Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


WIN32 P2P WORM.ALCAN.a



Post by pekingzibaduck » February 11th, 2006, 5:03 pm

Hi. Can you help please.

Last week you helped me get rid of the Alcan.a worm.
Ad-Aware has just shown that it has returned. (I have run it every day and it has been clear until today.)

I have tried getting rid of it following last week's instructions but to no avail.
The 2 files that I removed last week are not showing on the HijackThis log. Can you help?

Is this worm programmed to return after a period of time or have I just been hit afresh?

Here's my log

Logfile of HijackThis v1.99.1
Scan saved at 20:53:38, on 11/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Browser mouse\1.3\mouse32a.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\outlook\outlook.exe
C:\Program Files\Multimedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Paul Darby\Desktop\Malware Removal.com Tools\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Program Files\Browser mouse\1.3\mouse32a.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylo ... loader.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
pekingzibaduck
Active Member
Posts: 13
Joined: February 5th, 2006, 9:52 am

Post by Die Hard » February 11th, 2006, 11:48 pm

pekingzibaduck, hi :)

Open your Task Manager and end this process:
winlog.exe

then...

Close all open browser windows, run HijackThis and checkmark the following entries, then click on "Fix checked" and click "Yes" on the prompt that follows:
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe


Reboot into safe mode (press the F8 key repeatedly on bootup) and delete the following file:
C:\WINDOWS\system32\winlog.exe

In order to find it, press Windows key+E and in the toolbar click "Tools > Folder options"; under the "View" tab checkmark "Show hidden files and folders" and uncheck "Hide protected system files" and "Hide file extensions for known file types".

then...

Reboot normally and go to either, or both, of these sites and run an online virus scan:
Panda ActiveScan http://www.pandasoftware.com/activescan/

Trend Micro HouseCall http://housecall.trendmicro.com/

Post back with a new HijackThis log

regards

Die Hard :)
Die Hard
MRU Emeritus
Posts: 10
Joined: August 31st, 2005, 6:22 pm
Location: Sweden
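The two O4 entries Die Hard singles out stand out for reasons that can be checked mechanically rather than by eye: the command is a bare file name with no path (so Windows resolves it through the search path and the file is sitting in a Windows folder), and one copy lives in the RunServices key, which only Windows 9x/ME processes and which installers on XP do not write. The script below is an added example, not part of the thread and not a feature of HijackThis: it parses O4 lines in HijackThis 1.99 format and flags those patterns, plus a third one that the later posts expose (a binary named after a well-known product living outside that product's install directory). The sample lines are copied from the log posted above; the EXPECTED_HOME table is an assumption for illustration, not a vendor inventory. A bare-name hit is a prompt to go and look, not a verdict: the NVIDIA entry nwiz.exe in the same log trips it and is benign.

```python
"""Triage of HijackThis O4 autorun lines (added example, not HijackThis code)."""
import ntpath
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    line: str
    reason: str


# "O4 - HKLM\..\Run: [name] command" exactly as HijackThis 1.99 prints it.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Unquoted commands may contain spaces in the path; stop at the first
# executable-looking extension rather than at the first space.
UNQUOTED_IMAGE = re.compile(
    r"(?P<image>.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:\s+(?P<rest>.*))?$", re.I
)
# Hosts whose real payload is their first argument, not the host itself.
DLL_HOSTS = {"rundll32.exe"}
# Where a binary of this name is expected to live (lower-case path prefix).
# Assumption for the example: populate it from your own software inventory.
EXPECTED_HOME = {"outlook.exe": r"c:\program files\microsoft office"}


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (image, arguments) for a Run-key command, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = UNQUOTED_IMAGE.match(cmd)
    if m:
        return m["image"], m["rest"] or ""
    head, _, rest = cmd.partition(" ")
    return head, rest.strip()


def launched_image(cmd: str) -> str:
    """The file an autorun command really starts (the DLL for rundll32)."""
    image, rest = split_command(cmd)
    if ntpath.basename(image).lower() in DLL_HOSTS and rest:
        # rundll32 <path\x.dll>,<Entry> -> the DLL is what matters
        image = rest.split(",", 1)[0].strip().strip('"')
    return image


def triage_o4(lines: List[str]) -> List[Finding]:
    """Flag autorun entries that deserve a second look."""
    findings: List[Finding] = []
    for raw in lines:
        m = O4_RE.match(raw.strip())
        if not m:                       # Global Startup and other O4 forms
            continue
        image = launched_image(m["cmd"])
        low = image.lower()
        if m["key"] == "RunServices":
            findings.append(Finding(raw, "RunServices is a Windows 9x/ME key that XP "
                                         "does not process; installers do not write it, worms do"))
        if "\\" not in image:
            findings.append(Finding(raw, f"bare name {image!r} is resolved via the search "
                                         "path, so the file sits in a Windows folder; find which"))
        home = EXPECTED_HOME.get(ntpath.basename(low))
        if home and not low.startswith(home):
            findings.append(Finding(raw, f"{ntpath.basename(image)} is expected under "
                                         f"{home}, not {ntpath.dirname(image)}"))
    return findings


# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto",
    r"O4 - HKLM\..\Run: [winlog] winlog.exe",
    r"O4 - HKLM\..\RunServices: [winlog] winlog.exe",
    r'O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE",
]

if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print(f"{f.line}\n    -> {f.reason}")
```

Run against the posted log it reports nwiz.exe and both winlog.exe entries as bare names, the RunServices copy of winlog.exe a second time, and the outlook.exe entry as living under C:\Program Files\outlook instead of the Office directory; the NVIDIA rundll32 line, the quoted CA and Messenger paths and the Global Startup shortcut pass.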

Post by pekingzibaduck » February 12th, 2006, 10:59 am

Hi, thanks for your reply.
I am unable to run Task Manager.
I have done everything else you recommended but when I reboot the files return.

Here is my log

Logfile of HijackThis v1.99.1
Scan saved at 14:57:01, on 12/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Browser mouse\1.3\mouse32a.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Multimedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\outlook\outlook.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\winlog.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Paul Darby\Desktop\Malware Removal.com Tools\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Program Files\Browser mouse\1.3\mouse32a.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylo ... loader.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Post by pekingzibaduck » February 12th, 2006, 12:18 pm

I tried running msconfig and got into the start menu. winlog.exe was showing. I unticked it and followed the procedures again but on reboot the files returned and the log is the same as the previous one.

Post by Die Hard » February 12th, 2006, 5:42 pm

pekingzibaduck, :)

The removal of that bugger shouldn't be that hard; maybe it has changed characteristics. Besides, it looks like it has tampered with your Task Manager.

Could you please navigate to the file and copy it to a separate folder, then zip it and e-mail it to "diehardATmalware-research.co.uk", replacing "AT" with @.
Also look in the system32 folder for winlog.dll. Don't be worried if you don't find a file with that name.

Also try this:
Since your Task Manager is out of order, please go here and download Process Explorer: http://www.sysinternals.com/Utilities/P ... lorer.html
Use the link at the bottom of the page for your OS.

Just run procexp.exe and in the upper window locate "winlog.exe" and click on it to highlight it. Then right-click and choose "Kill Process".
Then see if it's possible to use HijackThis to remove it from the registry and delete the file from the Windows folder.

You could also, in Process Explorer, click "Options" and choose "Replace Task Manager". This utility will now open instead of Task Manager.
Once you would like to change it back, just untick this option.

regards

Die Hard :)

Post by pekingzibaduck » February 12th, 2006, 7:15 pm

Hi again
Thanks for your suggestions.
Ran ProcXP and killed the process. Removed the 2 files in HijackThis.
Ran Ad-Aware and removed the Alcan.a files that it showed. Ran Ad-Aware again - all clear.
Rebooted - files are back again!!!!

I'm not sure which file you want me to email to you.
And I've never zipped a file before - any hints?

Sorry I'm being such a nuisance.

Here is the log from ProcXP.
It highlighted
1828 - Outlook.exe and 432 - winlog.exe in purple but I don't know what that means.


PID | CPU | Description | Company Name
0 | 100.00 | |
n/a | | Hardware Interrupts |
n/a | | Deferred Procedure Calls |
4 | | |
504 | | Windows NT Session Manager | Microsoft Corporation
556 | | Client Server Runtime Process | Microsoft Corporation
632 | | Windows NT Logon Application | Microsoft Corporation
676 | | Services and Controller app | Microsoft Corporation
844 | | Generic Host Process for Win32 Services | Microsoft Corporation
912 | | Generic Host Process for Win32 Services | Microsoft Corporation
1004 | | Generic Host Process for Win32 Services | Microsoft Corporation
1080 | | Generic Host Process for Win32 Services | Microsoft Corporation
1200 | | Generic Host Process for Win32 Services | Microsoft Corporation
1428 | | Spooler SubSystem App | Microsoft Corporation
1744 | | CA ISafe Service | Computer Associates International, Inc.
1860 | | User-Level Modem Service |
1912 | | Generic Host Process for Win32 Services | Microsoft Corporation
184 | | CA Antivirus Realtime Messaging Service | Computer Associates International, Inc.
248 | | TrueVector Service | Zone Labs Inc.
2176 | | Application Layer Gateway Service | Microsoft Corporation
688 | | LSA Shell (Export Version) | Microsoft Corporation
1348 | | Windows Explorer | Microsoft Corporation
1628 | | |
1676 | | CA Antivirus System Tray Application | Computer Associates International, Inc.
1700 | | CA Antivirus Realtime Infection Report | Computer Associates International, Inc.
1728 | | eTrust EZ Security Products | Computer Associates
1748 | | RealNetworks Scheduler | RealNetworks, Inc.
1816 | | Run a DLL as an App | Microsoft Corporation
1828 | | Setup.exe | InstallShield Software Corporation
1852 | | Adobe Photoshop Album Starter Edition 3.0 component | Adobe Systems Incorporated
3108 | | Internet Explorer | Microsoft Corporation
1140 | | |
1696 | | Multi-Media Keyboard Application |
232 | | Run a DLL as an App | Microsoft Corporation
432 | | |



Logfile of HijackThis v1.99.1
Scan saved at 22:54:30, on 12/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Browser mouse\1.3\mouse32a.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Multimedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\outlook\outlook.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\winlog.exe
C:\Documents and Settings\Paul Darby\Desktop\Malware Removal.com Tools\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Program Files\Browser mouse\1.3\mouse32a.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylo ... loader.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Post by pekingzibaduck » February 12th, 2006, 7:16 pm

Oh, by the way, I've got a 64-bit processor; does that make any difference to Task Manager?

Post by Die Hard » February 12th, 2006, 8:24 pm

pekingzibaduck :)
pekingzibaduck wrote: I've got a 64-bit processor; does that make any difference to Task Manager?

Using a 64-bit processor shouldn't have any significance.

pekingzibaduck wrote: And I've never zipped a file before - any hints?

If you right-click on the file you might find an option in the context menu saying "Add to zip archive". A compressed file will be created in the same folder with the file extension ".zip".
If you are having trouble with that, please go here and download a standalone tool, WinRAR. Having a zip program installed is as useful to have on the system as cutlery is at the dinner table. :)
http://www.rarlab.com/download.htm
It's an eternal trial version. After a month you will have a window prompting you to "Buy" or "Use evaluation copy"; you will have to click the latter to close the window.

The file I'm interested in is winlog.exe
Also the file C:\Program Files\outlook\outlook.exe
Just copy that one for the time being and zip it as well and submit it.

I should have said this before, but I thought this would be an easy fix:
Please move your HijackThis to a permanent folder, or the backups it generates will be in danger of being deleted. It could be something like "C:\HiJackThis".

Please print these instructions, or copy them to a Notepad sheet on your desktop, since we are going to work without an internet connection in safe mode.

1. Please go here and download "GetService":
http://www.bleepingcomputer.com/files/getservices.php
User info is supplied there.
Save the log generated by the tool.

2. Go here and download datFind.bat; it will list files in your system folders by date:
http://virus-protect.net/bat/datFind.bat
Open datFind.bat and the first log will be created. Minimise it to the taskbar and press any key to create the next one until all four logs are produced. (They are by default stored directly under "C:\" as .txt files.)

Copy the files from the last 2 months (or from the date when the problem started) from the top of each log and post them in your next reply.

3. Please go here and download Ewido Security Suite:
http://www.ewido.net/en/download/

A quick guide is found here:
http://www.greyknight17.com/spy/Tutoria ... kGuide.pdf

- Install Ewido Security Suite.
- Launch Ewido; there should be an icon on your desktop, double-click it.
- The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
- On the left hand side of the main screen click Update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido:
Ewido manual updates

Once the updates are installed, close the program for now.

4. Go here and download "EmptyTempFolders": http://www.danish-shareware.dk/soft/emptemp/
Install the program, click "Options" and select "Predefined folders".
Checkmark:
C:\Documents and Settings\your account\Local Settings\Temp\
C:\Documents and Settings\all other accounts\Local Settings\Temp\
C:\Documents and Settings\your account\Local Settings\Temporary Internet Files
C:\Documents and Settings\all other accounts\Local Settings\Temporary Internet Files
C:\Windows\Temp
Do not run the program yet.

5. Open Process Explorer and kill winlog.exe.

6. Run HijackThis, checkmark and "fix" these entries, then click Yes on the prompt:
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe


7. Reboot into safe mode.

8. Navigate to this file and remove it:
C:\WINDOWS\system32\winlog.exe

while still in safe mode.....

9. Run the EmptyTemp program. Click the blue lightning to delete the contents of the preset folders.

10. Run the Ewido scanner; a yellow "e" is on your desktop.

- Click on Scanner.
- Click on Complete System Scan and the scan will begin.

On the first alert, a window will open prompting you to take action. Checkmark "Remove" and "Perform action on all detections".
- Once the scan has completed, there will be a button located at the bottom of the screen named Save report.
- Click Save report.
- Save the report .txt file to your desktop.
Now close Ewido Security Suite.

11. Reboot normally.

12. Post a new HijackThis log together with the logs from datFind, Ewido and GetService.

regards

Die Hard :)
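Step 2 above exists because a listing of the system folders by date makes anything dropped since the problem started stand out, and the file in question is a good illustration of a second trick: winlog.exe is two characters short of winlogon.exe, the legitimate logon process that sits beside it in system32 and in the same running-process list. The script below is an added example, not the original datFind.bat and not from the thread: it lists files modified within a window, newest first, and flags any name within a small edit distance of a legitimate Windows binary. The folder it scans is a constructed temporary directory with three placeholder files, and the LEGIT set is a short sample, not an inventory of Windows binaries.

```python
"""Recent-file listing with lookalike-name flags (added example, not datFind.bat)."""
import os
import tempfile
import time
from typing import List, Optional, Tuple

# Short sample of legitimate names that malware likes to imitate.
# Assumption for the example: not a complete inventory of Windows binaries.
LEGIT = {
    "winlogon.exe", "svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
    "smss.exe", "explorer.exe", "spoolsv.exe", "userinit.exe", "rundll32.exe",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str, max_dist: int = 2) -> Optional[str]:
    """The legitimate name this file name imitates, or None if exact or unrelated."""
    low = name.lower()
    if low in LEGIT:
        return None
    best = min(LEGIT, key=lambda good: edit_distance(low, good))
    return best if edit_distance(low, best) <= max_dist else None


def recent_files(root: str, days: float, now: Optional[float] = None) -> List[Tuple[float, str]]:
    """(mtime, path) for every file under root modified in the last `days`, newest first."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            mt = os.path.getmtime(p)
            if mt >= cutoff:
                hits.append((mt, p))
    hits.sort(reverse=True)
    return hits


def triage(root: str, days: float, now: Optional[float] = None) -> List[Tuple[str, str, str]]:
    """(date, path, note) rows; the note names the system binary a file imitates, if any."""
    rows = []
    for mt, p in recent_files(root, days, now):
        mimic = lookalike(os.path.basename(p))
        note = f"lookalike of {mimic}" if mimic else ""
        rows.append((time.strftime("%Y-%m-%d", time.localtime(mt)), p, note))
    return rows


def build_demo_dir() -> str:
    """Constructed sample: a stand-in system32 with one old legitimate file and two new ones."""
    root = tempfile.mkdtemp(prefix="system32_")
    now = time.time()
    for name, age_days in (("winlogon.exe", 400), ("winlog.exe", 3), ("readme.txt", 1)):
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(b"MZ")  # placeholder bytes, not a real executable
        stamp = now - age_days * 86400
        os.utime(p, (stamp, stamp))
    return root


if __name__ == "__main__":
    for date, path, note in triage(build_demo_dir(), days=60):
        print(date, path, note)
```

On the constructed folder the 60-day window keeps readme.txt and winlog.exe and drops the year-old winlogon.exe, and winlog.exe is the only name flagged, as a lookalike of winlogon.exe. On a real system32 the date filter alone produces noise after every Windows Update, so the lookalike column is what earns the listing its place in a triage.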

Post by pekingzibaduck » February 12th, 2006, 10:27 pm

WOW!!!!! What a marathon!!!!!!
Seems to be sorted!!!
Files have gone and Ad-Aware is showing no worms.
Task Manager is back as well!!!
You are without a doubt a superhero!!!

As I said before, this is the 2nd time I've got this worm in a week - is it programmed to return or have I unwittingly been infected afresh?

Thanks again, here are the logs
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 01:48:04, 13/02/2006
+ Report-Checksum: A7F4E302

+ Scan result:

C:\Documents and Settings\Paul Darby\Cookies\paul darby@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned without backup
C:\Documents and Settings\Paul Darby\Cookies\paul darby@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned without backup
C:\Documents and Settings\Paul Darby\Cookies\paul darby@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned without backup
C:\Program Files\outlook\outlook.exe -> Worm.VB.dw : Cleaned without backup
C:\Program Files\outlook\p.zip/Setup.exe -> Worm.VB.dw : Cleaned without backup
C:\Program Files\outlook\v.tmp -> Worm.VB.dw : Cleaned without backup
C:\RECYCLER\S-1-5-21-1507444161-2390766575-825157729-1006\Dc1.exe -> Backdoor.Rbot : Cleaned without backup





::Report End





PsService v1.1 - local and remote services viewer/controller
Copyright (C) 2001-2003 Mark Russinovich
Sysinternals - http://www.sysinternals.com

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alerter
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: ALG
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Layer Gateway Service
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Management
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: aspnet_state
Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ASP.NET State Service
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : AudioGroup
TAG : 0
DISPLAY_NAME : Windows Audio
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Background Intelligent Transfer Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Computer Browser
DEPENDENCIES : LanmanWorkstation
: LanmanServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: CAISafe
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CAISafe
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: CiSvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\cisvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Indexing Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ClipBook
DEPENDENCIES : NetDDE
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: COMSysApp
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COM+ System Application
DEPENDENCIES : rpcss
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 30 seconds
FAILURE_ACTIONS : Restart DELAY: 1000 seconds
: Restart DELAY: 5000 seconds
: None DELAY: 1000 seconds

SERVICE_NAME: CryptSvc
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cryptographic Services
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: DcomLaunch
Provides launch functionality for DCOM services.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k DcomLaunch
LOAD_ORDER_GROUP : Event Log
TAG : 0
DISPLAY_NAME : DCOM Server Process Launcher
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager Administrative Service
DEPENDENCIES : RpcSs
: PlugPlay
: DmServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager
DEPENDENCIES : RpcSs
: PlugPlay
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: ERSvc
Allows error reporting for services and applictions running in non-standard environments.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Error Reporting Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : Event log
TAG : 0
DISPLAY_NAME : Event Log
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : COM+ Event System
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: FastUserSwitchingCompatibility
Provides management for applications that require assistance in a multiple user environment.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fast User Switching Compatibility
DEPENDENCIES : TermService
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Help and Support
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 100 seconds
: Restart DELAY: 100 seconds
: None DELAY: 100 seconds

SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Human Interface Device Access
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: HTTPFilter
This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k HTTPFilter
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HTTP SSL
DEPENDENCIES : HTTP
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\imapi.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IMAPI CD-Burning COM Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Server
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : Workstation
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper
DEPENDENCIES : NetBT
: Afd
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Messenger
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Messenger
DEPENDENCIES : LanmanWorkstation
: NetBIOS
: PlugPlay
: RpcSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\mnmsrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetMeeting Remote Desktop Sharing
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\msdtc.exe
LOAD_ORDER_GROUP : MS Transactions
TAG : 0
DISPLAY_NAME : Distributed Transaction Coordinator
DEPENDENCIES : RPCSS
: SamSS
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: MSIServer
Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\msiexec.exe /V
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Installer
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP : NetDDEGroup
TAG : 0
DISPLAY_NAME : Network DDE
DEPENDENCIES : NetDDEDSDM
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network DDE DSDM
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP : RemoteValidation
TAG : 0
DISPLAY_NAME : Net Logon
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Connections
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Nla
Collects and stores network configuration and location information, and notifies applications when this information changes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Location Awareness (NLA)
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NT LM Security Support Provider
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Removable Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NVSvc
Provides system and desktop level support to the NVIDIA display driver
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\nvsvc32.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NVIDIA Display Driver Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Plug and Play
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IPSEC Services
DEPENDENCIES : RPCSS
: Tcpip
: IPSec
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Protected Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Auto Connection Manager
DEPENDENCIES : RasMan
: Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Connection Manager
DEPENDENCIES : Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RDSessMgr
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Desktop Help Session Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Routing and Remote Access
DEPENDENCIES : RpcSS
: +NetBIOSGroup
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\locator.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Locator
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
LOAD_ORDER_GROUP : COM Infrastructure
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC)
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\NetworkService
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\rsvp.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : QoS RSVP
DEPENDENCIES : TcpIp
: Afd
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP : LocalValidation
TAG : 0
DISPLAY_NAME : Security Accounts Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP : SmartCardGroup
TAG : 0
DISPLAY_NAME : Smart Card
DEPENDENCIES : PlugPlay
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : SchedulerGroup
TAG : 0
DISPLAY_NAME : Task Scheduler
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 6000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Secondary Logon
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : System Event Notification
DEPENDENCIES : EventSystem
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS)
DEPENDENCIES : Netman
: WinMgmt
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ShellHWDetection
Provides notifications for AutoPlay hardware events.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : Shell Hardware Detection
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SLService
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : slserv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SmartLinkService
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: srservice
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : System Restore Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SSDPSRV
Enables discovery of UPnP devices on your home network.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SSDP Discovery Service
DEPENDENCIES : HTTP
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: stisvc
Provides image acquisition services for scanners and cameras.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k imgsvc
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Image Acquisition (WIA)
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SwPrv
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\dllhost.exe /Processid:{1BA226F2-D25B-4D4F-B468-294D612DFFF1}
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MS Software Shadow Copy Provider
DEPENDENCIES : rpcss
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Performance Logs and Alerts
DEPENDENCIES :
SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telephony
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TermService
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost -k DComLaunch
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Terminal Services
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Themes
Provides user experience theme management.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : UIGroup
TAG : 0
DISPLAY_NAME : Themes
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: TrkWks
Maintains links between NTFS files within a computer or across computers in a network domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Distributed Link Tracking Client
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: upnphost
Provides support to host Universal Plug and Play devices.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Universal Plug and Play Device Host
DEPENDENCIES : SSDPSRV
: HTTP
SERVICE_START_NAME: NT AUTHORITY\LocalService
FAIL_RESET_PERIOD : -1 seconds
FAILURE_ACTIONS : Restart DELAY: 0 seconds

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Uninterruptible Power Supply
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: VETMSGNT
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : VET Message Service
DEPENDENCIES : CAISafe
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: vsmon
Monitors internet traffic and generates alerts for disallowed access.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
LOAD_ORDER_GROUP : TrueVector Group
TAG : 0
DISPLAY_NAME : TrueVector Internet Monitor
DEPENDENCIES : Afd
: RpcSs
: vsdatant
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Volume Shadow Copy
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: W32Time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Time
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : WebClient
DEPENDENCIES : MRxDAV
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: winmgmt
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Portable Media Serial Number Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WmiApSrv
Provides performance library information from WMI HiPerf providers.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\wbem\wmiapsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WMI Performance Adapter
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wscsvc
Monitors system security settings and configurations.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Security Center
DEPENDENCIES : RpcSs
: winmgmt
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Automatic Updates
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
Provides automatic configuration for the 802.11 adapters
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wireless Zero Configuration
DEPENDENCIES : RpcSs
: Ndisuio
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: xmlprov
Manages XML configuration files on a domain basis for automatic network provisioning.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Provisioning Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem


Volume in drive C is HDD
Volume Serial Number is 3094-2A9F

Directory of C:\WINDOWS

13/02/2006 00:35 0 0.log
13/02/2006 00:35 159 wiadebug.log
13/02/2006 00:35 50 wiaservc.log
13/02/2006 00:35 2,048 bootstat.dat
12/02/2006 23:37 1,230,510 WindowsUpdate.log
12/02/2006 23:37 32,648 SchedLgU.Txt
12/02/2006 16:11 227 system.ini
12/02/2006 16:11 632 win.ini
12/02/2006 15:48 22,430 wmsetup.log
12/02/2006 14:33 184,372 setupact.log
12/02/2006 12:35 393,360 setupapi.log
12/02/2006 11:48 39,817 iis6.log
12/02/2006 11:48 93,708 comsetup.log
12/02/2006 11:48 55,279 ntdtcsetup.log
12/02/2006 11:48 1,917 imsins.log
12/02/2006 11:48 102,008 tsoc.log
12/02/2006 11:48 14,008 ocmsn.log
12/02/2006 11:48 128,306 ocgen.log
12/02/2006 11:48 12,783 msgsocm.log
12/02/2006 11:48 247,142 FaxSetup.log
12/02/2006 11:44 3 Twain001.Mtx
12/02/2006 11:44 217 TWAIN.LOG
12/02/2006 11:44 156 Twunk001.MTX
12/02/2006 11:36 0 Twunk002.MTX
11/02/2006 16:51 2,560 _MSRSTRT.EXE
11/02/2006 11:55 2,896 COM+.log
11/02/2006 08:55 28,719 cdplayer.ini
10/02/2006 20:52 54,156 QTFont.qfn
07/02/2006 22:25 893 unins000.dat
05/02/2006 20:20 115,824 UnVet32.exe
05/02/2006 20:20 107,632 AVShlExt.dll
05/02/2006 16:03 0 PestPatrol5.INI
03/02/2006 21:21 29 DEBUGSM.INI
02/02/2006 20:03 115,824 UnVet32.1
02/02/2006 20:03 107,632 AVShlExt.1
31/01/2006 17:35 26 popcinfo.dat
14/01/2006 12:23 1,409 QTFont.for
12/01/2006 08:15 1,374 imsins.BAK
12/01/2006 08:15 11,265 KB908519.log
08/01/2006 13:10 126 ae_mini.INI
06/01/2006 11:44 11,416 KB912919.log
06/01/2006 11:44 17,052 updspapi.log
14/12/2005 15:00 11,876 KB910437.log
14/12/2005 15:00 24,590 KB905915.log
23/11/2005 22:28 18,687 KB890859.log
15/11/2005 22:06 0 nsreg.dat
10/11/2005 05:41 9,480 wmsetup10.log
09/11/2005 06:54 12,338 KB896424.log
08/11/2005 06:50 745,814 setuplog.txt
04/11/2005 22:42 9,662 EPISME00.SWB
02/11/2005 20:42 1,579 photoimpression.ini
02/11/2005 20:42 422 videoimp.ini
02/11/2005 20:30 0 OPPRIN~1.INI
02/11/2005 07:35 7,300 EPSTPLOG.TXT
02/11/2005 07:35 2,977 EPSTPLOG.BAK
02/11/2005 07:33 25 CDE RX500E.ini
02/11/2005 06:13 376 ODBC.INI
02/11/2005 06:13 59 vbaddin.ini
01/11/2005 22:58 13,317 LUINSTALL.LOG
01/11/2005 22:17 4,413 SYMEVENT.LOG
01/11/2005 21:17 28,922 KB899587.log
01/11/2005 21:17 28,046 KB896422.log
01/11/2005 21:17 28,053 KB885835.log
01/11/2005 21:16 26,773 KB885836.log
01/11/2005 21:16 27,733 KB885250.log
01/11/2005 21:16 27,739 KB901017.log
01/11/2005 21:16 28,059 KB899591.log
01/11/2005 21:16 28,467 KB893756.log
01/11/2005 21:16 26,020 KB896423.log
01/11/2005 21:16 25,812 KB873339.log
01/11/2005 21:16 25,812 KB888113.log
01/11/2005 21:16 26,568 KB887742.log
01/11/2005 21:16 26,010 KB887472.log
01/11/2005 21:16 27,541 KB896358.log
01/11/2005 21:16 17,907 KB898458.log
01/11/2005 21:16 25,311 KB891781.log
01/11/2005 21:16 36,031 KB902400.log
01/11/2005 21:16 22,704 KB890046.log
01/11/2005 21:15 24,712 KB896688.log
01/11/2005 21:15 19,380 KB893066.log
01/11/2005 21:15 19,719 KB905414.log
01/11/2005 21:15 18,948 KB901214.log
01/11/2005 21:15 17,965 KB888302.log
01/11/2005 21:15 20,511 KB900725.log
01/11/2005 21:15 11,935 KB886185.log
01/11/2005 21:15 16,994 KB904706.log
01/11/2005 21:15 17,297 KB905749.log
01/11/2005 21:15 16,094 KB896428.log
01/11/2005 21:15 17,440 KB894391.log
01/11/2005 21:04 8,953 KB893803v2.log
01/11/2005 21:03 10,701 KB898461.log
01/11/2005 21:02 1,178 OEWABLog.txt
01/11/2005 20:59 1,351,846 setupapi.log.0.old
01/11/2005 19:59 3,339 sessmgr.setup.log
01/11/2005 19:59 641 DtcInstall.log
01/11/2005 19:58 7,756 regopt.log
01/11/2005 19:53 61 smscfg.ini
01/11/2005 19:53 756,923 RESTORE.INS
01/11/2005 19:52 1,445 vmuninst.log
01/11/2005 19:49 391 xpsp1hfm.log
01/11/2005 19:46 8,192 REGLOCS.OLD
01/11/2005 19:45 15,418 WINNT32.LOG
01/11/2005 19:45 264 UPGRADE.TXT
01/11/2005 19:45 178 DHCPUPG.LOG
01/11/2005 19:38 3,936,054 DESK.BMP
26/05/2005 23:22 10,752 hh.exe
20/01/2005 15:07 40,960 unezfw.exe
10/12/2004 18:41 243,824 unicows.dll
10/12/2004 18:41 243,824 unicows.1
10/08/2004 17:15 780 orun32.ini
10/08/2004 17:15 203,055 orun32.isu
10/08/2004 16:59 0 control.ini
10/08/2004 16:58 316,640 WMSysPr9.prx
10/08/2004 16:58 4,161 ODBCINST.INI
10/08/2004 16:57 749 WindowsShell.Manifest
10/08/2004 16:55 36 vb.ini
10/08/2004 16:53 200 cmsetacl.log
10/08/2004 16:50 0 Sti_Trace.log
10/08/2004 16:46 0 setuperr.log
04/08/2004 14:00 17,362 Rhododendron.bmp
04/08/2004 14:00 146,432 regedit.exe
04/08/2004 14:00 15,360 TASKMAN.EXE
04/08/2004 14:00 48,680 winnt.bmp
04/08/2004 14:00 94,784 twain.dll
04/08/2004 14:00 65,954 Prairie Wind.bmp
04/08/2004 14:00 9,522 Zapotec.bmp
04/08/2004 14:00 50,688 twain_32.dll
04/08/2004 14:00 2 desktop.ini
04/08/2004 14:00 283,648 winhlp32.exe
04/08/2004 14:00 65,978 Soap Bubbles.bmp
04/08/2004 14:00 25,600 twunk_32.exe
04/08/2004 14:00 26,680 River Sumida.bmp
04/08/2004 14:00 1,032,192 explorer.exe
04/08/2004 14:00 82,944 clock.avi
04/08/2004 14:00 48,680 winnt256.bmp
04/08/2004 14:00 256,192 winhelp.exe
04/08/2004 14:00 65,832 Santa Fe Stucco.bmp
04/08/2004 14:00 69,120 NOTEPAD.EXE
04/08/2004 14:00 80 explorer.scf
04/08/2004 14:00 1,405 msdfmap.ini
04/08/2004 14:00 707 _default.pif
04/08/2004 14:00 17,062 Coffee Bean.bmp
04/08/2004 14:00 1,272 Blue Lace 16.bmp
04/08/2004 14:00 16,730 FeatherTexture.bmp
04/08/2004 14:00 26,582 Greenstone.bmp
04/08/2004 14:00 18,944 vmmreg32.dll
04/08/2004 14:00 49,680 twunk_16.exe
04/08/2004 14:00 17,336 Gone Fishing.bmp
05/05/2004 15:49 177,827 DESK01.JPG
11/03/2004 12:35 212,992 arclib.dll
17/01/2003 02:04 61,440 SmCfg.exe
17/01/2003 01:47 24,576 slrundll.exe
17/01/2003 00:45 128,327 sl.lng
17/12/2002 03:00 82,253 unins000.exe
18/01/2002 18:12 112 ActiveSkin.INI
20/06/2001 10:09 21 PI_setup.ini
05/06/2001 11:26 1,078 ATI.ICO
07/12/1999 02:03 73,216 ADE.DLL
10/11/1999 11:05 86,016 unvise32qt.exe
15/06/1999 11:31 96,768 SlantAdj.dll
26/05/1999 09:46 212,480 pcdlib32.dll
27/04/1999 00:17 3,136 Ade001.bin
29/10/1998 16:45 306,688 IsUninst.exe
11/02/1998 19:03 299,520 uninst.exe
164 File(s) 16,178,250 bytes
0 Dir(s) 141,841,833,984 bytes free


Volume in drive C is HDD
Volume Serial Number is 3094-2A9F

Directory of C:\WINDOWS\system32

13/02/2006 00:35 890 vsconfig.xml
13/02/2006 00:35 62,464 bszip.dll
13/02/2006 00:35 0 regedit.com
13/02/2006 00:35 0 cmd.com
13/02/2006 00:35 0 taskkill.com
13/02/2006 00:35 0 tasklist.com
13/02/2006 00:35 0 tracert.com
13/02/2006 00:35 0 ping.com
13/02/2006 00:35 43,573 nvapps.xml
13/02/2006 00:35 0 netstat.com
12/02/2006 14:45 1,158 wpa.dbl
12/02/2006 13:14 0 asfiles.txt
12/02/2006 13:12 2,550 Uninstall.ico
12/02/2006 13:12 1,406 Help.ico
12/02/2006 13:12 30,590 pavas.ico
11/02/2006 19:48 196,160 FNTCACHE.DAT
11/02/2006 11:54 380,486 perfh009.dat
11/02/2006 11:54 427,876 PerfStringBackup.INI
11/02/2006 11:54 52,900 perfc009.dat
05/02/2006 20:21 4,212 zllictbl.dat
05/02/2006 20:20 74,864 VetRedir.dll
02/02/2006 20:03 74,864 VetRedir.1
05/01/2006 03:41 2,827,616 MRT.exe
29/12/2005 02:54 280,064 gdi32.dll
10/12/2005 04:16 180,224 NVUNINST.EXE
10/12/2005 03:06 294,912 nvwrssv.dll
10/12/2005 03:06 303,104 nvwrssl.dll
10/12/2005 03:06 299,008 nvwrssk.dll
10/12/2005 03:06 315,392 nvwrsru.dll
10/12/2005 03:06 319,488 nvwrsptb.dll
10/12/2005 03:06 323,584 nvwrspt.dll
10/12/2005 03:06 294,912 nvwrspl.dll
10/12/2005 03:06 303,104 nvwrstr.dll
10/12/2005 03:06 299,008 nvwrsno.dll
10/12/2005 03:06 319,488 nvwrsnl.dll
10/12/2005 03:06 196,608 nvwrsko.dll
10/12/2005 03:06 212,992 nvwrsja.dll
10/12/2005 03:06 323,584 nvwrsit.dll
10/12/2005 03:06 315,392 nvwrshu.dll
10/12/2005 03:06 278,528 nvwrshe.dll
10/12/2005 03:06 327,680 nvwrsfr.dll
10/12/2005 03:06 303,104 nvwrsfi.dll
10/12/2005 03:06 327,680 nvwrsesm.dll
10/12/2005 03:06 335,872 nvwrses.dll
10/12/2005 03:06 286,720 nvwrseng.dll
10/12/2005 03:06 335,872 nvwrsel.dll
10/12/2005 03:06 311,296 nvwrsde.dll
10/12/2005 03:06 425,984 keystone.exe
10/12/2005 03:06 294,912 nvwrsda.dll
10/12/2005 03:06 286,720 nvwrscs.dll
10/12/2005 03:06 282,624 nvwrsar.dll
10/12/2005 03:06 163,840 nvwrszhc.dll
10/12/2005 03:06 1,662,976 nvwdmcpl.dll
10/12/2005 03:06 81,920 nvwddi.dll
10/12/2005 03:06 167,936 nvwrszht.dll
10/12/2005 03:06 180,224 nvudisp.exe
10/12/2005 03:06 73,728 nvtuicpl.cpl
10/12/2005 03:06 1,519,616 nwiz.exe
10/12/2005 03:06 466,944 nvshell.dll
10/12/2005 03:06 118,784 nvrszht.dll
10/12/2005 03:06 217,088 nvrszhc.dll
10/12/2005 03:06 249,856 nvrstr.dll
10/12/2005 03:06 245,760 nvrssv.dll
10/12/2005 03:06 249,856 nvrssl.dll
10/12/2005 03:06 249,856 nvrssk.dll
10/12/2005 03:06 262,144 nvrsru.dll
10/12/2005 03:06 262,144 nvrsptb.dll
10/12/2005 03:06 266,240 nvrspt.dll
10/12/2005 03:06 249,856 nvrspl.dll
10/12/2005 03:06 249,856 nvrsno.dll
10/12/2005 03:06 266,240 nvrsnl.dll
10/12/2005 03:06 253,952 nvrsko.dll
10/12/2005 03:06 258,048 nvrsja.dll
10/12/2005 03:06 274,432 nvrsit.dll
10/12/2005 03:06 253,952 nvrshu.dll
10/12/2005 03:06 319,488 nvrshe.dll
10/12/2005 03:06 278,528 nvrsfr.dll
10/12/2005 03:06 241,664 nvrsfi.dll
10/12/2005 03:06 266,240 nvrsesm.dll
10/12/2005 03:06 274,432 nvrses.dll
10/12/2005 03:06 241,664 nvrseng.dll
10/12/2005 03:06 274,432 nvrsel.dll
10/12/2005 03:06 270,336 nvrsde.dll
10/12/2005 03:06 245,760 nvrsda.dll
10/12/2005 03:06 241,664 nvrscs.dll
10/12/2005 03:06 319,488 nvrsar.dll
10/12/2005 03:06 5,402,624 nvoglnt.dll
10/12/2005 03:06 286,720 nvnt4cpl.dll
10/12/2005 03:06 86,016 nvmctray.dll
10/12/2005 03:06 45,056 nvmccsrs.dll
10/12/2005 03:06 229,376 nvmccs.dll
10/12/2005 03:06 1,466,368 nview.dll
10/12/2005 03:06 573,440 nvhwvid.dll
10/12/2005 03:06 1,339,392 nvdspsch.exe
10/12/2005 03:06 16,356 nvdisp.nvu
10/12/2005 03:06 7,311,360 nvcpl.dll
10/12/2005 03:06 3,955,456 nv4_disp.dll
10/12/2005 03:06 147,456 nvcolor.exe
10/12/2005 03:06 131,139 nvsvc32.exe
10/12/2005 03:06 35,840 nvcodins.dll
10/12/2005 03:06 35,840 nvcod.dll
10/12/2005 03:06 1,019,904 nvwimg.dll
10/12/2005 03:06 442,368 nvappbar.exe
10/12/2005 03:06 110,592 nvapi.dll
05/12/2005 16:40 6,617 jupdate-1.5.0_06-b05.log
01/12/2005 03:59 1,492,480 shdocvw.dll
24/11/2005 01:06 3,015,680 mshtml.dll
24/11/2005 01:06 1,022,464 browseui.dll
23/11/2005 22:43 0 REN17.tmp
23/11/2005 22:43 0 REN16.tmp
15/11/2005 12:12 126,680 GCCollection.dll
15/11/2005 12:12 117,976 hashlib.dll
15/11/2005 12:12 95,448 gcUnCompress.dll
10/11/2005 13:03 127,078 javaws.exe
10/11/2005 13:03 49,265 jpicpl32.cpl
10/11/2005 11:27 49,250 javaw.exe
10/11/2005 11:27 49,248 java.exe
06/11/2005 07:30 5,299 jupdate-1.5.0_05-b05.log
05/11/2005 03:16 609,280 urlmon.dll
05/11/2005 03:16 1,054,208 danim.dll
02/11/2005 20:42 16,832 amcompat.tlb
02/11/2005 20:42 23,392 nscompat.tlb
02/11/2005 20:42 2,272 w95inf16.dll
02/11/2005 20:42 4,608 w95inf32.dll
01/11/2005 21:01 599 $winnt$.inf
01/11/2005 19:53 333 $ncsp$.inf
01/11/2005 19:49 176,167 rmoc3260.dll
01/11/2005 19:48 6,656 pndx5016.dll
01/11/2005 19:48 5,632 pndx5032.dll
01/11/2005 19:48 278,528 pncrt.dll
01/11/2005 19:48 3,189 qtplugin.log
01/11/2005 19:42 3,056 jupdate-1.4.2_05-b04.log
21/10/2005 03:39 658,432 wininet.dll
21/10/2005 03:39 473,600 shlwapi.dll
21/10/2005 03:39 146,432 msrating.dll
21/10/2005 03:39 530,944 mstime.dll
21/10/2005 03:39 448,512 mshtmled.dll
21/10/2005 03:39 39,424 pngfilt.dll
21/10/2005 03:39 96,256 inseng.dll
21/10/2005 03:39 251,392 iepeers.dll
21/10/2005 03:39 205,312 dxtrans.dll
21/10/2005 03:39 55,808 extmgr.dll
21/10/2005 03:39 151,040 cdfview.dll
20/10/2005 22:20 1,082,368 esent.dll
17/10/2005 21:14 118,272 t2embed.dll
17/10/2005 21:14 80,896 fontsub.dll
12/10/2005 23:12 14,048 spmsg.dll
06/10/2005 00:05 1,839,488 win32k.sys
23/09/2005 03:05 8,450,560 shell32.dll
10/09/2005 01:53 2,067,968 cdosys.dll
01/09/2005 01:41 291,840 winsrv.dll
01/09/2005 01:41 19,968 linkinfo.dll
30/08/2005 03:54 1,287,168 quartz.dll
23/08/2005 03:35 123,392 umpnpmgr.dll
22/08/2005 18:29 197,632 netman.dll
29/07/2005 20:07 73,728 asuninst.exe
26/07/2005 04:39 397,824 rpcss.dll
26/07/2005 04:39 101,376 txflog.dll
26/07/2005 04:39 37,888 olecnv32.dll
26/07/2005 04:39 11,776 xolehlp.dll
26/07/2005 04:39 1,285,120 ole32.dll
26/07/2005 04:39 74,752 olecli32.dll
26/07/2005 04:39 945,152 msdtctm.dll
26/07/2005 04:39 161,280 msdtcuiu.dll
26/07/2005 04:39 91,136 mtxoci.dll
26/07/2005 04:39 66,560 mtxclu.dll
26/07/2005 04:39 425,472 msdtcprx.dll
26/07/2005 04:39 540,160 comuid.dll
26/07/2005 04:39 243,200 es.dll
26/07/2005 04:39 1,267,200 comsvcs.dll
26/07/2005 04:39 97,792 comrepl.dll
26/07/2005 04:39 110,080 clbcatex.dll
26/07/2005 04:39 60,416 colbact.dll
26/07/2005 04:39 625,152 catsrvut.dll
26/07/2005 04:39 498,688 clbcatq.dll
26/07/2005 04:39 225,792 catsrv.dll
12/07/2005 18:04 23,304 GWFSPidGen.dll
12/07/2005 18:04 520,456 LegitCheckControl.dll
08/07/2005 16:27 76,800 remotesp.tsp
08/07/2005 16:27 249,344 tapisrv.dll
29/06/2005 01:46 254,976 icm32.dll
29/06/2005 01:46 74,240 mscms.dll
15/06/2005 17:49 295,936 kerberos.dll
10/06/2005 23:53 57,856 spoolsv.exe
27/05/2005 02:04 41,472 hhsetup.dll
27/05/2005 02:04 137,216 itss.dll
27/05/2005 02:04 546,304 hhctrl.ocx
27/05/2005 02:04 155,136 itircl.dll
26/05/2005 04:16 41,240 wups.dll
26/05/2005 04:16 174,360 wuaucpl.cpl
26/05/2005 04:16 124,184 wuauclt.exe
26/05/2005 04:16 172,312 wuauclt1.exe
26/05/2005 04:16 127,256 wucltui.dll
26/05/2005 04:16 194,328 wuaueng1.dll
26/05/2005 04:16 18,200 wups2.dll
26/05/2005 04:16 173,536 wuweb.dll
26/05/2005 04:16 1,343,768 wuaueng.dll
26/05/2005 04:16 465,176 wuapi.dll
26/05/2005 04:16 75,544 cdm.dll
26/05/2005 04:16 198,424 iuengine.dll
17/05/2005 00:25 15,360 xpsp3res.dll
10/05/2005 23:45 75,776 telnet.exe
04/05/2005 14:45 15,360 msisip.dll
04/05/2005 14:45 884,736 msimsg.dll
04/05/2005 14:45 271,360 msihnd.dll
04/05/2005 14:45 78,848 msiexec.exe
04/05/2005 14:45 2,890,240 msi.dll
22/04/2005 11:58 328,128 gcTypLibA.tlb
02/03/2005 18:09 577,024 user32.dll
02/03/2005 18:09 56,832 authz.dll
02/03/2005 00:59 2,179,328 ntoskrnl.exe
02/03/2005 00:34 2,056,832 ntkrnlpa.exe
24/02/2005 13:21 22,752 spupdsvc.exe
10/12/2004 18:41 74,864 iSafProd.1
10/12/2004 18:41 74,864 iSafProd.dll
10/12/2004 18:41 95,344 ISafeIf.1
10/12/2004 18:41 95,344 ISafeIf.dll
07/12/2004 19:32 96,768 srvsvc.dll
06/12/2004 16:59 77,824 MLMON__N(2).DLL
06/12/2004 16:59 77,824 MLMON__N(3).DLL
18/11/2004 19:09 250,544 KeyHelp.ocx
17/11/2004 17:41 347,136 hypertrm.dll
16/11/2004 21:17 68,096 hlink.dll
28/10/2004 01:21 721,920 lsasrv.dll
12/10/2004 08:38 62,736 zlcommdb.dll
12/10/2004 08:38 70,928 zlcomm.dll
12/10/2004 08:37 99,592 vsxml.dll
12/10/2004 08:37 333,072 vsutil.dll
12/10/2004 08:37 70,928 vsregexp.dll
12/10/2004 08:37 169,232 vspubapi.dll
12/10/2004 08:37 111,888 vsmonapi.dll
12/10/2004 08:37 115,984 vsinit.dll
12/10/2004 08:37 271,792 vsdatant.sys
12/10/2004 08:37 75,024 vsdata.dll
12/10/2004 08:34 38,072 vsutil_oem1051.dll
08/10/2004 03:02 1,233,920 msxml4.dll
08/10/2004 03:01 82,432 msxml4r.dll
08/10/2004 03:01 44,544 msxml4a.dll
07/09/2004 18:49 5,520 OEMINFO.INI
10/08/2004 16:59 2,577 CONFIG.NT
10/08/2004 16:57 488 WindowsLogon.manifest
10/08/2004 16:57 488 logonui.exe.manifest
10/08/2004 16:57 749 sapi.cpl.manifest
10/08/2004 16:57 749 nwc.cpl.manifest
10/08/2004 16:57 749 ncpa.cpl.manifest
10/08/2004 16
pekingzibaduck
Active Member
 
Posts: 13
Joined: February 5th, 2006, 9:52 am

Unread postby pekingzibaduck » February 12th, 2006, 10:30 pm

Logfile of HijackThis v1.99.1
Scan saved at 02:09:06, on 13/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Browser mouse\1.3\mouse32a.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Multimedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Paul Darby\Desktop\Malware Removal.com Tools\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Program Files\Browser mouse\1.3\mouse32a.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylo ... loader.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
pekingzibaduck
Active Member
 
Posts: 13
Joined: February 5th, 2006, 9:52 am

Unread postby Die Hard » February 13th, 2006, 4:45 am

pekingzibaduck

As I said before this is the 2nd time I've got this worm in a week - is it programmed to return or have I unwittingly been infected afresh?

It hasn't been totally removed.
Now, when the worm has displayed its ugly face, I think we will finally get it.

Please download Option^Explicit's KillBox:
http://www.bleepingcomputer.com/files/killbox.php

Extract it to a folder of its own and open it.
Checkmark "Delete on reboot".
Then copy and paste the following filepaths into the field "Full path of file to delete", one at a time. Then click the red button with a white "X".
A prompt will come up, asking you if you want to reboot now; click "no" until you have added the last filepath, then click "yes".
If the system doesn't reboot on its own, do so manually.

C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\ping.com


After the reboot, a folder "C:\!Submit" is created, containing those files. Delete it and empty the recycle bin.

Regards

Die Hard :)
Die Hard
MRU Emeritus
 
Posts: 10
Joined: August 31st, 2005, 6:22 pm
Location: Sweden
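The files Die Hard lists are zero-byte `.com` files in system32 named after stock command-line tools (cmd, regedit, ping, ...). Because cmd.exe resolves a bare command name in PATHEXT order, and the default PATHEXT starts with .COM before .EXE, a planted same-named `.com` is what gets picked up when the user types `cmd`. As an added example (not a tool from the thread or from MalwareRemoval.com), here is a Python parser for the `dir` listing format posted above that flags such shadow files and lists other files written in the same minute as a flagged one; the tool-name list and the sample listing are constructed for the example.

```python
"""Flag shadow .com files in a Windows `dir` listing (added example, not the thread's tooling)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Stock tools that ship as .exe; a same-named .com beside them is a shadow.
# Constructed baseline for the example; extend it for your own environment.
STOCK_EXE_TOOLS = frozenset({
    "cmd", "regedit", "taskkill", "tasklist", "tracert", "ping", "netstat",
    "ipconfig", "msconfig", "taskmgr", "rundll32", "sc", "net", "reg",
})

# One `dir` row as it appears in the thread: DD/MM/YYYY HH:MM size-or-<DIR> name
_DIR_LINE = re.compile(r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+([\d,]+|<DIR>)\s+(.+?)\s*$")


@dataclass(frozen=True)
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for <DIR> rows
    name: str

    @property
    def stem(self) -> str:
        return self.name.rsplit(".", 1)[0].lower()

    @property
    def ext(self) -> str:
        return self.name.rsplit(".", 1)[1].lower() if "." in self.name else ""


def parse_dir_listing(lines) -> List[Entry]:
    """Return an Entry per file row; volume/header/footer rows do not match and are skipped."""
    entries = []
    for line in lines:
        m = _DIR_LINE.match(line)
        if not m:
            continue
        date, time, size, name = m.groups()
        size_val = None if size == "<DIR>" else int(size.replace(",", ""))
        entries.append(Entry(date, time, size_val, name))
    return entries


def find_shadow_coms(entries) -> Dict[str, str]:
    """Map suspicious .com file name -> reason. Legitimate 16-bit .com tools are not flagged."""
    flagged = {}
    for e in entries:
        if e.ext != "com":
            continue
        if e.stem in STOCK_EXE_TOOLS:
            flagged[e.name] = f"shadows stock tool {e.stem}.exe via PATHEXT order"
        elif e.size == 0:
            flagged[e.name] = "zero-byte .com file"
    return flagged


def same_minute_siblings(entries, flagged_names: Set[str]) -> List[str]:
    """Files written in the same minute as a flagged file: review candidates, not a verdict."""
    minutes = {(e.date, e.time) for e in entries if e.name in flagged_names}
    return sorted(e.name for e in entries
                  if (e.date, e.time) in minutes and e.name not in flagged_names)


# Constructed sample in the thread's listing format; names mirror the entries discussed above.
SAMPLE_LISTING = [
    " Volume in drive C is HDD",
    r" Directory of C:\WINDOWS\system32",
    "",
    "13/02/2006 00:35 890 vsconfig.xml",
    "13/02/2006 00:35 62,464 bszip.dll",
    "13/02/2006 00:35 0 regedit.com",
    "13/02/2006 00:35 0 cmd.com",
    "13/02/2006 00:35 0 ping.com",
    "12/02/2006 14:45 1,158 wpa.dbl",
    "10/05/2005 23:45 75,776 telnet.exe",
    "01/01/2006 10:00 <DIR> drivers",
    "01/01/2006 10:00 49,152 more.com",  # legitimate .com tool, must not be flagged
    " 164 File(s) 16,178,250 bytes",
]

if __name__ == "__main__":
    entries = parse_dir_listing(SAMPLE_LISTING)
    flagged = find_shadow_coms(entries)
    for name, reason in flagged.items():
        print(f"{name}: {reason}")
    print("same-minute siblings to review:", same_minute_siblings(entries, set(flagged)))
```

The sibling pivot is what surfaces bszip.dll here, which the `.com` rule alone would miss; it also pulls in config files that were simply rewritten in that minute, so treat its output as a review list.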

Unread postby pekingzibaduck » February 13th, 2006, 7:24 am

Thanks for all your help
pekingzibaduck
Active Member
 
Posts: 13
Joined: February 5th, 2006, 9:52 am

Unread postby Die Hard » February 13th, 2006, 9:06 am

pekingzibaduck :)

I'm glad to help :)
Thank you for the submission, received! :)

Just a final word: Since this trojan is designed to collect passwords, product keys and such, I strongly suggest you change your delicate passwords, logins, etc. Especially if you handle bank affairs from this computer, transfer money via PayPal or your credit card.

In other words: You have been the victim of the modern burglar.

Regards

Die Hard :)
Die Hard
MRU Emeritus
 
Posts: 10
Joined: August 31st, 2005, 6:22 pm
Location: Sweden

Unread postby NonSuch » February 18th, 2006, 1:54 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 27211
Joined: February 23rd, 2005, 7:08 am
Location: California