TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Guest_Jim on January 03, 2005, 08:30:58 PM

Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: Guest_Jim on January 03, 2005, 08:30:58 PM: I can't keep spyware of my computer using ad-aware, spybot S&D, or spyware doctor, even while in safemode with system restore turned off. They can be removed but come back after reboot.

I have a trojan guard that detects SED.exe and removes it, but it comes back as well. Similar case with xwlxxw.exe and calsp.dll.

CWshedder and hijackthis crash so i had to use a older version of hijackthis.
Here are some of my logs:

Logfile of HijackThis v1.98.2
Scan saved at 6:00:49 PM, on 1/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\qrvqqr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\james sosby\Desktop\HijackThis.exe
C:\Documents and Settings\james sosby\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
;<local>
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.com"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: earch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.hudoig.gov/iNotes.cab (http://\"https://webmail.hudoig.gov/iNotes.cab\")
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.hudoig.gov/iNotes6.cab (http://\"https://webmail.hudoig.gov/iNotes6.cab\")
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

01/03/2005 05:31 PM 222,991 lv6409jqe.dll
01/03/2005 05:24 PM 224,867 r6p8lg7u16.dll
01/03/2005 06:10 AM 222,848 m082lalo1dqc.dll
01/03/2005 05:59 AM 225,714 g4lm0e31eh.dll
01/03/2005 04:59 AM 225,177 k0080adued080.dll
01/28/2004 11:17 PM <DIR> Microsoft
01/28/2004 09:30 PM <DIR> dllcache
5 File(s) 1,121,597 bytes
2 Dir(s) 3,108,782,080 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/06/2004 09:15 AM 4,212 zllictbl.dat
01/28/2004 10:03 PM 488 logonui.exe.manifest
01/28/2004 10:03 PM 488 WindowsLogon.manifest
01/28/2004 10:03 PM 749 wuaucpl.cpl.manifest
01/28/2004 10:03 PM 749 cdplayer.exe.manifest
01/28/2004 10:03 PM 749 sapi.cpl.manifest
01/28/2004 10:03 PM 749 nwc.cpl.manifest
01/28/2004 10:03 PM 749 ncpa.cpl.manifest
01/28/2004 09:30 PM <DIR> dllcache
8 File(s) 8,933 bytes
1 Dir(s) 3,108,782,080 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

01/03/2005 06:01 PM 224,867 guard.tmp
1 File(s) 224,867 bytes
0 Dir(s) 3,108,782,080 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

01/03/2005 06:01 PM 224,867 guard.tmp
08/23/2001 12:00 PM 2,577 CONFIG.TMP
2 File(s) 227,444 bytes
0 Dir(s) 3,108,782,080 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3A171278-78A9-44E8-84BC-B0A3289C0D08}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r6p8lg7u16.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

-------------- Locate.com Results ---------------

C:\WINDOWS\System32\LV6409~1.DLL +++ File read error

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
g4lm0e~1.dll Mon Jan 3 2005 5:59:58a ..S.R 225,714 220.42 K
lv6409~1.dll Mon Jan 3 2005 5:31:26p ..S.R 222,991 217.76 K
k0080a~1.dll Mon Jan 3 2005 4:59:16a ..S.R 225,177 219.90 K
r6p8lg~1.dll Mon Jan 3 2005 5:24:24p ..S.R 224,867 219.59 K
m082la~1.dll Mon Jan 3 2005 6:10:52a ..S.R 222,848 217.63 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,121,597 bytes 1.07 M

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
Explorer
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{3A171278-78A9-44E8-84BC-B0A3289C0D08}

Please help, this totally sucks

Thanks in advance,
Jim
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 03, 2005, 09:24:28 PM: Let's try this, I want to make sure I'm seeing everything

Can you Download DLLCompare (http://\"http://downloads.subratam.org/DllCompare.exe\")

Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process.This will take a bit longer.

When it's done click the Make a log of what was found button and post it back here

Download this version of Findit.zip (http://\"http://forums.tomcoyote.org/index.php?act=Attach&type=post&id=112186\")

Unzip its contents to its own folder
Open the folder and double click on Find.bat (File with a gear symbol)
Ignore any File not found messages
It runs for a minute, and produces a log
Please copy and paste the log on your next response.

Could you also download Runkey.zip (http://\"http://forums.techguy.org/attachment.php?attachmentid=45168&stc=1\")

Unzip it and then doubleclick on RunKey2.bat. It will produce a All.txt file. Please copy and paste that here.

Could you search in your
system32folder for *.dat
Simply use XP's search feature and add *.dat to the All or part of the file name
Use the Browse selection and navigate to C:\WINDOWS\system32 folder and select it

When you get the list, find one recently created. Right click on it, open in Notepad and look for this in the first line of the file:
This program cannot be run in DOS mode.
Post back the name of the file if you find it

One last request
Could you please update your version of Hijackthis to 1.99
Open Hijackthis>>Config>>Misc Tools>>Check for Updates online
If for some reason it won't update
Redownload Hijackthis from
This Link--CLICK HERE (http://\"https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe\") or This Link--CLICK HERE (http://\"http://aumha.org/downloads/hijackthis.exe\")
Please try and save Hijackthis to a permanent folder, somewhere other than your desktop
You can right click an empty spot in MyDocuments and select NEW>>FOLDER
Name it and save Hijackthis.exe to there

Post back with a log from Hijackthis 1.99

Once you've updated to 1.99
Could you also post back a startup list from Hijackthis
Simply open Hijackthis>>Click open Misc Tools Section
Put a check in "List all minor sections (full)"
Generate a startup list and post it back here
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 03, 2005, 09:42:40 PM: Hi again Jim, once you've posted all those logs
Can you ensure that you don't restart your computer until we have tried some fixes

This nasty may take a couple shots at ridding you of it, but we'll get it
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: jim4299 on January 03, 2005, 09:52:26 PM: Ok, I did everything except for 1 task: run hijackthis 1.99 to generate a log. It crashed everytime i tried to (tried a million times, even in safe mode).

There was only one .dat modified since the problem, it is called gbwggb.dat.

Here is a list of the logs in the order requested:

CompareDLL:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\g4lm0e~1.dll Mon Jan 3 2005 5:59:58a ..S.R 225,714 220.42 K
C:\WINDOWS\SYSTEM32\lv6409~1.dll Mon Jan 3 2005 5:31:26p ..S.R 222,991 217.76 K
C:\WINDOWS\SYSTEM32\hr4u05~1.dll Mon Jan 3 2005 6:01:10p ..S.R 224,867 219.59 K
C:\WINDOWS\SYSTEM32\k0080a~1.dll Mon Jan 3 2005 4:59:16a ..S.R 225,177 219.90 K
C:\WINDOWS\SYSTEM32\m082la~1.dll Mon Jan 3 2005 6:10:52a ..S.R 222,848 217.63 K
________________________________________________

1,278 items found: 1,278 files (5 H/S), 0 directories.
Total of file sizes: 260,314,012 bytes 248.25 M

Administrator Account = True

--------------------End log---------------------

FINDIT

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

01/03/2005 06:01 PM 224,867 hr4u05h9e.dll
01/03/2005 05:31 PM 222,991 lv6409jqe.dll
01/03/2005 06:10 AM 222,848 m082lalo1dqc.dll
01/03/2005 05:59 AM 225,714 g4lm0e31eh.dll
01/03/2005 04:59 AM 225,177 k0080adued080.dll
01/28/2004 11:17 PM <DIR> Microsoft
01/28/2004 09:30 PM <DIR> dllcache
5 File(s) 1,121,597 bytes
2 Dir(s) 3,106,258,944 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/06/2004 09:15 AM 4,212 zllictbl.dat
01/28/2004 10:03 PM 488 logonui.exe.manifest
01/28/2004 10:03 PM 488 WindowsLogon.manifest
01/28/2004 10:03 PM 749 wuaucpl.cpl.manifest
01/28/2004 10:03 PM 749 cdplayer.exe.manifest
01/28/2004 10:03 PM 749 sapi.cpl.manifest
01/28/2004 10:03 PM 749 nwc.cpl.manifest
01/28/2004 10:03 PM 749 ncpa.cpl.manifest
01/28/2004 09:30 PM <DIR> dllcache
8 File(s) 8,933 bytes
1 Dir(s) 3,106,250,752 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/23/2001 12:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 3,106,234,368 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3A171278-78A9-44E8-84BC-B0A3289C0D08}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv6409jqe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

C:\WINDOWS\System32\LV6409~1.DLL +++ File read error

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
g4lm0e~1.dll Mon Jan 3 2005 5:59:58a ..S.R 225,714 220.42 K
lv6409~1.dll Mon Jan 3 2005 5:31:26p ..S.R 222,991 217.76 K
hr4u05~1.dll Mon Jan 3 2005 6:01:10p ..S.R 224,867 219.59 K
k0080a~1.dll Mon Jan 3 2005 4:59:16a ..S.R 225,177 219.90 K
m082la~1.dll Mon Jan 3 2005 6:10:52a ..S.R 222,848 217.63 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,121,597 bytes 1.07 M

RUNKEY2 - All.txt

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Narrator"="C:\\WINDOWS\\system32\\qrvqqr.exe"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu]
@="{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido]
@="{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\stmsst]
@="{60fd7959-bcfe-455c-a70c-81a47420dbc0}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR]
@="{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail]
@="{5464D816-CF16-4784-B9F3-75C0DB52B499}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu]
@="{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ewido]
@="{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\stmsst]
@="{60fd7959-bcfe-455c-a70c-81a47420dbc0}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR]
@="{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Yahoo! Mail]
@="{5464D816-CF16-4784-B9F3-75C0DB52B499}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

HijackThis Startup -LOG

StartupList report, 1/3/2005, 7:39:19 PM
StartupList version: 1.52.2
Started from : C:\Program Files\hi\Hijackthis.exe.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\qrvqqr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Notepad.exe
C:\Program Files\hi\Hijackthis.exe.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\james sosby\Start Menu\Programs\Startup]
Reboot.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
InCD = C:\Program Files\Ahead\InCD\InCD.exe
HPHUPD04 = "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
HPHmon04 = C:\WINDOWS\System32\hphmon04.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
Omnipage = C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
VBundleOuterDL = C:\Program Files\VBouncer\BundleOuter.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Spyware Doctor = "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = Notepad.exe %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

HP Usg Daily.job
HP Usg Login.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[iNotes Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes.dll
CODEBASE = https://webmail.hudoig.gov/iNotes.cab (http://\"https://webmail.hudoig.gov/iNotes.cab\")

[iNotes6 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes6.dll
CODEBASE = https://webmail.hudoig.gov/iNotes6.cab (http://\"https://webmail.hudoig.gov/iNotes6.cab\")

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8014.8156018518 (http://\"http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38014.8156018518\")

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab\")

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (http://\"http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\")

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HPFECP06: \SystemRoot\System32\drivers\HPFECP06.SYS (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 10,692 bytes
Report generated in 0.400 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Not included : Hijackthis log (1.99 crashes)

Thanks again,
Jim

PS I should be back in 2 hours or so, if you are unable to post anything tonight, i understand, i will be around all day tomorrow working on this. Thanks again
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 03, 2005, 10:19:47 PM: They keep updating the Findit.bat
Can you download this version, unzip it run the scan and post a log from it
Give it time to do it's scan
Findit.zip (http://\"http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip\")

Sorry, but I will post a fix to most of this tonight
You have a Narrator trojan on your computer along with this fairly new VX2 infection
and possible a Rootkit infection

I would like to get most of the initial cleanup all in one shot
It may take a couple tries however to rid you of all of it.....
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 03, 2005, 11:21:34 PM: Hi again Jim, let's get you started in case I don't see your new output.txt created by findit.bat

I believe your also infected with a Rootkit infection
Can you please download and save to your desktop
Remv3.zip (http://\"http://www.freewebs.com/benditup/remv3.zip\")
To make that link work properly you will have to Right click on it and Copy Shortcut
Paste it to your IE address bar and hit GO
UNZIP the contents to a folder

1. Download the Pocket Killbox (http://\"http://www.downloads.subratam.org/KillBox.zip\")
2.Unzip the contents of KillBox.zip to a convenient location.
3.Double-click on KillBox.exe.
4.Click "Replace on Reboot" and check the "Use Dummy" box.
5.Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\lv6409jqe.dll

6.Click the "Delete File" button which looks like a stop sign.
7.Click "Yes" at the Replace on Reboot prompt.
8.Click "No" at the Pending Operations prompt.
# Repeat steps 4-8 above for these files:

C:\WINDOWS\System32\hr4u05h9e.dll
C:\WINDOWS\System32\m082lalo1dqc.dll
C:\WINDOWS\System32\g4lm0e31eh.dll
C:\WINDOWS\System32\k0080adued080.dll

# Click "Replace on Reboot" and check the "Use Dummy" box.
# Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\Guard.tmp

# Click the "Delete File" button which looks like a stop sign.
# Click "Yes" at the Replace on Reboot prompt.

At this point, ensure that all Other windows are closed down, including this one but leave Killbox open
# Click "Yes" at the Pending Operations prompt to restart your computer.

Try and Restart your computer into SAFE MODE
You can do this by tapping the F8 key on the keyboard as the system is booting up

Navigate to the folder that you unzipped remv3.zip too
Open it
Please run remv3.bat in safe mode
Reboot back to Normal mode
remv3.bat should of made a log
c:\log.txt
Can you post this log too, thanks

along with a fresh hijackthis log and the new output.txt
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: jim4299 on January 03, 2005, 11:54:35 PM: Below is the new Findit log from the updated version. I will follow your instructions and post the 2 logs, hijack and findit, following the procedure.

Thanks again,
Jim

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\tmp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

01/03/2005 09:35 PM 223,016 j6j6lg1s16.dll
01/03/2005 06:01 PM 224,867 hr4u05h9e.dll
01/03/2005 06:10 AM 222,848 m082lalo1dqc.dll
01/03/2005 05:59 AM 225,714 g4lm0e31eh.dll
01/03/2005 04:59 AM 225,177 k0080adued080.dll
01/28/2004 11:17 PM <DIR> Microsoft
01/28/2004 09:30 PM <DIR> dllcache
5 File(s) 1,121,622 bytes
2 Dir(s) 3,107,962,880 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/06/2004 09:15 AM 4,212 zllictbl.dat
01/28/2004 10:03 PM 488 logonui.exe.manifest
01/28/2004 10:03 PM 488 WindowsLogon.manifest
01/28/2004 10:03 PM 749 wuaucpl.cpl.manifest
01/28/2004 10:03 PM 749 cdplayer.exe.manifest
01/28/2004 10:03 PM 749 sapi.cpl.manifest
01/28/2004 10:03 PM 749 nwc.cpl.manifest
01/28/2004 10:03 PM 749 ncpa.cpl.manifest
01/28/2004 09:30 PM <DIR> dllcache
8 File(s) 8,933 bytes
1 Dir(s) 3,107,954,688 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/23/2001 12:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 3,107,938,304 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3A171278-78A9-44E8-84BC-B0A3289C0D08}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr4u05h9e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
g4lm0e~1.dll Mon Jan 3 2005 5:59:58a ..S.R 225,714 220.42 K
hr4u05~1.dll Mon Jan 3 2005 6:01:10p ..S.R 224,867 219.59 K
k0080a~1.dll Mon Jan 3 2005 4:59:16a ..S.R 225,177 219.90 K
j6j6lg~1.dll Mon Jan 3 2005 9:35:36p ..S.R 223,016 217.79 K
m082la~1.dll Mon Jan 3 2005 6:10:52a ..S.R 222,848 217.63 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,121,622 bytes 1.07 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\system32\sbissb.dll: updates.qoologic.com
C:\WINDOWS\system32\ioliio.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\qrvqqr.exe: .aspack
C:\WINDOWS\system32\gbwggb.dat: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ftkfft.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Narrator"="C:\\WINDOWS\\system32\\qrvqqr.exe"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 04, 2005, 12:03:48 AM: Go ahead and do what I posted in my last reply and then we can
try to hit these infections with another blast /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

I see the entries needed to rid you of Narrator
So please post back a fresh hijackthis log and Findit log after you are done
Also try and post the log.txt from remv3.bat
After you have tried the fix with remv3.bat can you try also posting a hijackthis log with version 1.99
Let's see if it will work after that

I hope to see your response tonight before I go to bed, if not please don't reboot until we can try another round of fixes
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: jim4299 on January 04, 2005, 12:22:25 AM: My computer crashed so unfortunitely, i'm forced to restart here and there (just crashed after the procedure). Also, i continually tell Trojan Guarder to delete the trojan xwlxxw.exe, so i'm not sure how that affects the logs. Hijack 1.99 still will not record a log so i had to use the older version. Here are my new hijack 1.98 and findit logs:

Thanks again,
Jim

Hijack 1.98

Logfile of HijackThis v1.98.2
Scan saved at 10:14:02 PM, on 1/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\qrvqqr.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\strings.exe
C:\WINDOWS\system32\find.exe
C:\Documents and Settings\james sosby\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
;<local>
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.com"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: earch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
O4 - Global Startup: strings.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.hudoig.gov/iNotes.cab (http://\"https://webmail.hudoig.gov/iNotes.cab\")
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.hudoig.gov/iNotes6.cab (http://\"https://webmail.hudoig.gov/iNotes6.cab\")
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1

Findit

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\tmp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

01/03/2005 10:10 PM 224,595 irp0l57m1.dll
01/03/2005 10:03 PM 224,405 hr8805lue.dll
01/03/2005 09:55 PM 223,520 h40q0ed5eh0.dll
01/03/2005 06:10 AM 222,848 m082lalo1dqc.dll
01/03/2005 05:59 AM 225,714 g4lm0e31eh.dll
01/03/2005 04:59 AM 225,177 k0080adued080.dll
01/28/2004 11:17 PM <DIR> Microsoft
01/28/2004 09:30 PM <DIR> dllcache
6 File(s) 1,346,259 bytes
2 Dir(s) 3,106,783,232 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/06/2004 09:15 AM 4,212 zllictbl.dat
01/28/2004 10:03 PM 488 logonui.exe.manifest
01/28/2004 10:03 PM 488 WindowsLogon.manifest
01/28/2004 10:03 PM 749 wuaucpl.cpl.manifest
01/28/2004 10:03 PM 749 cdplayer.exe.manifest
01/28/2004 10:03 PM 749 sapi.cpl.manifest
01/28/2004 10:03 PM 749 nwc.cpl.manifest
01/28/2004 10:03 PM 749 ncpa.cpl.manifest
01/28/2004 09:30 PM <DIR> dllcache
8 File(s) 8,933 bytes
1 Dir(s) 3,106,775,040 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/23/2001 12:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 3,106,758,656 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3A171278-78A9-44E8-84BC-B0A3289C0D08}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h40q0ed5eh0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
g4lm0e~1.dll Mon Jan 3 2005 5:59:58a ..S.R 225,714 220.42 K
hr8805~1.dll Mon Jan 3 2005 10:03:18p ..S.R 224,405 219.14 K
irp0l5~1.dll Mon Jan 3 2005 10:10:08p ..S.R 224,595 219.33 K
k0080a~1.dll Mon Jan 3 2005 4:59:16a ..S.R 225,177 219.90 K
m082la~1.dll Mon Jan 3 2005 6:10:52a ..S.R 222,848 217.63 K
h40q0e~1.dll Mon Jan 3 2005 9:55:34p ..S.R 223,520 218.28 K

6 items found: 6 files, 0 directories.
Total of file sizes: 1,346,259 bytes 1.28 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\system32\sbissb.dll: updates.qoologic.com
C:\WINDOWS\system32\ioliio.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\qrvqqr.exe: .aspack
C:\WINDOWS\system32\gbwggb.dat: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ftkfft.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Narrator"="C:\\WINDOWS\\system32\\qrvqqr.exe"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: jim4299 on January 04, 2005, 12:24:04 AM: Oh ya, the remv log:

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
msde.dll
msi.dll
Finished
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 04, 2005, 12:48:00 AM: Navigate to this file
C:\WINDOWS\System32\msde.dll
Right click on msde.dll and rename it to msde.old
You may have to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Try this Jim, where is trojanguarder telling you where the file is located, I'll assume the System32 folder, we can add it below, I can find no info on it, so it's probably bad
1.Double-click on KillBox.exe.
2.Click "Replace on Reboot" and check the "Use Dummy" box.
3.Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\hr4u05h9e.dll

4.Click the "Delete File" button which looks like a stop sign.
5.Click "Yes" at the Replace on Reboot prompt.
6.Click "No" at the Pending Operations prompt.
# Repeat steps 2-6 above for these files:

C:\WINDOWS\System32\irp0l57m1.dll
C:\WINDOWS\System32\hr8805lue.dll
C:\WINDOWS\System32\h40q0ed5eh0.dll
C:\WINDOWS\System32\m082lalo1dqc.dll
C:\WINDOWS\System32\g4lm0e31eh.dll
C:\WINDOWS\System32\k0080adued080.dll
C:\WINDOWS\system32\sbissb.dll
C:\WINDOWS\system32\ioliio.dll
C:\WINDOWS\system32\qrvqqr.exe
C:\WINDOWS\system32\gbwggb.dat
C:\WINDOWS\system32\xwlxxw.exe

# Click "Replace on Reboot" and check the "Use Dummy" box.
# Paste this file into the top "Full Path of File to Delete" box.

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ftkfft.exe

# Click the "Delete File" button which looks like a stop sign.
# Click "Yes" at the Replace on Reboot prompt.

At this point, ensure that all Other windows are closed down, including this one but leave Killbox open
# Click "Yes" at the Pending Operations prompt to restart your computer.

Once back in windows
Post back a new Findit.bat---Output.txt log

Also a new hijackthis log >>>EDIT
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: jim4299 on January 04, 2005, 01:29:58 AM: Following the procedure, there was a error that poped up in a msdos box for ftkfft.exe, but i accidently hit enter too quick to pick it up (oppsss). HiJack this still crashes so i had to use the old hijack (1.98) for the log. xwlxxw.exe still appeared and was deleted (again) by trojan guarder following bootup. Here are my logs:

Thanks again

Logfile of HijackThis v1.98.2
Scan saved at 11:18:18 PM, on 1/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\qrvqqr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\james sosby\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
;<local>
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.com"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: earch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.hudoig.gov/iNotes.cab (http://\"https://webmail.hudoig.gov/iNotes.cab\")
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.hudoig.gov/iNotes6.cab (http://\"https://webmail.hudoig.gov/iNotes6.cab\")
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\tmp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

01/03/2005 11:15 PM 225,250 hrn6055se.dll
01/03/2005 10:10 PM 224,595 irp0l57m1.dll
01/03/2005 10:03 PM 224,405 hr8805lue.dll
01/03/2005 06:10 AM 222,848 m082lalo1dqc.dll
01/03/2005 05:59 AM 225,714 g4lm0e31eh.dll
01/03/2005 04:59 AM 225,177 k0080adued080.dll
01/28/2004 11:17 PM <DIR> Microsoft
01/28/2004 09:30 PM <DIR> dllcache
6 File(s) 1,347,989 bytes
2 Dir(s) 3,108,233,216 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/06/2004 09:15 AM 4,212 zllictbl.dat
01/28/2004 10:03 PM 488 logonui.exe.manifest
01/28/2004 10:03 PM 488 WindowsLogon.manifest
01/28/2004 10:03 PM 749 wuaucpl.cpl.manifest
01/28/2004 10:03 PM 749 cdplayer.exe.manifest
01/28/2004 10:03 PM 749 sapi.cpl.manifest
01/28/2004 10:03 PM 749 nwc.cpl.manifest
01/28/2004 10:03 PM 749 ncpa.cpl.manifest
01/28/2004 09:30 PM <DIR> dllcache
8 File(s) 8,933 bytes
1 Dir(s) 3,108,225,024 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/23/2001 12:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 3,108,208,640 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3A171278-78A9-44E8-84BC-B0A3289C0D08}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irp0l57m1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
g4lm0e~1.dll Mon Jan 3 2005 5:59:58a ..S.R 225,714 220.42 K
hr8805~1.dll Mon Jan 3 2005 10:03:18p ..S.R 224,405 219.14 K
irp0l5~1.dll Mon Jan 3 2005 10:10:08p ..S.R 224,595 219.33 K
hrn605~1.dll Mon Jan 3 2005 11:15:44p ..S.R 225,250 219.97 K
k0080a~1.dll Mon Jan 3 2005 4:59:16a ..S.R 225,177 219.90 K
m082la~1.dll Mon Jan 3 2005 6:10:52a ..S.R 222,848 217.63 K

6 items found: 6 files, 0 directories.
Total of file sizes: 1,347,989 bytes 1.29 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\system32\sbissb.dll: updates.qoologic.com
C:\WINDOWS\system32\ioliio.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\qrvqqr.exe: .aspack
C:\WINDOWS\system32\gbwggb.dat: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Narrator"="C:\\WINDOWS\\system32\\qrvqqr.exe"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 04, 2005, 01:58:31 AM: Can we try this, is there any way of shutting down TrojanGuarder and SpywareDoctor until we can get you clean, it may be getting in the way of these fixes
Some of the same files are popping back up, something is getting in our way

Try and save this too a Notepad file on the desktop and then Disconnect completely from the Internet

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/...//www.yahoo.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R3 - Default URLSearchHook is missing

O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: earch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

1.Double-click on KillBox.exe.
2.Click "Replace on Reboot" and check the "Use Dummy" box.
3.Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\irp0l57m1.dll

4.Click the "Delete File" button which looks like a stop sign.
5.Click "Yes" at the Replace on Reboot prompt.
6.Click "No" at the Pending Operations prompt.
# Repeat steps 2-6 above for these files:

C:\WINDOWS\System32\hrn6055se.dll
C:\WINDOWS\System32\hr8805lue.dll
C:\WINDOWS\System32\m082lalo1dqc.dll
C:\WINDOWS\System32\g4lm0e31eh.dll
C:\WINDOWS\System32\g4lm0e31eh.dll
C:\WINDOWS\System32\k0080adued080.dll
C:\WINDOWS\system32\qrvqqr.exe
C:\WINDOWS\system32\gbwggb.dat
C:\WINDOWS\system32\sbissb.dll
C:\WINDOWS\system32\ioliio.dll

# Click "Replace on Reboot" and check the "Use Dummy" box.
# Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\system32\Guard.tmp

# Click the "Delete File" button which looks like a stop sign.
# Click "Yes" at the Replace on Reboot prompt.
# Click "Yes" at the Pending Operations prompt to restart your computer.

Post back a new Output.txt log from Find.bat

Make sure you copy and paste the whole path to the file names
EG..don't copy paste this hrn6055se.dll
Do it this way C:\WINDOWS\System32\hrn6055se.dll
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: jim4299 on January 04, 2005, 02:26:20 AM: Hijack still crashes but i followed all procedures as described, i.e., uninstalled spy doctor, trojan guard, unplugged the internet. I just switched to firefox today but i still get thrown over to weird sites and maybe thats how the spyware gets back into the computer? Here are the 2 logs:

Thanks

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Logfile of HijackThis v1.98.2
Scan saved at 12:15:59 AM, on 1/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\james sosby\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.com"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\qrvqqr.exe
O4 - Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: ftkfft.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.hudoig.gov/iNotes.cab (http://\"https://webmail.hudoig.gov/iNotes.cab\")
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.hudoig.gov/iNotes6.cab (http://\"https://webmail.hudoig.gov/iNotes6.cab\")
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1

Find.bat is running from: C:\tmp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

01/28/2004 11:17 PM <DIR> Microsoft
01/28/2004 09:30 PM <DIR> dllcache
0 File(s) 0 bytes
2 Dir(s) 3,124,903,936 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/06/2004 09:15 AM 4,212 zllictbl.dat
01/28/2004 10:03 PM 488 logonui.exe.manifest
01/28/2004 10:03 PM 488 WindowsLogon.manifest
01/28/2004 10:03 PM 749 wuaucpl.cpl.manifest
01/28/2004 10:03 PM 749 cdplayer.exe.manifest
01/28/2004 10:03 PM 749 sapi.cpl.manifest
01/28/2004 10:03 PM 749 nwc.cpl.manifest
01/28/2004 10:03 PM 749 ncpa.cpl.manifest
01/28/2004 09:30 PM <DIR> dllcache
8 File(s) 8,933 bytes
1 Dir(s) 3,124,895,744 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/23/2001 12:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 3,124,879,360 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3A171278-78A9-44E8-84BC-B0A3289C0D08}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hrn6055se.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Narrator"="C:\\WINDOWS\\system32\\qrvqqr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 04, 2005, 02:29:30 AM: That's looking better Jim
Can I now see a Startup list from Hijackthis again

We will still have to repair your recycle bin
I'm on my way to bed soon, so let's try and get rid of the rest of this now
As you can see Narrator and random name startup appeared in Hijackthis
Let me see that startup list and we'll try to nab the rest of it
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: jim4299 on January 04, 2005, 02:31:06 AM: Here it is:

StartupList report, 1/4/2005, 12:29:10 AM
StartupList version: 1.52.2
Started from : C:\Program Files\hi\hi.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hi\hi.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\james sosby\Start Menu\Programs\Startup]
Reboot.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
ftkfft.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
InCD = C:\Program Files\Ahead\InCD\InCD.exe
HPHUPD04 = "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
HPHmon04 = C:\WINDOWS\System32\hphmon04.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
Omnipage = C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
Narrator = C:\WINDOWS\system32\qrvqqr.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = Notepad.exe %1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

HP Usg Daily.job
HP Usg Login.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[iNotes Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes.dll
CODEBASE = https://webmail.hudoig.gov/iNotes.cab (http://\"https://webmail.hudoig.gov/iNotes.cab\")

[iNotes6 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes6.dll
CODEBASE = https://webmail.hudoig.gov/iNotes6.cab (http://\"https://webmail.hudoig.gov/iNotes6.cab\")

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8014.8156018518 (http://\"http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38014.8156018518\")

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab\")

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (http://\"http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\")

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 4,878 bytes
Report generated in 0.070 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 04, 2005, 02:34:32 AM: Jim, could you edit your last reply, when you generate a startup list could you put a check in "List all minor sections (full)"
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: jim4299 on January 04, 2005, 02:36:00 AM: My bad, i thought i did, here it is:

StartupList report, 1/4/2005, 12:33:43 AM
StartupList version: 1.52.2
Started from : C:\Program Files\hi\hi.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hi\hi.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\james sosby\Start Menu\Programs\Startup]
Reboot.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
ftkfft.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
InCD = C:\Program Files\Ahead\InCD\InCD.exe
HPHUPD04 = "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
HPHmon04 = C:\WINDOWS\System32\hphmon04.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
Omnipage = C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
Narrator = C:\WINDOWS\system32\qrvqqr.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = Notepad.exe %1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

HP Usg Daily.job
HP Usg Login.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[iNotes Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes.dll
CODEBASE = https://webmail.hudoig.gov/iNotes.cab (http://\"https://webmail.hudoig.gov/iNotes.cab\")

[iNotes6 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes6.dll
CODEBASE = https://webmail.hudoig.gov/iNotes6.cab (http://\"https://webmail.hudoig.gov/iNotes6.cab\")

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8014.8156018518 (http://\"http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38014.8156018518\")

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab\")

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (http://\"http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\")

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 4,878 bytes
Report generated in 0.020 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 04, 2005, 02:42:21 AM: Still not seeing what I need to see
Go back and look what the startup list looked like when you first posted it
See these entries
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

I'm not seeing them in your last startup list

Just checked mine, you have to put a check in List all minor sections (full)
If you don't I will only see the list you generated
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: jim4299 on January 04, 2005, 02:47:43 AM: I was using 1.99 for those last 2 startups, here is 1.98's startup list, this had the enumerating sub paths thing:

StartupList report, 1/4/2005, 12:44:20 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\james sosby\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\james sosby\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\james sosby\Start Menu\Programs\Startup]
Reboot.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
ftkfft.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
InCD = C:\Program Files\Ahead\InCD\InCD.exe
HPHUPD04 = "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
HPHmon04 = C:\WINDOWS\System32\hphmon04.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
Omnipage = C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
Narrator = C:\WINDOWS\system32\qrvqqr.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = Notepad.exe %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

HP Usg Daily.job
HP Usg Login.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[iNotes Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes.dll
CODEBASE = https://webmail.hudoig.gov/iNotes.cab (http://\"https://webmail.hudoig.gov/iNotes.cab\")

[iNotes6 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes6.dll
CODEBASE = https://webmail.hudoig.gov/iNotes6.cab (http://\"https://webmail.hudoig.gov/iNotes6.cab\")

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8014.8156018518 (http://\"http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38014.8156018518\")

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab\")

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (http://\"http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\")

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HPFECP06: \SystemRoot\System32\drivers\HPFECP06.SYS (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 9,947 bytes
Report generated in 0.080 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 04, 2005, 02:51:19 AM: Hmm, both my versions of 1.98.2 and 1.99 work the same way /blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' />

Well, I just wanted to check on something
Hold tight and I'll post some cleanup measures

I won't see your last logs until tomorrow, but we should also get some tools on your computer to keep you clean

Give me about 15 minutes to post back
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: jim4299 on January 04, 2005, 02:54:38 AM: Sounds good, maybe the trojan is keeping 1.99 from working? its odd nonetheless, i tried to create a startup log again and again just for fun with 1.99, the log just wont show the "enumerator" line you were looking for.

Once again, thanks, appreciate your help alot /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 04, 2005, 03:28:22 AM: Download and Unzip to a folder
Hoster by Toadbee (http://\"http://members.aol.com/toadbee/hoster.zip\")

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
Click File>>Save as
IMPORTANT>>Change the Save as Type to All Files.
Name the file as fixVX2.reg

Save this file on the desktop

Quote
REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\stmsst][-HKEY_CLASSES_ROOT\CLSID\{60fd7959-bcfe-455c-a70c-81a47420dbc0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3A171278-78A9-44E8-84BC-B0A3289C0D08}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

Do another scan with Hijackthis and put a check next to these entries:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\qrvqqr.exe

O4 - Global Startup: ftkfft.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Double click on fixVX2.reg and allow it to merge to the registry

In KillBox.exe.
# In the File menu click "Delete all Dummy files".
# In the Tools menu click "Delete Temp Files".
# Choose "Standard File Kill" if not already selected.
# Paste these files one by one into the top "Full Path of File to Delete" box.

C:\RECYCLER\desktop.ini
C:\WINDOWS\System32\drivers\etc\HOSTS

# Click the "Delete File" button which looks like a stop sign.
# Click "Yes" at the Confirm Delete prompt.
# It should give you a successful "File was deleted" prompt for each one.

Again in KillBox.exe.
2.Click "Replace on Reboot" and check the "Use Dummy" box.
3.Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\qrvqqr.exe

4.Click the "Delete File" button which looks like a stop sign.
5.Click "Yes" at the Replace on Reboot prompt.
6.Click "No" at the Pending Operations prompt.
# Repeat steps 2-6 above for these files:

C:\WINDOWS\System32\hrn6055se.dll
C:\WINDOWS\System32\xwlxxw.exe

On the last file click YES at the Pending Operations Prompt
Restart the computer

Back in Windows
Open VX2 Finder and click to Find VX2.BetterInternet
Click on any of these that are highlighted on the right hand side
Click 'Guardian.reg'.
Click 'User Agent'.
Click 'Restore Policy'.

Restart your computer again
Open Hoster and let it create a new Host file
Open Killbox and delete dummy files again

I'd recommend at this time you do an online virus scan at Housecall's to be safe
Set to Autoclean
http://housecall.trendmicro.com/ (http://\"http://housecall.trendmicro.com/\")

Post back a fresh hijackthis log, one last Find.bat log and a VX2 log

Could you also
Download and save to desktop ServiceFilter.zip (http://\"http://home.comcast.net/~rand1038/vbscript/ServiceFilter.zip\")
A script by rand1038 that reveals potential unauthorised running services in your system.
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.

We should just about killed all this, just have to figure out why Hijackthis 1.99 is crashing
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 04, 2005, 03:43:22 AM: Before I go off to bed Jim
Could you also go to this site
http://www.billsway.com/vbspage/ (http://\"http://www.billsway.com/vbspage/\") and scroll down to
Registry Search Tool
Download, unzip and run RegSrch.vbs
Copy and paste this in the dialog box: xwlxxw.exe
After a while a prompt will come up.(About 10 seconds) Click OK to write the results to wordpad or notepad and post them

Also, if you don't have your own Anti-Virus to install, or I missed that you had one installed by mistake
Could you download the Free version of AVG 7
Yours to keep and update for the life of the product
After installation ensure you let it update and run a full system scan
http://free.grisoft.com/doc/1 (http://\"http://free.grisoft.com/doc/1\")

EDIT>>Could you also let me know any error messages you may get when you try running CWShredder or the newer version of Hijackthis
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: jim4299 on January 04, 2005, 04:27:55 AM: Hijackthis still crashes but CWShredder works fine, and finds nothing.

RegSearch does not find any reference to: xwlxxw.exe

I couldnt get the homescan to load (couldn't get it to recognize the netscape plugin) but i installed the other virus scan and removed 3 trojans - downloader.agent.3.D, dyfica.2.BA and 3.G.

Thank you,
Jim

Here are my Hijackthis, Find.bat, VX2, and ServiceFilter logs:

Logfile of HijackThis v1.98.2
Scan saved at 3:07:51 AM, on 1/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\strings.exe
C:\WINDOWS\system32\find.exe
C:\Documents and Settings\james sosby\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.com"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: strings.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.hudoig.gov/iNotes.cab (http://\"https://webmail.hudoig.gov/iNotes.cab\")
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.hudoig.gov/iNotes6.cab (http://\"https://webmail.hudoig.gov/iNotes6.cab\")
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\tmp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

01/28/2004 11:17 PM <DIR> Microsoft
01/28/2004 09:30 PM <DIR> dllcache
0 File(s) 0 bytes
2 Dir(s) 3,882,991,616 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/06/2004 09:15 AM 4,212 zllictbl.dat
01/28/2004 10:03 PM 488 logonui.exe.manifest
01/28/2004 10:03 PM 488 WindowsLogon.manifest
01/28/2004 10:03 PM 749 wuaucpl.cpl.manifest
01/28/2004 10:03 PM 749 cdplayer.exe.manifest
01/28/2004 10:03 PM 749 sapi.cpl.manifest
01/28/2004 10:03 PM 749 nwc.cpl.manifest
01/28/2004 10:03 PM 749 ncpa.cpl.manifest
01/28/2004 09:30 PM <DIR> dllcache
8 File(s) 8,933 bytes
1 Dir(s) 3,882,983,424 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/23/2001 12:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 3,882,967,040 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

Guardian Key--- :

User Agent String---

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 2
Jan 4, 2005 3:09:07 AM

---> Begin Service Listing <---

Unknown Service # 1
Service Name: Pml Driver HPH11
Display Name: Pml Driver HPH11
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\hphipm11.exe
State: Running
Process ID: 1868
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{52886906-8a2d-4438-8ac3-9bce6f96ae08}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 83 Win32 services on this machine.
2 were unrecognized.

Script Execution Time: 4.987305 seconds.
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 04, 2005, 01:49:28 PM: Last logs look fine Jim

We have to restore your UserAgent String for Windows XP SP2
and we should restore your Url Searchhooks

If you could, one last request
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
Click File>>Save as
IMPORTANT>>Change the Save as Type to All Files.
Name the file as Restore.reg

Save this file on the desktop

Quote
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]@="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

Double click on Restore.reg and allow it to merge to the registry

Open VX2 Finder and Click to Find VX2.Betterinternet
After it's done scanning can you click on only
Restore Policy on the right hand side
OK out of there

When your back in Windows

Run another scan with VX2.BetterInter (All) version
I'm not sure how many versions you've downloaded, but stick with this one
Before running the scan click on VERSION in the menu bar
Check all instances of
MSG122-126
Run the scan and make a log and post it back here
One last Hijackthis log too please

Let me know how everythings running

I know your trying to stay away from IE
But
To enhance your privacy and security
You should set up protection against future attacks

You should install these 2 apps., they add extra security while
silently protecting you, without running in the background

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link==Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
SpywareBlaster also blocks bad cookies in Mozilla

If possible can you let me know exactly the error message you get when you try to run Hijackthis 1.99, if any

Oh yah, that usually happens with Housecall's when running a scan
It only seems to like IE>>Darn ActiveX controls
If you install the above utilities you should be a lot safer on IE
However, I'm with you and would stick with either Netscape or Mozilla(More or less the same thing)
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: Guest on January 04, 2005, 04:06:28 PM: Again, thanks for your help, i greatly appreciate it.

Here are the Hijack and vx2 logs. I am also including a error report from the hijackthis 1.99 crash, it crashes on the O23 NT Services part, close to the end of the scan.

Hijackthis error:

<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="hi.exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="hi.exe" SIZE="203264" CHECKSUM="0xF4FA82B" BIN_FILE_VERSION="1.99.0.0" BIN_PRODUCT_VERSION="1.99.0.0" PRODUCT_VERSION="1.99" FILE_DESCRIPTION="HijackThis" COMPANY_NAME="Soeperman Enterprises Ltd." PRODUCT_NAME="HijackThis" FILE_VERSION="1.99" ORIGINAL_FILENAME="HijackThis.exe" INTERNAL_NAME="HijackThis" LEGAL_COPYRIGHT="Freeware" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x10063" UPTO_BIN_FILE_VERSION="1.99.0.0" UPTO_BIN_PRODUCT_VERSION="1.99.0.0" LINK_DATE="12/15/2004 09:40:42" UPTO_LINK_DATE="12/15/2004 09:40:42" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
<EXE NAME="ntdll.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="ntdll.dll" SIZE="708096" CHECKSUM="0x9D20568" BIN_FILE_VERSION="5.1.2600.2180" BIN_PRODUCT_VERSION="5.1.2600.2180" PRODUCT_VERSION="5.1.2600.2180" FILE_DESCRIPTION="NT Layer DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" ORIGINAL_FILENAME="ntdll.dll" INTERNAL_NAME="ntdll.dll" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xAF2F7" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.2180" UPTO_BIN_PRODUCT_VERSION="5.1.2600.2180" LINK_DATE="08/04/2004 07:56:36" UPTO_LINK_DATE="08/04/2004 07:56:36" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="983552" CHECKSUM="0x4CE79457" BIN_FILE_VERSION="5.1.2600.2180" BIN_PRODUCT_VERSION="5.1.2600.2180" PRODUCT_VERSION="5.1.2600.2180" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFF848" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.2180" UPTO_BIN_PRODUCT_VERSION="5.1.2600.2180" LINK_DATE="08/04/2004 07:56:36" UPTO_LINK_DATE="08/04/2004 07:56:36" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
</DATABASE>

Logfile of HijackThis v1.98.2
Scan saved at 1:54:26 PM, on 1/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Notepad.exe
C:\Documents and Settings\james sosby\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.com"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.hudoig.gov/iNotes.cab (http://\"https://webmail.hudoig.gov/iNotes.cab\")
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.hudoig.gov/iNotes6.cab (http://\"https://webmail.hudoig.gov/iNotes6.cab\")
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1

Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

Guardian Key--- :

User Agent String---
SV1
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 04, 2005, 04:50:12 PM: Not sure why it's crashing then
Seems a few others around the Net are having problems with it at the 023 entries

remv3 showed clear, did you rename that file msde.old in your System32 folder?
Leave that file renamed until your happy with the way everything is running
Shouldn't effect it then
Would you mind trying a scan with 1.99 in safe mode and let me know if it works

Could you also Download GetServices.zip (http://\"http://www.bleepingcomputer.com/files/spyware/getservice.zip\")
Unzip it to a folder
Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder.
getservice.txt will list all active Services

Post the getservices.txt, I just want to double check we have no nasty services running
I also want to check on the service related to Hi.exe
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: Guest on January 04, 2005, 06:12:04 PM: Hijackthis still crashes in safemode as well. At least it gets to o23, it used to crash a lot sooner. Also, i did keep the file as msde.old, I havent changed it back.

Here is my GetServices log:

PsService v1.1 - local and remote services viewer/controller
Copyright © 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 4 DISABLED
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Alerter
   DEPENDENCIES    : LanmanWorkstation
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: ALG
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Application Layer Gateway Service
   DEPENDENCIES    :
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Application Management
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : AudioGroup
   TAG       : 0
   DISPLAY_NAME    : Windows Audio
   DEPENDENCIES    : PlugPlay
          : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Avg7Alrt
(null)
   TYPE       : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : AVG7 Alert Manager Server
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Avg7UpdSvc
(null)
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : AVG7 Update Service
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Background Intelligent Transfer Service
   DEPENDENCIES    : Rpcss
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 0 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 60000 seconds
          : Restart   DELAY: 60000 seconds
          : Restart   DELAY: 60000 seconds

SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Computer Browser
   DEPENDENCIES    : LanmanWorkstation
          : LanmanServer
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: cisvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\cisvc.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Indexing Service
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 4 DISABLED
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : ClipBook
   DEPENDENCIES    : NetDDE
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: COMSysApp
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : COM+ System Application
   DEPENDENCIES    : rpcss
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 30 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 1000 seconds
          : Restart   DELAY: 5000 seconds
          : None   DELAY: 1000 seconds

SERVICE_NAME: CryptSvc
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Cryptographic Services
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: DcomLaunch
Provides launch functionality for DCOM services.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k DcomLaunch
   LOAD_ORDER_GROUP : Event Log
   TAG       : 0
   DISPLAY_NAME    : DCOM Server Process Launcher
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 0 seconds
   FAILURE_ACTIONS    : Reboot   DELAY: 60000 seconds

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : TDI
   TAG       : 0
   DISPLAY_NAME    : DHCP Client
   DEPENDENCIES    : Tcpip
          : Afd
          : NetBT
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Logical Disk Manager Administrative Service
   DEPENDENCIES    : RpcSs
          : PlugPlay
          : DmServer
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Logical Disk Manager
   DEPENDENCIES    : RpcSs
          : PlugPlay
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k NetworkService
   LOAD_ORDER_GROUP : TDI
   TAG       : 0
   DISPLAY_NAME    : DNS Client
   DEPENDENCIES    : Tcpip
   SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: ERSvc
Allows error reporting for services and applictions running in non-standard environments.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Error Reporting Service
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
   LOAD_ORDER_GROUP : Event log
   TAG       : 0
   DISPLAY_NAME    : Event Log
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : Network
   TAG       : 0
   DISPLAY_NAME    : COM+ Event System
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: FastUserSwitchingCompatibility
Provides management for applications that require assistance in a multiple user environment.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Fast User Switching Compatibility
   DEPENDENCIES    : TermService
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Help and Support
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 100 seconds
          : Restart   DELAY: 100 seconds
          : None   DELAY: 100 seconds

SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 4 DISABLED
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Human Interface Device Access
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: HTTPFilter
This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k HTTPFilter
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : HTTP SSL
   DEPENDENCIES    : HTTP
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\imapi.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : IMAPI CD-Burning COM Service
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Server
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : NetworkProvider
   TAG       : 0
   DISPLAY_NAME    : Workstation
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP : TDI
   TAG       : 0
   DISPLAY_NAME    : TCP/IP NetBIOS Helper
   DEPENDENCIES    : NetBT
          : Afd
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Messenger
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 4 DISABLED
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Messenger
   DEPENDENCIES    : LanmanWorkstation
          : NetBIOS
          : PlugPlay
          : RpcSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\mnmsrvc.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : NetMeeting Remote Desktop Sharing
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\msdtc.exe
   LOAD_ORDER_GROUP : MS Transactions
   TAG       : 0
   DISPLAY_NAME    : Distributed Transaction Coordinator
   DEPENDENCIES    : RPCSS
          : SamSS
   SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: MSIServer
Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\msiexec.exe /V
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Windows Installer
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 4 DISABLED
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
   LOAD_ORDER_GROUP : NetDDEGroup
   TAG       : 0
   DISPLAY_NAME    : Network DDE
   DEPENDENCIES    : NetDDEDSDM
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 4 DISABLED
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Network DDE DSDM
   DEPENDENCIES    :
          : EGrLocalSystem
          : Network DDE DSDM
          : etwork DDE
          : workService
          : Distributed Transaction Coordinator
          : ion
          : ~1.1E\lin
          :
          : n
          :
          : è6
          : è6
          : ges Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
          :
          : u
          : n
          : a
          : v
          : a
          : i
          : l
          : a
          : b
          : l
          : e
          : .
          :
          : I
          : f
          :
          : t
          : h
          : i
          : s
          :
          : s
          : e
          : r
          : v
          : i
          : c
          : e
          :
          : i
          : s
          :
          : d
          : i
          : s
          : a
          : b
          : l
          : e
          : d
          : ,
          :
          : a
          : n
          : y
          :
          : s
          : e
          : r
          : v
          : i
          : c
          : e
          : s
          :
          : t
          : h
          : a
          : t
          :
          : e
          : x
          : p
          : l
          : i
          : c
          : i
          : t
          : l
          : y
          :
          : d
          : e
          : p
          : e
          : n
          : d
          :
          : o
          : n
          :
          : i
          : t
          :
          : w
          : i
          : l
          : l
          :
          : f
          : a
          : i
          : l
          :
          : t
          : o
          :
          : s
          : t
          : a
          : r
          : t
          : .
          :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
   LOAD_ORDER_GROUP : RemoteValidation
   TAG       : 0
   DISPLAY_NAME    : Net Logon
   DEPENDENCIES    : LanmanWorkstation
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
   TYPE       : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Network Connections
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Nla
Collects and stores network configuration and location information, and notifies applications when this information changes.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Network Location Awareness (NLA)
   DEPENDENCIES    : Tcpip
          : Afd
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : NT LM Security Support Provider
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
(null)
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Removable Storage
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
   LOAD_ORDER_GROUP : PlugPlay
   TAG       : 0
   DISPLAY_NAME    : Plug and Play
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Pml Driver HPH11
(null)
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\HPHipm11.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Pml Driver HPH11
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : IPSEC Services
   DEPENDENCIES    : RPCSS
          : Tcpip
          : IPSec
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
   TYPE       : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Protected Storage
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Remote Access Auto Connection Manager
   DEPENDENCIES    : RasMan
          : Tapisrv
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Remote Access Connection Manager
   DEPENDENCIES    : Tapisrv
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RDSessMgr
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Remote Desktop Help Session Manager
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 4 DISABLED
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Routing and Remote Access
   DEPENDENCIES    : RpcSS
          : +NetBIOSGroup
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteRegistry
Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Remote Registry
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: NT AUTHORITY\LocalService
   FAIL_RESET_PERIOD : 0 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 1000 seconds

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\locator.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Remote Procedure Call (RPC) Locator
   DEPENDENCIES    : LanmanWorkstation
   SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
   LOAD_ORDER_GROUP : COM Infrastructure
   TAG       : 0
   DISPLAY_NAME    : Remote Procedure Call (RPC)
   DEPENDENCIES    :
   SERVICE_START_NAME: NT Authority\NetworkService
   FAIL_RESET_PERIOD : 0 seconds
   FAILURE_ACTIONS    : Reboot   DELAY: 60000 seconds

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\rsvp.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : QoS RSVP
   DEPENDENCIES    : TcpIp
          : Afd
          : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
   LOAD_ORDER_GROUP : LocalValidation
   TAG       : 0
   DISPLAY_NAME    : Security Accounts Manager
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
   LOAD_ORDER_GROUP : SmartCardGroup
   TAG       : 0
   DISPLAY_NAME    : Smart Card
   DEPENDENCIES    : PlugPlay
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : SchedulerGroup
   TAG       : 0
   DISPLAY_NAME    : Task Scheduler
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Secondary Logon
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : Network
   TAG       : 0
   DISPLAY_NAME    : System Event Notification
   DEPENDENCIES    : EventSystem
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Windows Firewall/Internet Connection Sharing (ICS)
   DEPENDENCIES    : Netman
          : WinMgmt
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ShellHWDetection
(null)
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : ShellSvcGroup
   TAG       : 0
   DISPLAY_NAME    : Shell Hardware Detection
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
   TYPE       : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
   LOAD_ORDER_GROUP : SpoolerGroup
   TAG       : 0
   DISPLAY_NAME    : Print Spooler
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 60000 seconds
          : Restart   DELAY: 60000 seconds
          : None   DELAY: 0 seconds

SERVICE_NAME: srservice
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : System Restore Service
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SSDPSRV
Enables discovery of UPnP devices on your home network.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : SSDP Discovery Service
   DEPENDENCIES    : HTTP
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: stisvc
Provides image acquisition services for scanners and cameras.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k imgsvc
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Windows Image Acquisition (WIA)
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SwPrv
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{52886906-8A2D-4438-8AC3-9BCE6F96AE08}
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : MS Software Shadow Copy Provider
   DEPENDENCIES    : rpcss
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Performance Logs and Alerts
   DEPENDENCIES    :
   SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Telephony
   DEPENDENCIES    : PlugPlay
          : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TermService
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost -k DComLaunch
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Terminal Services
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Themes
Provides user experience theme management.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : UIGroup
   TAG       : 0
   DISPLAY_NAME    : Themes
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 60000 seconds
          : Restart   DELAY: 60000 seconds
          : None   DELAY: 0 seconds

SERVICE_NAME: TlntSvr
Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\tlntsvr.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Telnet
   DEPENDENCIES    : RPCSS
          : TCPIP
          : NTLMSSP
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TrkWks
Maintains links between NTFS files within a computer or across computers in a network domain.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Distributed Link Tracking Client
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: upnphost
Provides support to host Universal Plug and Play devices.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Universal Plug and Play Device Host
   DEPENDENCIES    : SSDPSRV
          : HTTP
   SERVICE_START_NAME: NT AUTHORITY\LocalService
   FAIL_RESET_PERIOD : -1 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 0 seconds

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Uninterruptible Power Supply
   DEPENDENCIES    :
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Volume Shadow Copy
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: W32Time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Windows Time
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 5 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 60000 seconds
          : Restart   DELAY: 60000 seconds

SERVICE_NAME: WANMiniportService
(null)
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : "C:\WINDOWS\wanmpsvc.exe"
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : WAN Miniport (ATW) Service
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP : NetworkProvider
   TAG       : 0
   DISPLAY_NAME    : WebClient
   DEPENDENCIES    : MRxDAV
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: winmgmt
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Windows Management Instrumentation
   DEPENDENCIES    : RPCSS
          : Eventlog
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 60000 seconds
          : Restart   DELAY: 60000 seconds

SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Portable Media Serial Number Service
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Wmi
Provides systems management information to and from drivers.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Windows Management Instrumentation Driver Extensions
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WmiApSrv
Provides performance library information from WMI HiPerf providers.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\wbem\wmiapsrv.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : WMI Performance Adapter
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wscsvc
Monitors system security settings and configurations.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Security Center
   DEPENDENCIES    : RpcSs
          : winmgmt
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Automatic Updates
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
Provides automatic configuration for the 802.11 adapters
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : TDI
   TAG       : 0
   DISPLAY_NAME    : Wireless Zero Configuration
   DEPENDENCIES    : RpcSs
          : Ndisuio
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: xmlprov
Manages XML configuration files on a domain basis for automatic network provisioning.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Network Provisioning Service
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: Guest on January 04, 2005, 06:41:00 PM: I have to look into the error your getting
I forgot to ask you to delete this folder

C:\Program Files\VBouncer <--folder

One thing I noticed is this where your running hijackthis from when your generating a startuplist?
C:\Program Files\hi\hi.exe
or from here
C:\Documents and Settings\james sosby\Desktop\HijackThis.exe
But I also see this in the startup list
C:\Program Files\hi\Hijackthis.exe.exe

Would you mind redownloading Hijackthis 1.99
from This Link--CLICK HERE (http://\"https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe\") or This Link--CLICK HERE (http://\"http://aumha.org/downloads/hijackthis.exe\")
and try running another scan, don't rename it or anything
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: Guest on January 04, 2005, 06:48:44 PM: C:\Program Files\hi\hi.exe - v. 1.99 that crashes (i renamed it in case it was targeted that way)

C:\Documents and Settings\james sosby\Desktop\HijackThis.exe - v. 1.98

I redownloaded hijackthis 1.99 and ran it from the desktop and received the same crash result.

Do you need me to record the crash error via another method?
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 04, 2005, 06:50:01 PM: No, let me look into it and see what I come up with

Are you sure you unzipped remv3.zip before running it?

EDIT>>and you made sure that you ran
remv3.bat in Safe mode?

One more edit
If your sure that msde.dll was in this directory

C:\WINDOWS\System32

go ahead and delete msde.old
Make sure it's in the System32 folder

Let me know if that makes any change
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: Guest on January 04, 2005, 07:47:07 PM: I was certain i did the first time, i will delete msde.old.

Here is the new log, the only file that is listed is the same from before, msi.dll:

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
msi.dll
Finished
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: guestolo on January 04, 2005, 08:15:00 PM: msi.dll is legit
Let me look into this further
Thanks for helping out.....

Can't remember if I asked
Is everything running good?
Make sure you delete the VBouncer folder

If I find out anything I'll post back
Title: cws.bootconf, cws.svchost32, and other trojan crap
Post by: Guest on January 04, 2005, 08:28:05 PM: I deleted vbouncer.

Oh ya, everything is running real good. Many thanks putting my computer back together /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />