.

    Click start then run and type services.msc, then hit enter. Locate Workstation Netlogon Service, right click and choose properties. Stop the service, then set to disabled. Click Apply then OK. Close the services window.

    Make sure system restore is off.

    Reboot to safe mode.

    Double click the cwsserviceremove.reg file you unzipped earlier. Click yes to merge it to the registry.

    Scan again with HijackThis and place a check next to the following entries. Close all other windows and click fix.

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - (no file)
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
    O4 - HKLM\..\Run: [iegz32.exe] C:\WINDOWS\system32\iegz32.exe

    Make sure hidden files are set to show.

    Open C:\Windows\System32 and delete the files tibs3.exe, iegz32.exe and sdkxp.exe.

    Again, do the following. Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open C:\Windows\Prefetch, select all and delete.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.

    Open AboutBuster, click start then OK. Exit when finished.

    Open CWShredder and click fix.

    Open Ad-aware and run in full scan mode. Delete all it finds.

    Reboot back to Windows and run Housecall. Make sure the box to autoclean is checked.

    If you still haven't done so, go to Windows Update and install all available critical updates. You may need to go back several times.

    Do another RAV scan and post the results, as well as a new HJT log.
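
A small triage pass over the service listing format posted above, as an added example that is not part of the original thread: it parses the records and flags the traits that set the `sdkxp.exe` entry apart from a normal one. The function names, the four heuristics and the `SHARED_HOSTS` set are assumptions made for this illustration.

```python
import re

SAMPLE = r"""
SERVICE_NAME: wuauserv
Enables the download and installation of Windows updates.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

SERVICE_NAME: %AFÃ¥¤¶Ã€¨
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\sdkxp.exe /s
DISPLAY_NAME : Workstation NetLogon Service
"""  # two records copied from the listing in this thread, trimmed to the fields used
SHARED_HOSTS = {"svchost.exe", "lsass.exe", "services.exe"}  # assumption: usual XP hosts

def parse(text):
    """Split the dump on SERVICE_NAME and yield one dict per service."""
    for chunk in re.split(r"(?m)^\s*SERVICE_NAME:", text)[1:]:
        lines = [l.strip() for l in chunk.strip().splitlines()]
        rec = {"SERVICE_NAME": lines[0], "DESCRIPTION": lines[1] if len(lines) > 1 else ""}
        for line in lines[2:]:
            key, sep, value = line.partition(":")
            if sep and key.strip():  # skips continuation lines such as ": Ndisuio"
                rec[key.strip()] = value.strip()
        yield rec

def flags(rec):
    """Triage hints for one record: leads to verify, not verdicts."""
    out = []
    exe = rec.get("BINARY_PATH_NAME", "").split("\\")[-1].split(" ")[0].strip('"').lower()
    if not re.fullmatch(r"[A-Za-z0-9_. -]+", rec["SERVICE_NAME"]):
        out.append("service name has unusual characters")
    if rec["DESCRIPTION"] == "(null)":
        out.append("no description")
    if "SHARE_PROCESS" in rec.get("TYPE", "") and exe not in SHARED_HOSTS:
        out.append("shared-process type outside a known host")
    if "AUTO_START" in rec.get("START_TYPE", "") and "IGNORE" in rec.get("ERROR_CONTROL", ""):
        out.append("auto-start with errors ignored")
    return out

if __name__ == "__main__":
    for r in parse(SAMPLE):
        print(r.get("DISPLAY_NAME", r["SERVICE_NAME"]), flags(r))
```

A flagged record still needs a manual check of the binary before anything is disabled or deleted, since legitimate third-party services can trip any one of these hints.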
     