TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Guest_nick on November 14, 2004, 07:38:04 AM

Title: about:blank trusted start page
Post by: Guest_nick on November 14, 2004, 07:38:04 AM
Hello,
Looking for help on removing about:blank trusted start page.

Here are my HijackThis and StartDreck logs, with Run keys, Browser Helper Objects and running processes checked.

Your help would be much appreciated.
Nick

Logfile of HijackThis v1.98.2
Scan saved at 10:38:33 PM, on 14/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\csmss.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\w?nlogon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=4345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\oxovz.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [cmssSystemProcess] c:\windows\system32\csmss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ncxpnt] C:\WINDOWS\System32\ncxpnt.exe
O4 - HKCU\..\Run: [Sooe] C:\Documents and Settings\Daniel\Application Data\heup.exe
O4 - HKCU\..\Run: [Bxks] C:\WINDOWS\System32\w?nlogon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Corel Network monitor worker - {94A38FC1-920D-41EC-B9EC-04AF7B5CF733} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {94A38FC1-920D-41EC-B9EC-04AF7B5CF733} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.130/e9xr2.chm::/file.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099634730356
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

StartDreck (build 2.1.7 public stable) - 2004-11-14 @ 22:41:36 (GMT +10:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Daniel at DANIEL-R68WEOCI

»Registry
 »Run Keys
  »Current User
   »Run
    *CTFMON.EXE=C:\WINDOWS\system32\ctfmon.exe
    *ncxpnt=C:\WINDOWS\System32\ncxpnt.exe
    *Sooe=C:\Documents and Settings\Daniel\Application Data\heup.exe
    *Bxks=C:\WINDOWS\System32\w?nlogon.exe
    *H/PC Connection Agent="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
   »RunOnce
  »Default User
   »Run
    *CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
   »RunOnce
  »Local Machine
   »Run
    *cmssSystemProcess=c:\windows\system32\csmss.exe
    *QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
    +OptionalComponents
     +MSFS
      *Installed=1
     +MAPI
      *Installed=1
      *NoChange=1
     +MAPI
      *Installed=1
      *NoChange=1
   »RunOnce
    +Setup
     *Registrando Panda ActiveX=C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\as.dll
     *Registrando Panda Almacen=C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\pavpz.dll
     *Registering ActiveScan controles=C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\ascontrol.dll
   »RunServices
   »RunServicesOnce
   »RunOnceEx
   »RunServicesOnceEx
 »Browser Helper Objects (LM)
»Files
»System/Drivers
 »Running Processes
  +0=<idle>
  +4=<system>
  +648=\SystemRoot\System32\smss.exe
  +724=\??\C:\WINDOWS\system32\csrss.exe
  +760=\??\C:\WINDOWS\system32\winlogon.exe
  +804=C:\WINDOWS\system32\services.exe
  +816=C:\WINDOWS\system32\lsass.exe
  +1064=C:\WINDOWS\system32\svchost.exe
  +1132=C:\WINDOWS\system32\svchost.exe
  +1272=C:\WINDOWS\System32\svchost.exe
  +1332=C:\WINDOWS\System32\svchost.exe
  +1528=C:\WINDOWS\System32\svchost.exe
  +1956=C:\WINDOWS\system32\spoolsv.exe
  +588=C:\WINDOWS\Explorer.EXE
  +820=C:\WINDOWS\system32\csmss.exe
  +1084=C:\Program Files\QuickTime\qttask.exe
  +1092=C:\WINDOWS\system32\ctfmon.exe
  +1072=C:\WINDOWS\System32\w?nlogon.exe
  +1168=C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
  +1488=C:\WINDOWS\System32\Ati2evxx.exe
  +1588=C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
  +1728=C:\Program Files\CA\eTrust Antivirus\InoRT.exe
  +1812=C:\Program Files\CA\eTrust Antivirus\InoTask.exe
  +256=C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
  +336=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
  +1208=C:\WINDOWS\System32\svchost.exe
  +1240=C:\WINDOWS\System32\wdfmgr.exe
  +2552=C:\WINDOWS\System32\alg.exe
  +2452=C:\Program Files\Internet Explorer\iexplore.exe
  +2748=C:\WINDOWS\system32\NOTEPAD.EXE
  +3080=C:\Startdreck\StartDreck.exe
»Application specific
Title: about:blank trusted start page
Post by: guestolo on November 14, 2004, 11:11:15 AM
StartDreck is not needed for this case...
It's a tool to help with Windows 95, 98 and ME.

But let's try another tool.
Could you download GetServices.zip (http://www.bleepingcomputer.com/files/spyware/getservice.zip)?
Unzip it to a folder.
Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder.
getservice.txt will list all active services.

Please post back the getservice.txt and a fresh HijackThis log.
Try not to restart your computer again until we have applied a fix.
Title: about:blank trusted start page
Post by: Guest on November 14, 2004, 06:00:58 PM
Hello guestolo,
Thanks for the reply. Here is the GetService log and a fresh HijackThis log.

PsService v1.1 - local and remote services viewer/controller
Copyright © 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 4  DISABLED
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Alerter
   DEPENDENCIES     : LanmanWorkstation
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: ALG
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\alg.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Application Layer Gateway Service
   DEPENDENCIES     :
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Application Management
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: aspnet_state
Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : ASP.NET State Service
   DEPENDENCIES     :
   SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: Ati HotKey Poller
(null)
   TYPE        : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\Ati2evxx.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Ati HotKey Poller
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : AudioGroup
   TAG        : 0
   DISPLAY_NAME     : Windows Audio
   DEPENDENCIES     : PlugPlay
           : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Background Intelligent Transfer Service
   DEPENDENCIES     : Rpcss
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 0 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 60000 seconds
           : Restart   DELAY: 60000 seconds
           : Restart   DELAY: 60000 seconds

SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Computer Browser
   DEPENDENCIES     : LanmanWorkstation
           : LanmanServer
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: CA_LIC_CLNT
CA License Client
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : CA License Client
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: CA_LIC_SRVR
CA License Server
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : CA License Server
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: cisvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\cisvc.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Indexing Service
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 4  DISABLED
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\clipsrv.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : ClipBook
   DEPENDENCIES     : NetDDE
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: COMSysApp
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : COM+ System Application
   DEPENDENCIES     : rpcss
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 30 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 1000 seconds
           : Restart   DELAY: 5000 seconds
           : None   DELAY: 1000 seconds

SERVICE_NAME: CryptSvc
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Cryptographic Services
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: DcomLaunch
Provides launch functionality for DCOM services.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost -k DcomLaunch
   LOAD_ORDER_GROUP  : Event Log
   TAG        : 0
   DISPLAY_NAME     : DCOM Server Process Launcher
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 0 seconds
   FAILURE_ACTIONS     : Reboot   DELAY: 60000 seconds

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : TDI
   TAG        : 0
   DISPLAY_NAME     : DHCP Client
   DEPENDENCIES     : Tcpip
           : Afd
           : NetBT
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\dmadmin.exe /com
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Logical Disk Manager Administrative Service
   DEPENDENCIES     : RpcSs
           : PlugPlay
           : DmServer
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Logical Disk Manager
   DEPENDENCIES     : RpcSs
           : PlugPlay
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k NetworkService
   LOAD_ORDER_GROUP  : TDI
   TAG        : 0
   DISPLAY_NAME     : DNS Client
   DEPENDENCIES     : Tcpip
   SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: ERSvc
Allows error reporting for services and applictions running in non-standard environments.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Error Reporting Service
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\services.exe
   LOAD_ORDER_GROUP  : Event log
   TAG        : 0
   DISPLAY_NAME     : Event Log
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : Network
   TAG        : 0
   DISPLAY_NAME     : COM+ Event System
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: FastUserSwitchingCompatibility
Provides management for applications that require assistance in a multiple user environment.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Fast User Switching Compatibility
   DEPENDENCIES     : TermService
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Help and Support
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 100 seconds
           : Restart   DELAY: 100 seconds
           : None   DELAY: 100 seconds

SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 4  DISABLED
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Human Interface Device Access
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: HTTPFilter
This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service,  using the Secure Socket Layer (SSL).  If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k HTTPFilter
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : HTTP SSL
   DEPENDENCIES     : HTTP
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\imapi.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : IMAPI CD-Burning COM Service
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: InoRPC
(null)
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : "C:\Program Files\CA\eTrust Antivirus\InoRpc.exe"
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : eTrust Antivirus RPC Server
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: InoRT
(null)
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : "C:\Program Files\CA\eTrust Antivirus\InoRT.exe"
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : eTrust Antivirus Realtime Server
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: InoTask
(null)
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : "C:\Program Files\CA\eTrust Antivirus\InoTask.exe"
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : eTrust Antivirus Job Server
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Irmon
Supports infrared devices installed on the computer and detects other devices that are in range.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : TDI
   TAG        : 0
   DISPLAY_NAME     : Infrared Monitor
   DEPENDENCIES     : irda
           : RpcSs
           : TermService
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Server
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : NetworkProvider
   TAG        : 0
   DISPLAY_NAME     : Workstation
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP  : TDI
   TAG        : 0
   DISPLAY_NAME     : TCP/IP NetBIOS Helper
   DEPENDENCIES     : NetBT
           : Afd
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: LogWatch
Event Log Watch
   TYPE        : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Event Log Watch
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MDM
Manages local and remote debugging for Visual Studio debuggers
   TYPE        : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Machine Debug Manager
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Messenger
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 4  DISABLED
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Messenger
   DEPENDENCIES     : LanmanWorkstation
           : NetBIOS
           : PlugPlay
           : RpcSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\mnmsrvc.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : NetMeeting Remote Desktop Sharing
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\msdtc.exe
   LOAD_ORDER_GROUP  : MS Transactions
   TAG        : 0
   DISPLAY_NAME     : Distributed Transaction Coordinator
   DEPENDENCIES     : RPCSS
           : SamSS
   SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: MSIServer
Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\msiexec.exe /V
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Windows Installer
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 4  DISABLED
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\netdde.exe
   LOAD_ORDER_GROUP  : NetDDEGroup
   TAG        : 0
   DISPLAY_NAME     : Network DDE
   DEPENDENCIES     : NetDDEDSDM
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 4  DISABLED
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\netdde.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Network DDE DSDM
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\lsass.exe
   LOAD_ORDER_GROUP  : RemoteValidation
   TAG        : 0
   DISPLAY_NAME     : Net Logon
   DEPENDENCIES     : LanmanWorkstation
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
   TYPE        : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Network Connections
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Nla
Collects and stores network configuration and location information, and notifies applications when this information changes.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Network Location Awareness (NLA)
   DEPENDENCIES     : Tcpip
           : Afd
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\lsass.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : NT LM Security Support Provider
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
(null)
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Removable Storage
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\services.exe
   LOAD_ORDER_GROUP  : PlugPlay
   TAG        : 0
   DISPLAY_NAME     : Plug and Play
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\lsass.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : IPSEC Services
   DEPENDENCIES     : RPCSS
           : Tcpip
           : IPSec
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
   TYPE        : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\lsass.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Protected Storage
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Remote Access Auto Connection Manager
   DEPENDENCIES     : RasMan
           : Tapisrv
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Remote Access Connection Manager
   DEPENDENCIES     : Tapisrv
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RDSessMgr
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\sessmgr.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Remote Desktop Help Session Manager
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 4  DISABLED
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Routing and Remote Access
   DEPENDENCIES     : RpcSS
           : +NetBIOSGroup
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteRegistry
Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Remote Registry
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: NT AUTHORITY\LocalService
   FAIL_RESET_PERIOD : 0 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 1000 seconds

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\locator.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Remote Procedure Call (RPC) Locator
   DEPENDENCIES     : LanmanWorkstation
   SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost -k rpcss
   LOAD_ORDER_GROUP  : COM Infrastructure
   TAG        : 0
   DISPLAY_NAME     : Remote Procedure Call (RPC)
   DEPENDENCIES     :
   SERVICE_START_NAME: NT Authority\NetworkService
   FAIL_RESET_PERIOD : 0 seconds
   FAILURE_ACTIONS     : Reboot   DELAY: 60000 seconds

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\rsvp.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : QoS RSVP
   DEPENDENCIES     : TcpIp
           : Afd
           : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\lsass.exe
   LOAD_ORDER_GROUP  : LocalValidation
   TAG        : 0
   DISPLAY_NAME     : Security Accounts Manager
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\WINDOWS\System32\SCardSvr.exe
   LOAD_ORDER_GROUP  : SmartCardGroup
   TAG        : 0
   DISPLAY_NAME     : Smart Card
   DEPENDENCIES     : PlugPlay
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : SchedulerGroup
   TAG        : 0
   DISPLAY_NAME     : Task Scheduler
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Secondary Logon
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events.  Notifies COM+ Event System subscribers of these events.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : Network
   TAG        : 0
   DISPLAY_NAME     : System Event Notification
   DEPENDENCIES     : EventSystem
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Windows Firewall/Internet Connection Sharing (ICS)
   DEPENDENCIES     : Netman
           : WinMgmt
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ShellHWDetection
(null)
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : ShellSvcGroup
   TAG        : 0
   DISPLAY_NAME     : Shell Hardware Detection
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
   TYPE        : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\spoolsv.exe
   LOAD_ORDER_GROUP  : SpoolerGroup
   TAG        : 0
   DISPLAY_NAME     : Print Spooler
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 60000 seconds
           : Restart   DELAY: 60000 seconds
           : None   DELAY: 0 seconds

SERVICE_NAME: srservice
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : System Restore Service
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SSDPSRV
Enables discovery of UPnP devices on your home network.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : SSDP Discovery Service
   DEPENDENCIES     : HTTP
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: stisvc
Provides image acquisition services for scanners and cameras.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k imgsvc
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Windows Image Acquisition (WIA)
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SwPrv
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\WINDOWS\System32\dllhost.exe /Processid:{C1FD734C-F222-4A34-B259-35374B514FF7}
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : MS Software Shadow Copy Provider
   DEPENDENCIES     : rpcss
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\smlogsvc.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Performance Logs and Alerts
   DEPENDENCIES     :
   SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Telephony
   DEPENDENCIES     : PlugPlay
           : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TermService
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost -k DComLaunch
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Terminal Services
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Themes
Provides user experience theme management.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : UIGroup
   TAG        : 0
   DISPLAY_NAME     : Themes
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 60000 seconds
           : Restart   DELAY: 60000 seconds
           : None   DELAY: 0 seconds

SERVICE_NAME: TlntSvr
Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\tlntsvr.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Telnet
   DEPENDENCIES     : RPCSS
           : TCPIP
           : NTLMSSP
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TrkWks
Maintains links between NTFS files within a computer or across computers in a network domain.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Distributed Link Tracking Client
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UMWdf
Enables Windows user mode drivers.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\wdfmgr.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Windows User Mode Driver Framework
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: upnphost
Provides support to host Universal Plug and Play devices.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Universal Plug and Play Device Host
   DEPENDENCIES     : SSDPSRV
           : HTTP
   SERVICE_START_NAME: NT AUTHORITY\LocalService
   FAIL_RESET_PERIOD : -1 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 0 seconds

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\ups.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Uninterruptible Power Supply
   DEPENDENCIES     :
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\vssvc.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Volume Shadow Copy
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: W32Time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Windows Time
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 5 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 60000 seconds
           : Restart   DELAY: 60000 seconds

SERVICE_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP  : NetworkProvider
   TAG        : 0
   DISPLAY_NAME     : WebClient
   DEPENDENCIES     : MRxDAV
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: winmgmt
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Windows Management Instrumentation
   DEPENDENCIES     : RPCSS
           : Eventlog
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 60000 seconds
           : Restart   DELAY: 60000 seconds

SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Portable Media Serial Number Service
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Wmi
Provides systems management information to and from drivers.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Windows Management Instrumentation Driver Extensions
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WmiApSrv
Provides performance library information from WMI HiPerf providers.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\wbem\wmiapsrv.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : WMI Performance Adapter
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wscsvc
Monitors system security settings and configurations.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Security Center
   DEPENDENCIES     : RpcSs
           : winmgmt
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Automatic Updates
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
Provides automatic configuration for the 802.11 adapters
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : TDI
   TAG        : 0
   DISPLAY_NAME     : Wireless Zero Configuration
   DEPENDENCIES     : RpcSs
           : Ndisuio
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: xmlprov
Manages XML configuration files on a domain basis for automatic network provisioning.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Network Provisioning Service
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

Logfile of HijackThis v1.98.2
Scan saved at 9:07:42 AM, on 15/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\csmss.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\w?nlogon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=4345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\oxovz.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [cmssSystemProcess] c:\windows\system32\csmss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ncxpnt] C:\WINDOWS\System32\ncxpnt.exe
O4 - HKCU\..\Run: [Sooe] C:\Documents and Settings\Daniel\Application Data\heup.exe
O4 - HKCU\..\Run: [Bxks] C:\WINDOWS\System32\w?nlogon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Corel Network monitor worker - {94A38FC1-920D-41EC-B9EC-04AF7B5CF733} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {94A38FC1-920D-41EC-B9EC-04AF7B5CF733} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.130/e9xr2.chm::/file.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099634730356
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Title: about:blank trusted start page
Post by: guestolo on November 14, 2004, 08:29:54 PM
The GetServices looks ok....

We need a couple of tools to help get you clean

The first one is a free Spyware Remover, yours to hold onto for free
Update it every couple of weeks and run scans with it

===Download and Install the free version of Ad-Aware SE Personal 1.05 (http://download.com.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button)
Ensure you have this version or later
If you don't have this version, uninstall yours and install this one
After installation-CHECK FOR UPDATES
Download the updates
Don't run it yet but update it for now!

===Create a New folder on your desktop, Right click an empty spot on desktop--
Left click NEW>>>FOLDER>>Name the new folder Aboutbuster
Download and save to that new folder About:Buster (http://www.malwarebytes.biz/AboutBuster.zip)
by RubbeR Ducky
UNZIP it to that new folder
===Open it and Check for Updates
Download the updates
Don't run it yet, but update for now

===Know how to start in safe mode ahead of time, the link I supplied below will show you how, you may want to print out the rest of these instructions

===Set Windows to Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide extensions for Known File Types
    * Click Yes to confirm.
    * Click OK.


===Open Hijackthis>>Config>>Misc Tools>>Open Process Manager
Kill these processes if still running
C:\WINDOWS\system32\csmss.exe
C:\WINDOWS\System32\w?nlogon.exe


Kill the exact process names

===Do another scan with Hijackthis and put a check next to these entries

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=4345

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\oxovz.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

O4 - HKLM\..\Run: [cmssSystemProcess] c:\windows\system32\csmss.exe

O4 - HKCU\..\Run: [ncxpnt] C:\WINDOWS\System32\ncxpnt.exe
O4 - HKCU\..\Run: [Sooe] C:\Documents and Settings\Daniel\Application Data\heup.exe
O4 - HKCU\..\Run: [Bxks] C:\WINDOWS\System32\w?nlogon.exe

O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Corel Network monitor worker - {94A38FC1-920D-41EC-B9EC-04AF7B5CF733} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {94A38FC1-920D-41EC-B9EC-04AF7B5CF733} - (no file)

O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.130/e9xr2.chm::/file.exe


After you have put a tick beside the above entries
Close down ALL other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
Click YES to the prompt and Exit hijackthis

RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)

Find and delete these files and folders if they exist
c:\windows\system32\csmss.exe <--exact file name, don't delete anything looking similar
C:\WINDOWS\System32\w?nlogon.exe <--exact file name, don't delete anything looking similar
C:\WINDOWS\System32\ncxpnt.exe <--file
C:\Documents and Settings\Daniel\Application Data\heup.exe <--file

Stay in safe mode and Open About:Buster that you unzipped and updated earlier
Hit the Start button and Run a Scan with About:buster, let it run twice if prompted

Again in safe mode
Open Ad-Aware and Run a Full System Scan---ensure you updated beforehand
Remove ALL Critical Objects by right clicking in the Critical pane and selecting all objects
Restart your computer back into Normal Mode

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back a fresh hijackthis log afterwards and let me know how things are going...
Could you also post the About:buster logs, thanks
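As an added example (not code from this thread, HijackThis, About:Buster or Ad-Aware), here is a small Python checker that applies the rules guestolo is applying by hand to the HijackThis entries above: a search or start page served from a local DLL via res://, a leftover Start Page_bak value, a search provider on an untrusted host, an O4 Run entry whose executable name is one character away from a real Windows binary or contains a non-ASCII character, and an O16 DPF entry loaded through ms-its:/mhtml:. The sample lines are constructed after the ones quoted in the log; the character the forum rendered as "?" in w?nlogon.exe is unknown, so a dotless i stands in for it, the ms-its host is an RFC 5737 documentation address, and the trusted-host list is a simplification for the example.

```python
"""Checker for HijackThis log lines, written for this thread as an added
example; it is not part of HijackThis, About:Buster or Ad-Aware."""
import re
from urllib.parse import urlsplit

# Genuine Windows XP binaries that hijackers imitate by name. Fixed order so
# lookalike() is deterministic.
SYSTEM_BINARIES = (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "userinit.exe",
)
# Hosts accepted for IE search/start-page values (simplified for the example).
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")

# Constructed sample modelled on the thread's log. The forum showed the odd
# character in w?nlogon.exe as "?"; a dotless i (U+0131) stands in for it here,
# and the ms-its host is an RFC 5737 documentation address.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=4345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\oxovz.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O4 - HKLM\..\Run: [cmssSystemProcess] c:\windows\system32\csmss.exe
O4 - HKCU\..\Run: [Bxks] C:\WINDOWS\System32\wınlogon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://203.0.113.5/e9xr2.chm::/file.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/wuweb_site.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# Last path component ending in .exe (no backslash or quote inside it).
EXE_RE = re.compile(r'([^\\"]+\.exe)\b', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character imitations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str):
    """Return the system binary that `name` imitates, or None.

    A genuine system name gives None; a name one edit away from one
    (csmss.exe vs smss.exe, w?nlogon.exe vs winlogon.exe) gives that name.
    """
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    for real in SYSTEM_BINARIES:
        if edit_distance(name, real) == 1:
            return real
    return None


def check_entry(line: str) -> list:
    """Return the reasons (possibly none) an HJT line deserves a look."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if kind in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        value = value.strip()
        if value.lower().startswith("res://"):
            reasons.append("search/start page served from a local DLL (res://)")
        if "start page_bak" in key.lower():
            reasons.append("backup start-page value present (about:blank hijacker trait)")
        if "search" in key.lower() and value.lower().startswith("http"):
            host = urlsplit(value).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in TRUSTED_SEARCH_HOSTS):
                reasons.append(f"search provider points at untrusted host {host!r}")
    elif kind == "O4":
        _, _, rest = body.partition("] ")        # drop the [RunKeyName] part
        exe = EXE_RE.search(rest)
        if exe:
            name = exe.group(1)
            if any(ord(c) > 127 for c in name):
                reasons.append(f"non-ASCII character in executable name {name!r}")
            twin = lookalike(name)
            if twin:
                reasons.append(f"{name!r} imitates system file {twin!r}")
    elif kind == "O16":
        if re.search(r"\b(ms-its|mhtml):", body, re.IGNORECASE):
            reasons.append("DPF entry loads via ms-its:/mhtml: (MHTML redirect exploit)")
    return reasons


def scan_log(text: str) -> dict:
    """Map each flagged log line to the reasons it was flagged."""
    flagged = {}
    for line in text.splitlines():
        reasons = check_entry(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in scan_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```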
Title: about:blank trusted start page
Post by: Guest on November 14, 2004, 10:00:25 PM
Hello, guestolo
Still have the same problem
I followed all your steps exactly, except once I rebooted the computer in safe mode I was unable to find w?nlogon.exe and ncxpnt.exe. ncxpnt.dll existed however, should I delete that?

here is my new hijack this and aboutbuster logs.

hijackThis v1.98.2
Scan saved at 1:01:29 PM, on 15/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\csmss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cmssSystemProcess] c:\windows\system32\csmss.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099634730356
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Scanned at: 12:43:07 PM   on: 15/11/2004


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 17


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 17


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
Title: about:blank trusted start page
Post by: guestolo on November 14, 2004, 10:29:06 PM
Quote
ncxpnt.dll existed however, should i delete that?

Nope, that's a Microsoft file, leave it alone

Restart your computer into safe mode

Open Hijackthis>>Config>>Misc Tools>>Open Process Manager
Kill this process if still running
C:\WINDOWS\system32\csmss.exe

Stay in safe mode and look for these files and delete them if found

C:\WINDOWS\system32\csmss.exe <--file, remember, exact file name

C:\WINDOWS\system32\winacpi.dll <--file
C:\WINDOWS\system32\me.exe <--file

Stay in safe mode
Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

O4 - HKLM\..\Run: [cmssSystemProcess] c:\windows\system32\csmss.exe

O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)


Restart back into Normal Mode
I see you have done an Online Virus scan at Panda's
Can you also do one at RAV's

http://www.ravantivirus.com/scan/
When you access that link with Internet Explorer
click on the "To Continue without subscribing click here" link
It will load the activex and dat files

Ensure that all the top entries are checked
Autoclean--Inside Archives---Unpack Executables---Smart Scan
Then click the Scan my PC button
Let it completely finish scanning
Copy and Paste the results back here

I would also like to check for a hidden installer
Can you Download DLLCompare (http://download.broadbandmedic.com/DllCompare.exe)

Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long

Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button
Post back this log too

And post back a fresh hijackthis log, we'll get you clean, just want to make sure we see everything
Title: about:blank trusted start page
Post by: Guest on November 14, 2004, 11:26:44 PM
Hello,
I had a few problems.

1. csmss.exe was not running in the open process manager
2. winacpi.dll and me.exe were not there.
3. When I went to run DLLCompare it came up with this error message

C:\DLLCOM~1\locate.com
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and microsoft windows applications.

Here is the ravantivirus log and hijack this log.
Scan started at 15/11/2004 1:59:52 PM
 
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\ldr.exe - TrojanDropper:Win32/Small.MF -> Infected
C:\hooks.dll - Trojan:Win32/Small.BT -> Infected
C:\WINDOWS\system32\csmss.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\WINDOWS\system32\tksrv99.exe - TrojanDownloader:Win32/Esepor.Q -> Suspicious
C:\WINDOWS\system32\tmksrvu.exe - TrojanDownloader:Win32/Esepor.Y -> Infected
C:\WINDOWS\system32\a.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\WINDOWS\system32\mscdmss.dll - TrojanDownloader:Win32/Agent.CO -> Infected
C:\WINDOWS\system32\MegaZu.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\WINDOWS\Downloaded Program Files\rdgIN187.exe - Trojan:Win32/Dialer.AX -> Infected
C:\Documents and Settings\Daniel\Local Settings\Temp\aihc.dat->(UPXW)->(RARSfx)->ldr.exe - TrojanDropper:Win32/Small.MF -> Infected
C:\Documents and Settings\Daniel\Local Settings\Temp\aihc.dat->(UPXW)->(RARSfx)->dl11.exe - Tool:PornDialer.BP -> Infected
C:\Documents and Settings\Daniel\Local Settings\Temp\Temporary Internet Files\Content.IE5\SDUB0DQR\MegaZu[1].exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\Documents and Settings\Daniel\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst->Attachment.19: "EM.student-2040.EML.pif" - Win32/Sober.G@mm -> Infected
C:\Documents and Settings\Daniel\Local Settings\Application Data\Identities\{8B95040B-793D-4BF1-9DD9-F5412672429B}\Microsoft\Outlook Express\Inbox.dbx->Message.39: ( [Mail delivery failed (Nr.:8369)])->(part0002:EMstuden.pif) - Win32/Sober.G@mm -> Infected
C:\Documents and Settings\Daniel\My Documents\data\backup\backup-20041028-113439-252 - Exploit:HTML/MhtRedir.gen* -> Infected
C:\Documents and Settings\Daniel\My Documents\data\backup2\Copy of backup-20041028-113439-252 - Exploit:HTML/MhtRedir.gen* -> Infected
C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-238ada3c-37254322.zip->GetAccess.class - Trojan:Java/ClassLoader -> Infected
C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-238ada3c-37254322.zip->InsecureClassLoader.class - Java/Bytverify -> Infected
C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-238ada3c-37254322.zip->Installer.class - TrojanDownloader:Java/OpenConnection.F -> Infected
C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv106.jar-833cb5b-544ca98d.zip->Counter.class - Trojan:Java/ClassLoader -> Infected
C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv106.jar-833cb5b-544ca98d.zip->Matrix.class - TrojanDownloader:Java/OpenStream.C -> Infected
C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv106.jar-833cb5b-544ca98d.zip->Parser.class - Java/Bytverify -> Infected
C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dccb95f-7e82aeaf.zip->GetAccess.class - Trojan:Java/ClassLoader -> Infected
C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dccb95f-7e82aeaf.zip->InsecureClassLoader.class - Java/Bytverify -> Infected
C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dccb95f-7e82aeaf.zip->Installer.class - TrojanDownloader:Java/OpenConnection.F -> Infected
C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-ef6b10-6dfa2df5.zip->GetAccess.class - Trojan:Java/ClassLoader -> Infected
C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-ef6b10-6dfa2df5.zip->InsecureClassLoader.class - Java/Bytverify -> Infected
C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-ef6b10-6dfa2df5.zip->Installer.class - TrojanDownloader:Java/OpenConnection.F -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP178\A0038227.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP179\A0038240.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP180\A0038274.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP180\A0039274.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP180\A0039297.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP180\A0040296.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP181\A0041297.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP181\A0041309.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP181\A0041319.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP181\A0041332.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP181\A0042333.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP182\A0042345.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP183\A0042357.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP184\A0042387.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP184\A0042411.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP184\A0042433.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP184\A0042463.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP184\A0042477.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP184\A0042503.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP184\A0042515.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP184\A0042527.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP184\A0042554.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP184\A0042560.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP184\A0042601.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP185\A0042636.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP185\A0043635.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP185\A0043663.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP185\A0043694.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP185\A0043706.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP186\A0043718.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP186\A0043769.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP186\A0043783.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP187\A0043807.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP188\A0043823.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP188\A0043824.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP188\A0043848.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP189\A0043886.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP189\A0043898.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP189\A0043920.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP189\A0043937.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP189\A0043964.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP189\A0043998.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP189\A0044156.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP190\A0044169.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP190\A0044198.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP190\A0044244.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP190\A0044269.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP192\A0044565.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP192\A0044713.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP192\A0045713.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP192\A0045745.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP194\A0045965.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP194\A0045981.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP194\A0046015.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP194\A0046023.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP194\A0047015.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP195\A0047132.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP195\A0047191.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP195\A0047212.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP196\A0047380.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP196\A0047439.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP196\A0047469.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP196\A0047518.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP196\A0047537.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP196\A0047543.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP196\A0047573.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP196\A0047606.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP196\A0047641.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP196\A0047658.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP197\A0047664.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP197\A0047673.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP197\A0047685.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP197\A0047696.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP197\A0047735.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP197\A0047759.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP197\A0047768.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP197\A0047775.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP197\A0047784.exe - TrojanDownloader:Win32/Agent.CO.dam#2 -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP198\A0047802.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP198\A0047811.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP199\A0047929.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP199\A0047941.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP200\A0048929.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP200\A0048938.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP200\A0048947.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP200\A0048957.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP203\A0048996.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP203\A0049008.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP203\A0049019.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP203\A0049030.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP204\A0049045.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP204\A0049055.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP204\A0049070.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP204\A0049077.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP204\A0049086.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP204\A0049140.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP204\A0049353.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP204\A0049362.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP204\A0049366.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP204\A0049374.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP205\A0049389.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP206\A0049399.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0049415.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0049424.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0049433.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0049441.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0049445.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0049453.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0049472.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0049480.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0050469.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0050477.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0050490.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0050498.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0051490.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0051498.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0051506.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0051610.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP207\A0051618.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP208\A0051632.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP208\A0051640.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP209\A0051658.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP209\A0051668.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP209\A0051682.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP209\A0051690.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP209\A0052682.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP209\A0052694.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP209\A0052758.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP209\A0052767.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP210\A0052787.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP210\A0052795.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP210\A0052800.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP210\A0052809.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP210\A0052825.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP210\A0052833.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP212\A0052858.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP212\A0052878.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP212\A0052887.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP212\A0052899.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP212\A0052909.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP212\A0052919.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP212\A0052930.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP212\A0052947.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP213\A0052962.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP213\A0052973.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP213\A0052988.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP213\A0053002.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP213\A0053010.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053079.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053089.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053297.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053305.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053315.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053323.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053344.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053352.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053356.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053362.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053366.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053371.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053378.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053383.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053391.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053395.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053399.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053402.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053409.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053412.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053416.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053419.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053442.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053445.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053449.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053453.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053593.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053651.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053658.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053661.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP214\A0053665.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP215\A0053670.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP215\A0053674.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP215\A0053686.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP215\A0053690.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP215\A0053749.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP216\A0053765.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP216\A0053783.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP217\A0053795.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP217\A0053800.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP217\A0053813.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP217\A0053817.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP218\A0053821.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP219\A0053828.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP219\A0053829.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP219\A0053833.exe - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP219\A0053848.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP220\A0053857.exe - Tool:PornDialer.BP -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP220\A0053860.exe - Tool:PornDialer.BP -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP220\A0053874.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP220\A0053887.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP220\A0053899.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP221\A0053917.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP221\A0053922.exe - Tool:PornDialer.BP -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP221\A0053925.exe - TrojanDropper:Win32/Small.MF -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP221\A0053926.dll - Trojan:Win32/Small.BT -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP221\A0053936.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP221\A0053944.exe - Tool:PornDialer.BP -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP221\A0053960.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP221\A0053967.exe - TrojanDropper:Win32/ExeBundle.B -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP221\A0054015.EXE - Tool:PornDialer.BP -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP221\A0054026.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP223\A0054075.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP223\A0054091.exe - TrojanDropper:Win32/Small.MF -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP223\A0054092.dll - Trojan:Win32/Small.BT -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP223\A0054096.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP223\A0054103.exe - Tool:PornDialer.BP -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP235\A0054575.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP235\A0054722.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP235\A0054731.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP236\A0054741.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP236\A0054749.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP238\A0057997.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP238\A0058028.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP238\A0059036.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP239\A0059064.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP239\A0059080.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP239\A0059086.exe - Tool:PornDialer.BP -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP239\A0059124.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP239\A0059149.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP239\A0059202.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP240\A0059410.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP240\A0059419.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP241\A0059485.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP241\A0059529.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP241\A0059697.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP242\A0060696.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP242\A0061696.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP242\A0061706.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP243\A0062705.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP243\A0062781.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP243\A0062793.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP243\A0062949.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP244\A0062970.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP244\A0063037.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\System Volume Information\_restore{1D45C3CC-96F1-4561-815F-28C5E6DCDB62}\RP244\A0063041.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\Recycled\Dc1.exe->(EXEEmb) - TrojanDownloader:Win32/Agent.CO -> Infected
C:\HJT\hijackthis.log - Exploit:HTML/MhtRedir.gen* -> Infected
C:\HJT\backups\backup-20041115-120338-717 - Exploit:HTML/MhtRedir.gen* -> Infected

Scanned
============================
   Objects: 46492
   Directories: 2894
   Archives: 857
   Size(Kb): -741595
   Infected files: 274

Found
============================
   Viruses found: 14
   Suspicious files: 1
   Disinfected files: 0
   Mail files: 170

Logfile of HijackThis v1.98.2
Scan saved at 2:33:42 PM, on 15/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\csmss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cmssSystemProcess] c:\windows\system32\csmss.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099634730356
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
Title: about:blank trusted start page
Post by: guestolo on November 15, 2004, 12:26:47 AM
Well, we definitely have to make that Rav log smaller
Can you download and install Process Explorer (http://www.sysinternals.com/ntw2k/freeware/procexp.shtml)
by SysInternals--Place it in its own folder
This may help you identify that running process, I can see it in your log
Don't run it yet

Can you Open up your Control Panel
Double click on the Java Plugin
Click on the CACHE tab and clear the cache

Next: Enter your email client (Outlook and/or Outlook Express) and delete any mails that you know are untrustworthy
Don't open them up, some have attachments that are carrying viruses

Next: Could you download this tool that will help to remove files from your Temp folders and such--Install it
Windows CleanUp! (http://cleanup.stevengould.org/)
This is a great little tool
We will want to do a Standard Cleanup this time, but you can uncheck Prefetch folder in the future and just clean that folder once every couple of months
Don't run it yet

Now with the fixes
A lot of the identified trojans are in your System Restore folder; Anti-Virus software can't touch this folder
Please disable System Restore
Link will show you how---Reenable it after we are done with these fixes
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

After you have done that
Open Process Explorer that you downloaded earlier
Look for this process
csmss.exe
Left click to highlight it and use the Process button in the Menu bar and Kill the Process
If you see any other processes that are identified as malware, can you Kill those processes too.....

Next open Hijackthis>>Config>>Misc Tools>>Click the Delete file on Reboot
Copy and paste the bolded text to the File Name field

C:\WINDOWS\system32\csmss.exe
Click Open
Hijackthis will warn that this file will be deleted and to Restart your computer
DON'T Restart yet
Instead do the same with these files, one at a time, remember don't restart yet

C:\WINDOWS\system32\tksrv99.exe

C:\WINDOWS\system32\tmksrvu.exe

C:\WINDOWS\system32\a.exe

C:\WINDOWS\system32\mscdmss.dll

C:\WINDOWS\system32\MegaZu.exe

C:\WINDOWS\Downloaded Program Files\rdgIN187.exe

C:\ldr.exe

C:\hooks.dll


After you have done the above
Open Hijackthis and do another scan and put a tick next to this entry

O4 - HKLM\..\Run: [cmssSystemProcess] c:\windows\system32\csmss.exe

After you have checked the above entry, close All other open Windows, including this one
Leave Hijackthis open and click FIX CHECKED
Yes to the Prompt and exit hijackthis

Restart your computer into Safe mode

Once in safe mode
Open up Cleanup>>>Leave the Standard cleanup in the Options menu
Click the CleanUp! button
Let it scan and remove files>>>It will prompt you once it's done that it needs to Restart your computer

Restart back into Normal Mode and Reenable System Restore

Can you run another scan at RAV's and post the log again, it should be a lot shorter this time

Let's try an alternate method than DLLCompare
Download and install Registrar Lite.
A great little registry editor, you should hang on to this
http://www.resplendence.com/reglite
Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Could you also post back a Fresh hijackthis log, thanks

Seems like a lot to do, but most of the tools I'm asking you to download are yours to keep, for free :)
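The csmss.exe entry guestolo singles out above is a look-alike of the legitimate smss.exe and csrss.exe, and that is the kind of thing a scripted check catches faster than eyeballing a log. The Python below is an added example for this thread, not code from HijackThis, Process Explorer or anyone in the discussion: it walks the "Running processes" block and the O4 Run lines of a HijackThis-style log and flags names one edit away from a core Windows process, names with unusual characters, and core process names running from the wrong directory. The embedded sample log is constructed (csmss.exe is the entry from this thread; the other suspicious lines are made up), and the expected-directory table assumes a default Windows XP layout.

```python
"""Triage a HijackThis-style log for look-alike system process names.

Added example for this thread, not code from HijackThis or Process Explorer.
SAMPLE_LOG below is constructed: csmss.exe is the entry discussed in the
thread; the other odd entries are made up to exercise each check.
"""
import re

# Core Windows XP processes and the directory each should run from
# (assumed default-install layout; adjust for other Windows versions).
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "alg.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and an
    adjacent swap each cost 1, so 'scvhost' is one edit from 'svchost' and
    'csmss' is one edit from both 'smss' and 'csrss'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_path(path):
    """Lower-case a Windows path and split it into (directory, file name)."""
    path = path.strip().strip('"').lower()
    directory, _, name = path.rpartition("\\")
    return directory, name


def check_process(path):
    """Return the findings for one executable path (empty list = nothing odd)."""
    directory, name = split_path(path)
    findings = []
    # A character outside the normal set (e.g. a look-alike glyph for 'i') is a red flag.
    if not re.fullmatch(r"[a-z0-9_.~-]+", name):
        findings.append(f"{name}: unusual character in file name")
    if name in EXPECTED_DIR:
        if directory != EXPECTED_DIR[name]:
            findings.append(f"{name}: expected in {EXPECTED_DIR[name]}, found in {directory}")
        return findings
    for known in EXPECTED_DIR:
        if osa_distance(name, known) == 1:
            findings.append(f"{name}: one edit away from system process {known}")
    return findings


def triage_log(text):
    """Scan the 'Running processes:' block and the O4 Run entries; return
    {path as written in the log: [findings]} for every suspicious entry."""
    results = {}
    in_process_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_process_list = True
            continue
        if not line:
            in_process_list = False
            continue
        if in_process_list:
            path = line
        elif line.startswith("O4 - "):
            # Form: O4 - HKLM\..\Run: [entry name] "C:\path\file.exe" -args
            match = re.search(r"\]\s*(\"[^\"]+\"|\S+)", line)
            if not match:
                continue
            path = match.group(1)
        else:
            continue
        findings = check_process(path)
        if findings:
            results[path] = findings
    return results


# Constructed sample, not a log from the thread: legitimate entries mixed
# with csmss.exe (seen in the thread) and two made-up suspicious entries.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\csmss.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\w?nlogon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cmssSystemProcess] c:\windows\system32\csmss.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for path, findings in triage_log(SAMPLE_LOG).items():
        print(path, *findings, sep="\n    ")
```

The edit-distance threshold of exactly one is deliberate: it catches the dropped, swapped or substituted single character that these look-alike names rely on while leaving genuinely different names (qttask.exe, iexplore.exe) alone. Any hit still needs a human to confirm, for instance with Process Explorer as described above.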
Title: about:blank trusted start page
Post by: Guest on November 15, 2004, 02:03:17 AM
Hello,
Still have the Hijacked webpage,
Thanks for sticking with me though; your help is much appreciated.
Have done everything you said except when I used reglite there was no AppInit_DLLs in the right panel

Here is my RAV scan and HijackThis log. "Looking much better :D"

Scan started at 15/11/2004 4:27:22 PM
 
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\Daniel\Local Settings\Application Data\Identities\{8B95040B-793D-4BF1-9DD9-F5412672429B}\Microsoft\Outlook Express\Inbox.dbx->Message.39: ( [Mail delivery failed (Nr.:8369)])->(part0002:EMstuden.pif) - Win32/Sober.G@mm -> Infected
C:\Documents and Settings\Daniel\My Documents\data\backup\backup-20041028-113439-252 - Exploit:HTML/MhtRedir.gen* -> Infected
C:\Documents and Settings\Daniel\My Documents\data\backup2\Copy of backup-20041028-113439-252 - Exploit:HTML/MhtRedir.gen* -> Infected
C:\HJT\backups\backup-20041115-120338-717 - Exploit:HTML/MhtRedir.gen* -> Infected

Scanned
============================
   Objects: 32767
   Directories: 2506
   Archives: 815
   Size(Kb): -618816
   Infected files: 4

Found
============================
   Viruses found: 2
   Suspicious files: 0
   Disinfected files: 0
   Mail files: 160

Logfile of HijackThis v1.98.2
Scan saved at 5:09:43 PM, on 15/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\HJT\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099634730356
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
Title: about:blank trusted start page
Post by: guestolo on November 15, 2004, 02:35:08 AM
Some of the files identified by Rav are in your Hijackthis backups folder
You look like you tried some fixes before

You can delete these backups made by hijackthis
C:\HJT\backups\backup-20041115-120338-717 <--this backup

C:\Documents and Settings\Daniel\My Documents\data\backup\backup-20041028-113439-252 <--this backup
C:\Documents and Settings\Daniel\My Documents\data\backup2\Copy of backup-20041028-113439-252 <--this backup

You still have an infected file in your Outlook Express Inbox
Make sure you remove it

What fixes did you try before you posted here?

Let's try this==I think you may have tried this already, but let's make sure
Download and save to desktop this Removal Tool (http://securityresponse.symantec.com/avcenter/FxAgentB.exe) developed by Symantec

Don't run it yet

Second---Download and save to desktop CWShredder (https://ssl.perfora.net/tools.radiosplace.com/CWShredder.exe)
Don't run it yet

Double-click the FxAgentB removal tool by Symantec to run it.
The program will scan your entire hard drive - this may take a while. When it is done, it will generate a log file called FxAgentB.log - save that information as you will need to paste it here later.
RESTART your computer when Done

==Double click to Run to open CWShredder, Let it FIX all problems
RESTART your computer again

==Do another Full System Scan with Ad-Aware and restart your computer after you have removed all critical objects

Access Internet Options via ControlPanel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
Post back here a Fresh hijackthis log ===and the FxAgentB.log

I probably won't see the results till tomorrow, but keep me informed
I'm curious about what fixes you have already tried; you should have found an
AppInit_DLLs in the right panel

Can you let me know what version of Windows XP you're running
Home or PRO
If you're not sure>>Go to START>>RUN>>type in winver and hit Enter

Could you also let me know how your disk is formatted
NTFS or FAT32
Double click "MyComputer"
right click on the C:\Drive
Left click properties
It will be labelled under the File system

Could you also open up Hijackthis>>Config>>Misc Tools>>Open Hosts File Manager
Click the "Open in Notepad"
Copy and paste the Whole contents of that Hosts Notepad file back here
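The hosts file guestolo asks for above is worth checking mechanically: a common trick of this period was to map antivirus and update sites to 127.0.0.1 so the machine could no longer fetch signatures or removal tools. The Python below is an added example for this thread, not part of HijackThis or its Hosts File Manager. It parses hosts-file text, skips the legitimate localhost lines, and reports any security-vendor domain that has been overridden (sinkholed to a loopback or unspecified address, or redirected elsewhere) as well as any other non-localhost name pointed at loopback. The sample hosts content is constructed to resemble a hijacked file, and the vendor suffix list is an assumption to be extended for your own environment.

```python
"""Audit a Windows hosts file for entries that block security-vendor sites.

Added example for this thread; not code from HijackThis or its Hosts File
Manager. SAMPLE_HOSTS is constructed, and VENDOR_SUFFIXES is an assumed
starting list, not an authoritative one.
"""
import ipaddress

# Domains whose override in the hosts file usually means update/scan blocking.
VENDOR_SUFFIXES = (
    "kaspersky-labs.com", "kaspersky.com", "viruslist.com",
    "networkassociates.com", "nai.com", "mcafee.com", "symantec.com",
    "sophos.com", "trendmicro.com", "microsoft.com", "windowsupdate.com",
)
# Names that legitimately map to loopback in a default hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

VENDOR_SINKHOLED = "security vendor sinkholed"
VENDOR_OVERRIDDEN = "security vendor redirected to another host"
LOOPBACK_OTHER = "non-localhost name mapped to loopback/unspecified"


def is_sinkhole(ip_text):
    """True when the address can never reach the real site (127/8, 0.0.0.0, ::1)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def is_vendor(host):
    """Exact or subdomain match against the vendor suffix list."""
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)


def parse_hosts(text):
    """Yield (ip, hostname) pairs, hostnames lower-cased; comments and blanks skipped.
    One line may carry several hostnames after the address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:
            yield fields[0], host.lower()


def audit_hosts(text):
    """Return [(hostname, ip, reason)] for every entry a defender should review."""
    findings = []
    for ip, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        if is_vendor(host):
            reason = VENDOR_SINKHOLED if is_sinkhole(ip) else VENDOR_OVERRIDDEN
            findings.append((host, ip, reason))
        elif is_sinkhole(ip):
            findings.append((host, ip, LOOPBACK_OTHER))
    return findings


# Constructed sample: a normal localhost line, several hijack-style entries,
# one vendor redirect, one ad-block style entry and one benign local override.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1   www.viruslist.com
127.0.0.1   downloads1.kaspersky-labs.com
0.0.0.0     secure.nai.com
192.0.2.10  update.symantec.com     # redirected, not sinkholed
127.0.0.1   ads.example.net         # ad-block style entry, worth a look
10.0.0.5    intranet.example        # legitimate local override
"""

if __name__ == "__main__":
    for host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:<12} {host:<32} {reason}")
```

On Windows XP the file read here lives at C:\WINDOWS\system32\drivers\etc\hosts; paste its contents into `audit_hosts` or read the file and pass the text. Entries tagged as a vendor redirect to a routable address deserve the closest look, since they can serve a fake update site rather than simply blocking the real one.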
Title: about:blank trusted start page
Post by: guestolo on November 15, 2004, 02:50:26 AM
I want you to try another thing after you have done the above
this is a new tool to help identify the culprit
Also, one of your entries in your hijackthis log that looks legit, is actually bad

We'll see what your log looks like after you have done the above in my other response

Download reglook.zip from the link I supplied. Unzip it to its own folder and doubleclick on the runme.bat file inside. Let it run then post the log it produces in your next reply to this thread.

Reglook.zip (http://forums.techguy.org/attachment.php?attachmentid=43107)
Title: about:blank trusted start page
Post by: Guest on November 15, 2004, 06:34:20 PM
Here are the few logs you requested; I am using XP Pro,
FAT32. Had a few problems.
When I updated and ran Ad-aware, I got a msg that said system shutdown in 60s
authorised by c:\windows\system32\services.exe
Went to some forums and they said it has something to do with a file called prmtec.exe

All I had done previously was run HijackThis and remove files which I thought looked suspicious. I also removed a folder called spe in C drive that was running scripts that changed my home page.

Sorry! You must be getting really pissed off!


Logfile of HijackThis v1.98.2
Scan saved at 2:33:42 PM, on 15/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\csmss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cmssSystemProcess] c:\windows\system32\csmss.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099634730356 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099634730356\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
 


Symantec Backdoor.Agent.B Removal Tool 1.0.1.2


Backdoor.Agent.B has not been found on your computer.


127.0.0.1   www.viruslist.com
127.0.0.1   viruslist.com
127.0.0.1   networkassociates.com
127.0.0.1   secure.nai.com
127.0.0.1   downloads1.kaspersky-labs.com
127.0.0.1   downloads2.kaspersky-labs.com
127.0.0.1   downloads3.kaspersky-labs.com
127.0.0.1   downloads4.kaspersky-labs.com
127.0.0.1   downloads-us1.kaspersky-labs.com
127.0.0.1   downloads-eu1.kaspersky-labs.com
127.0.0.1   kaspersky-labs.com
127.0.0.1   www.networkassociates.com
127.0.0.1   us.mcafee.com
127.0.0.1   f-secure.com
127.0.0.1   avp.com
127.0.0.1   www.sophos.com
127.0.0.1   sophos.com
127.0.0.1   www.ca.com
127.0.0.1   ca.com
127.0.0.1   mast.mcafee.com
127.0.0.1   my-etrust.com
127.0.0.1   www.kaspersky.com
127.0.0.1   www.f-secure.com
127.0.0.1   dispatch.mcafee.com
127.0.0.1   nai.com
127.0.0.1   www.nai.com
127.0.0.1   rads.mcafee.com
127.0.0.1   trendmicro.com
127.0.0.1   liveupdate.symantecliveupdate.com
127.0.0.1   www.mcafee.com
127.0.0.1   mcafee.com
127.0.0.1   viruslist.com
127.0.0.1   www.my-etrust.com
127.0.0.1   download.mcafee.com
127.0.0.1   kaspersky.com
127.0.0.1   www.trendmicro.com


A reg_look by IMM
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(key has 0 subkeys and 6 value entries - last modified 06:00(UTC) 11/09/2004)
[AppInit_DLLs] = not present!
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(key has 5 subkeys and 31 value entries - last modified 22:50(UTC) 15/11/2004)
[Userinit] = "Userinit.exe,TGBRFV_"  (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
(key has 0 subkeys and 5 value entries - last modified 11:41(UTC) 24/10/2001)
[Shell] = "SYS:Microsoft\Windows NT\CurrentVersion\Winlogon"  (REG_SZ)
----------------------------------------
Title: about:blank trusted start page
Post by: guestolo on November 15, 2004, 08:00:45 PM
On to the next set of instructions :D

Download this small utility called Pocket Killbox (http://www.downloads.subratam.org/KillBox.zip)
by Option^Explicit
Extract it to the desktop or a convenient folder for easy access

Open up Process Viewer and kill this process again
csmss.exe

Run Killbox
Individually copy and paste the 5 bolded lines below into the 'Full Path of File to Delete' box
Select delete on reboot and end explorer shell before deleting
On any .dll file tick unregister dll before deleting
Then press the red X button, when it says reboot now, say NO and continue to paste the lines in turn and follow the above procedure every time, DO NOT let it reboot yet

C:\WINDOWS\System32\TGBRFV_.exe

C:\WINDOWS\System32\TGBRFV_5.dll

C:\WINDOWS\System32\TGBRFV_.dll

C:\WINDOWS\System32\TGBRFV_5.exe

C:\WINDOWS\system32\csmss.exe


Remember, don't let it reboot yet

Open up Windows CleanUp! and click the Cleanup button
Again don't restart the computer yet

Next, open up Hijackthis and put a tick next to these entries

F2 - REG:system.ini: UserInit=Userinit.exe,

O4 - HKLM\..\Run: [cmssSystemProcess] c:\windows\system32\csmss.exe


After you ticked the above items, close down ALL other windows, including this one
Leave Hijackthis open and click FIX CHECKED
Exit hijackthis
RESTART your computer

Once back in windows
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab--- Reset home page


Your Hosts file should look something like this:
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

Open Hijackthis>>Config>>Misc Tools>>Open Hosts File Manager
Any line BELOW 127.0.0.1 localhost
Left click to highlight and then use the Delete line(s) button to remove

After you have done that
Can you post back a fresh hijackthis log
and go back and click the "Open in Notepad" button in Host file manager
to copy and paste the whole host file notepad entries
back here
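The two persistence tricks this cleanup targets, an extra program chained onto the Winlogon Userinit value ("Userinit.exe,TGBRFV_" in the reg_look dump above) and a Run-key entry named after a core Windows process (csmss.exe, one letter off smss.exe / csrss.exe), can be spotted automatically. The following is an added example, not a tool from this thread; it parses the value and the O4 lines as HijackThis and reg_look print them, with the sample input constructed from the entries posted above.

```python
"""Two checks for the persistence tricks visible in the logs above (an added
example, not a tool from the thread): extra programs chained onto the Winlogon
Userinit value, and Run-key executables whose names mimic core Windows
processes (csmss.exe beside the genuine smss.exe / csrss.exe)."""
import re

# Core Windows processes whose names malware commonly imitates.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

def edit_distance(a, b):
    """Levenshtein distance; 1 means a one-character lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def userinit_extras(value):
    """Userinit is a comma-separated list and only userinit.exe belongs in it;
    return every other entry (the reg_look dump above showed 'TGBRFV_')."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
            extras.append(entry)
    return extras

def run_entry_exe(line):
    """Return (entry name, executable filename) for a HijackThis O4 line."""
    m = re.match(r"^O4 - .*?\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$", line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    # A quoted path may contain spaces; an unquoted one ends at the first space.
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return m.group("name"), path.rsplit("\\", 1)[-1].lower()

def lookalike_run_entries(hjt_lines):
    """Return (entry name, filename, imitated process) for each O4 entry whose
    executable name is one edit away from a core process name."""
    hits = []
    for line in hjt_lines:
        parsed = run_entry_exe(line)
        if parsed is None or parsed[1] in CORE_PROCESSES:
            continue
        name, exe = parsed
        for core in sorted(CORE_PROCESSES):
            if edit_distance(exe, core) == 1:
                hits.append((name, exe, core))
                break
    return hits

# Constructed sample input, copied from the entries posted in this thread.
USERINIT_VALUE = "Userinit.exe,TGBRFV_"
HJT_O4_LINES = [
    'O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime',
    "O4 - HKLM\\..\\Run: [cmssSystemProcess] c:\\windows\\system32\\csmss.exe",
    "O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe",
]
```

A clean machine gives an empty list from both checks; anything returned is a candidate for exactly the Killbox/HijackThis steps above, after confirming the file is not a legitimate program.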
Title: about:blank trusted start page
Post by: Guest on November 15, 2004, 08:55:44 PM
Wow! Don't believe it, didn't redirect to trusted start page. :D

Here are my host files and new HijackThis log. I don't understand what you want me to delete from these host files. When I open HijackThis, the host files look exactly as is below:

127.0.0.1   www.viruslist.com
127.0.0.1   viruslist.com
127.0.0.1   networkassociates.com
127.0.0.1   secure.nai.com
127.0.0.1   downloads1.kaspersky-labs.com
127.0.0.1   downloads2.kaspersky-labs.com
127.0.0.1   downloads3.kaspersky-labs.com
127.0.0.1   downloads4.kaspersky-labs.com
127.0.0.1   downloads-us1.kaspersky-labs.com
127.0.0.1   downloads-eu1.kaspersky-labs.com
127.0.0.1   kaspersky-labs.com
127.0.0.1   www.networkassociates.com
127.0.0.1   us.mcafee.com
127.0.0.1   f-secure.com
127.0.0.1   avp.com
127.0.0.1   www.sophos.com
127.0.0.1   sophos.com
127.0.0.1   www.ca.com
127.0.0.1   ca.com
127.0.0.1   mast.mcafee.com
127.0.0.1   my-etrust.com
127.0.0.1   www.kaspersky.com
127.0.0.1   www.f-secure.com
127.0.0.1   dispatch.mcafee.com
127.0.0.1   nai.com
127.0.0.1   www.nai.com
127.0.0.1   rads.mcafee.com
127.0.0.1   trendmicro.com
127.0.0.1   liveupdate.symantecliveupdate.com
127.0.0.1   www.mcafee.com
127.0.0.1   mcafee.com

Logfile of HijackThis v1.98.2
Scan saved at 12:01:24 PM, on 16/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\HJT\hijackthis.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.optusnet.com.au/ (http://\"http://dsl.optusnet.com.au/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/ (http://\"http://dsl.optusnet.com.au/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099634730356 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099634730356\")
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab (http://\"http://www3.ca.com/securityadvisor/virusinfo/webscan.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
Title: about:blank trusted start page
Post by: guestolo on November 15, 2004, 09:15:30 PM
Well that's looking a lot better, except for your hosts file ;)

Let's make sure that we get some Preventive tools on your computer to help Eliminate this from happening in the future

But first, let's set your hosts file back to Windows default
One more tool will be needed to ensure that we do
A trojan or virus has rewritten your hosts file so that you can't directly access the sites
that have these in it
127.0.0.1 www.sophos.com <--eg....

You want to leave this entry
127.0.0.1 localhost
but nothing below it unless it was redirecting a Nasty site
The ones you have, are legitimate sites

Can you download and UNZIP to its own folder
Hoster by Toadbee (http://members.aol.com/toadbee/hoster.zip)

Open up Hoster
Ensure that the hosts file is marked as Writeable
button on the top right
Then click the "Restore Original Hosts"

After you have done that
Install these 2 apps., they add extra security while
silently protecting you, without running in the background

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link==Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
Scroll down and click on IE-SPYAD.EXE Free!

With both, Check for updates every couple of weeks
IE-Spyad works with Windows XP SP2 also, I use it on this machine

Once you have done the above
Can you post back one last hijackthis log
Also Open Hijackthis>>Config>>Misc Tools>>Open Hosts File Manager
Click the "Open in Notepad" button
Copy and paste the Whole notepad file back here
I recommend using the Edit button on the Menu bar and Select All before right clicking and copying the host file back here

Later, if you would like to add a custom hosts file to add additional protection, let me know, I'll walk you through it
Let me know if you also need a hand with IE-Spyad too
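The rule given above (keep 127.0.0.1 localhost, treat everything below it that points a real site at the local machine as suspect) can be applied to the file rather than eyeballed. This is an added example, not part of the thread or any tool named in it; the sample hosts file is constructed from a few of the entries posted above.

```python
"""Audit a Windows hosts file the way the helper above does by hand: keep the
loopback -> localhost line and flag every other name that is pointed at the
local machine, the trick used here to block antivirus update sites.
Added example, not part of the forum thread."""
import ipaddress

# Names that legitimately map to loopback in a default Windows hosts file.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, [hostnames], line_no) for each non-comment entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments, even trailing ones
        if not line:
            continue
        ip, *names = line.split()
        if names:
            yield ip, [n.lower() for n in names], no

def find_sinkholed(text):
    """Return [(line_no, hostname, ip)] for names redirected to a loopback or
    0.0.0.0 address that are not the standard localhost aliases."""
    hits = []
    for ip, names, no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:          # malformed address: not a sinkhole entry
            continue
        if addr.is_loopback or addr.is_unspecified:
            for name in names:
                if name not in BENIGN_LOOPBACK_NAMES:
                    hits.append((no, name, ip))
    return hits

def clean_hosts(text):
    """Return the file with every flagged line removed; comments are kept."""
    bad = {no for no, _, _ in find_sinkholed(text)}
    return "\n".join(line for i, line in enumerate(text.splitlines(), 1)
                     if i not in bad)

# Constructed sample built from a few of the entries posted in this thread.
SAMPLE = """# sample HOSTS file
127.0.0.1 localhost
127.0.0.1   www.sophos.com
127.0.0.1   liveupdate.symantecliveupdate.com   # blocks LiveUpdate
0.0.0.0     downloads1.kaspersky-labs.com
192.168.1.10 printer.lan
"""

if __name__ == "__main__":
    for no, name, ip in find_sinkholed(SAMPLE):
        print(f"line {no}: {name} -> {ip}")
```

Every flagged line here is one of the security-vendor sites the helper says are legitimate, so clean_hosts drops them all; if a deliberate blocklist such as the custom hosts file mentioned later in the thread is in use, its names would instead be whitelisted before cleaning.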
Title: about:blank trusted start page
Post by: Guest_Nick on November 16, 2004, 04:11:12 AM
Wow thank you so much, I really appreciate that you took time to help me
I finally have a computer free from all that crap :D
Is there any point in me downloading Mozilla, or will IE-Spyad do the job?

Thanks again
Nick

Here is the HijackThis and open processes log as requested.

Logfile of HijackThis v1.98.2
Scan saved at 7:18:25 PM, on 16/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.optusnet.com.au/ (http://\"http://dsl.optusnet.com.au/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/ (http://\"http://dsl.optusnet.com.au/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099634730356 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099634730356\")
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab (http://\"http://www3.ca.com/securityadvisor/virusinfo/webscan.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost
Title: about:blank trusted start page
Post by: guestolo on November 16, 2004, 09:18:29 PM
Looking good Nick
I recommend that if everything is running better, this would be a good time to Clear your System Restore Points, you don't need to take the chance to restore a nasty
Simply Disable System Restore---Restart your computer---Enable System Restore
Link will show you how
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

After you have done the above

IE-Spyad combined with SpywareBlaster will give you great added protection
Remember to keep the link to IE-Spyad bookmarked so you can update when there is one

If you would like to add a great Custom Host File to help prevent malware from entering your computer
Check out this link
http://www.mvps.org/winhelp2002/hosts.htm
Simply download hosts.zip file to desktop and Unzip it to your
C:\WINDOWS\SYSTEM32\DRIVERS\ETC folder
Allow it to overwrite when prompted

I like using Mozilla Firefox, it's a more secure browser and has some additional features
Check it out
http://www.mozilla.org/products/firefox/
If you decide to install it make sure you install the flash and shockwave plugins
for Mozilla browser