TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Guest_irish-paddy_* on March 28, 2005, 04:35:34 PM

Title: Computer infected
Post by: Guest_irish-paddy_* on March 28, 2005, 04:35:34 PM
Well guestolo, how's it going. My computer got infected with about:blank.
I followed the instructions you gave others with the same problem and have got my homepage fixed, but I know my computer is still infected with something because I can only open HijackThis, TDS3, etc. in safe mode.

I've done a few scans and everything; Ad-Aware doesn't find anything. Also I can't get into the Custom and Default tabs in Internet Options/Security to enable scripting, so I can't get into Email Removed or anything.

Here's my log, hope you can help. Cheers guestolo, you're a legend.


Logfile of HijackThis v1.99.0
Scan saved at 22:19:30, on 28/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKLM\..\Run: [outpost] C:\Documents and Settings\Patrick Deighan\Local Settings\Temp\OutpostProInstall.exe
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [winmgr] C:\WINDOWS\System32\winmgr.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Title: Computer infected
Post by: Guest_irish-paddy_* on March 28, 2005, 04:38:32 PM
P.S. Having trouble logging in, which is why I'm logged in as guest.
Title: Computer infected
Post by: guestolo on March 29, 2005, 10:12:25 AM
Just on my way out Irish, could you do the following while waiting.
Download this virus checker from eScan:
Mwav.exe (ftp://ftp.microworldsystems.com/download/tools/mwav.exe)
There's nothing to install, save it and then double click to run.
It will self extract.

Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information pane, left click and highlight all the info in the lower pane. Use the CTRL and C keys on your keyboard to copy everything found in the lower pane and save it to a Notepad file.

****If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.
We just want to see where the bad guys are.
Title: Computer infected
Post by: Guest_irish-paddy_* on March 29, 2005, 07:59:34 PM
I already had that mwav but I just downloaded it again. Here are the results, and thanks again guestolo.


File C:\WINDOWS\System32\crmss.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\crmss.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\navapqwa.exe infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\PATRIC~1\MSDIRE~1.SYS infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "180Solutions Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\csrss.exe infected by "Trojan-Clicker.Win32.Small.dn" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\killzx.exe infected by "Trojan.Win32.KillFiles.hb" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\Messenger2.exe infected by "not-a-virus:AdWare.WinAD.i" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\rei.exe infected by "Trojan.Win32.LowZones.af" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\file.exe infected by "Trojan-Proxy.Win32.Cimuz.b" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\mqexdlm.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Gavin Deighan\msdirectx.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Karen Deighan\msdirectx.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000008.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000022.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000032.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001033.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\update\rei.exe infected by "Trojan.Win32.LowZones.af" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\csrss.exe infected by "Trojan-Clicker.Win32.Small.dn" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\killzx.exe infected by "Trojan.Win32.KillFiles.hb" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\Messenger2.exe infected by "not-a-virus:AdWare.WinAD.i" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\rei.exe infected by "Trojan.Win32.LowZones.af" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\SYSTEM32\file.exe infected by "Trojan-Proxy.Win32.Cimuz.b" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\SYSTEM32\mqexdlm.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\csrss.exe infected by "Trojan-Clicker.Win32.Small.dn" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\killzx.exe infected by "Trojan.Win32.KillFiles.hb" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\Messenger2.exe infected by "not-a-virus:AdWare.WinAD.i" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\rei.exe infected by "Trojan.Win32.LowZones.af" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\SYSTEM32\file.exe infected by "Trojan-Proxy.Win32.Cimuz.b" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\SYSTEM32\mqexdlm.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
Title: Computer infected
Post by: guestolo on March 29, 2005, 08:28:34 PM
===Download the Pocket Killbox (http://www.downloads.subratam.org/KillBox.zip)
UNZIP it to a folder of your choice

Save the rest of these instructions to a Notepad file and save it to the desktop
Close down all other windows, disconnect from the Internet

Disable System Restore

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe


O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe

O4 - HKCU\..\Run: [winmgr] C:\WINDOWS\System32\winmgr.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe


After you have ticked the above entries, close all other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Run Pocket KillBox
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\System32\crmss.exe

Select the Delete button afterwards
The Red circle and a white X
Do the same for the below entries
For any file that won't delete keep track of them, we'll need those in a bit

Do the same for these file names
C:\WINDOWS\system32\navapqwa.exe
C:\DOCUME~1\PATRIC~1\MSDIRE~1.SYS
C:\WINDOWS\csrss.exe
C:\WINDOWS\killzx.exe
C:\WINDOWS\Messenger2.exe
C:\WINDOWS\rei.exe
C:\WINDOWS\SYSTEM32\file.exe
C:\Documents and Settings\Gavin Deighan\msdirectx.sys
C:\Documents and Settings\Karen Deighan\msdirectx.sys
C:\update\rei.exe
C:\WINDOWS\System32\mqexdlm.srg


For any file that won't delete
Use the Replace on Reboot radio button
Additionally, put a tick in the "Use Dummy"
When prompted to Replace on Reboot>>Click YES
If prompted to Reboot NOW>>Click NO until you have added the last path to the file name
At which time>>Select YES to Reboot NOW
or Restart anyways

Please try and Restart into Normal mode
Re-enable System Restore
Post back a fresh log from there
Title: Computer infected
Post by: Guest_irish-paddy_* on March 31, 2005, 01:06:32 PM
Deleted them all. This is the only one that didn't delete:
C:\WINDOWS\csrss.exe

Used the Replace on Reboot radio button.
Additionally, put a tick in the "Use Dummy".


Here's the new log

Logfile of HijackThis v1.99.0
Scan saved at 19:05:18, on 31/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SoftPerfect Personal Firewall\fw.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Title: Computer infected
Post by: guestolo on March 31, 2005, 07:40:10 PM
Are you still having problems signing into the forum?

This file here is a legitimate file, don't try and delete it in the System32 folder
C:\WINDOWS\system32\csrss.exe

We're just after this one
C:\WINDOWS\csrss.exe

It may be confusing because we were also after this bad guy
C:\WINDOWS\System32\crmss.exe

Notice the spelling

Let's try this again
Save these instructions to a Notepad file on the desktop and then leave it open

Disconnect completely from the Internet
Close all other windows, including this one

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe

O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe

O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe


After you have ticked the above entries, close all other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Next, with only Pocket KillBox open:
Run Pocket KillBox
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\csrss.exe

Select the Delete button afterwards
The Red circle and a white X
If it won't delete or not found
Use the Replace on Reboot>>Use Dummy options
Then click the Red Circle and the white X

Restart the computer and post a fresh Hijackthis log

Let me know how things are running

Can you also let me know the following
If I remember correctly you were using Outpost as your Firewall protection
Now I see that you have this entry in your log
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
Which Firewall protection are you running now?
Do you still have Outpost installed?
I see some entries in your log that may be leftovers
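The distinction guestolo draws above (the legitimate C:\WINDOWS\system32\csrss.exe versus the C:\WINDOWS\csrss.exe that eScan flagged, and crmss.exe as a look-alike of csrss.exe) can be checked mechanically over a HijackThis log. The script below is an added example, not a tool from this thread: it parses a few lines copied from the logs above and flags O4 entries that are bare file names, core system process names found outside System32, and names within two edits of a system process name. The set of core process names and the System32 path are assumptions for Windows XP.

```python
r"""Heuristic triage of HijackThis log lines for the two patterns discussed in
this thread: a core system process name running outside System32
(C:\WINDOWS\csrss.exe versus C:\WINDOWS\system32\csrss.exe) and look-alike
names such as crmss.exe. Added example, not a tool from the thread."""
import re

# Assumption: core Windows XP processes that legitimately run from System32 only.
SYSTEM_PROCS = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "alg.exe"}
SYSTEM32_DIR = r"c:\windows\system32"

# O4 registry autostart line: "O4 - HKLM\..\Run: [label] command".
# (Global Startup shortcut lines use a different layout and are skipped.)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
# A line from the "Running processes" section is just a drive-letter path.
PROC_RE = re.compile(r"^[A-Za-z]:\\")
# First token of a command line: a quoted path, or an unquoted path/name that
# runs up to the program extension (unquoted paths may contain spaces).
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|com|scr|sys)))(?:\s|$)', re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_path(cmd):
    """Extract the program path (or bare file name) from an O4 command line."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else cmd.strip()


def check_path(path):
    """Return human-readable findings for one program path or bare file name."""
    directory, _, base = path.lower().replace("/", "\\").rpartition("\\")
    findings = []
    if not directory:
        # An O4 value with no path is resolved by a PATH search at logon.
        findings.append(f"bare file name '{base}': no fixed location")
    if base in SYSTEM_PROCS:
        if directory != SYSTEM32_DIR:
            where = directory or "no path"
            findings.append(f"system process name '{base}' outside System32 (in '{where}')")
    else:
        for sysname in sorted(SYSTEM_PROCS):
            d = edit_distance(base, sysname)
            if d <= 2:
                findings.append(f"'{base}' is {d} edit(s) from system process '{sysname}'")
    return findings


def triage_log(text):
    """Map each suspicious log line to its findings; clean lines are omitted."""
    flagged = {}
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
        elif PROC_RE.match(line):
            path = line
        else:
            continue
        findings = check_path(path)
        if findings:
            flagged[line] = findings
    return flagged


# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [winmgr] C:\WINDOWS\System32\winmgr.exe
"""

if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG).items():
        print(line)
        for finding in findings:
            print("   ->", finding)
    # The eScan hit lives in C:\WINDOWS, not System32: flagged as out of place.
    print(check_path(r"C:\WINDOWS\csrss.exe"))
```

The heuristics only cover the naming patterns discussed in the thread; winmgr.exe, which guestolo also removes, has a full path and no look-alike name, so it passes these checks and still needs a human eye.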
Title: Computer infected
Post by: Guest_irish-paddy_* on April 01, 2005, 10:21:52 AM
I changed my password but can't remember what I changed it to exactly. Got it sent to my Email Removed but can't get into Email Removed because Java is not enabled. Have tried but can't get into Custom on my Security tab in Internet Options. Think that has something to do with the virus.

Used Outpost for the free trial period but as soon as that ended my computer got infected. Downloaded SoftPerfect, don't really know how to use it. It's always changing security settings.

Here's my new log, everything seems to be OK but I just want to get in to enable my Java so I can get into Email Removed etc.

Are you still having problems signing into the forum?

This file here is a legitimate file, don't try and delete it in the System32 folder
C:\WINDOWS\system32\csrss.exe

We're just after this one
C:\WINDOWS\csrss.exe

It may be confusing because we were also after this bad guy
C:\WINDOWS\System32\crmss.exe

Notice the spelling

Let's try this again
Save these instructions to a Notepad file on the desktop and then leave it open

Disconnect completely from the Internet
Close all other windows, including this one

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe

O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe

O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe

After you have ticked the above entries, close all other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Next, with only Pocket KillBox open:
Run Pocket KillBox
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\csrss.exe

Select the Delete button afterwards
The Red circle and a white X
If it won't delete or not found
Use the Replace on Reboot>>Use Dummy options
Then click the Red Circle and the white X

Restart the computer and post a fresh Hijackthis log

Let me know how things are running

Can you also let me know the following
If I remember correctly you were using Outpost as your Firewall protection
Now I see that you have this entry in your log
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
Which Firewall protection are you running now?
Do you still have Outpost installed?
I see some entries in your log that may be leftovers
Title: Computer infected
Post by: Guest_irish-paddy_* on April 01, 2005, 10:26:03 AM
Oops!!

Posted back your instructions instead of my log :o

Logfile of HijackThis v1.99.0
Scan saved at 16:15:29, on 01/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SoftPerfect Personal Firewall\fw.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Title: Computer infected
Post by: guestolo on April 03, 2005, 12:24:53 AM
Can you try something, Microsoft Anti-Spyware Beta is having a good record at resetting default settings

You can download it from HERE (http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en)

Follow the steps in the Installation Wizard until it is ready to install the program. When the wizard is ready to install, click Install to begin installing Windows AntiSpyware (Beta).

When installation is complete, select the check box next to Launch Microsoft Windows AntiSpyware, and then click Finish.

When you click Finish on the window above, the welcome page of the Setup Assistant should open. The Setup Assistant will take you through the following four steps. Click Next to begin the setup process.

Step 1: Automatic updates:
You can configure Windows AntiSpyware for automatic updates. Automatic updates ensure that Windows AntiSpyware is kept up to date with the latest information about new spyware threats.

To configure this option, click Yes, automatically keep Microsoft AntiSpyware updated (recommended), and then click Next

Step 2: Real-time protection:
To enable real-time protection click Yes, help keep me secure (recommended), and then click Next.

Step 3: SpyNet anti-spyware community:
This option will automatically report potential threats to SpyNet servers. If you do not want MS AntiSpyware calling out and reporting threats on your system to a remote server, click No, and then click Next.

Step 4: Scan your computer:
The final step of the Setup Assistant allows you to specify whether you'd like to schedule an automatic scan and also shows you how to perform an initial scan of your computer.

To configure Windows AntiSpyware to run a spyware scan automatically, select the box next to Run a spyware scan every night at 2 a.m. How to set up a scheduled spyware scan (http://www.microsoft.com/athome/security/spyware/software/howto/scanauto.mspx)

To scan your computer for spyware, click Run Quick Scan Now.

After the scan has been completed, you'll see a window with the preliminary results of your scan. To see more detailed results click View Results.

To take the recommended action, click the Continue button at the bottom of the spyware scan results window.

Restart your computer afterwards and post back a fresh Hijackthis log

Note: Those are generic instructions for setting up Antispyware Beta
I don't have the Scheduled scan running, I update it and check manually every couple of weeks
The Autoupdater, I don't have enabled, I manually check for updates before I run the scan
Step 3, I'll leave that up to you, I clicked No
Title: Computer infected
Post by: Guest_irish-paddy_* on April 05, 2005, 04:30:16 PM
It didn't work, I just got this message:

''Validation Not Completed: ActiveX Error
We are unable to validate your Windows installation at this time. It appears that your internet settings will not allow the genuine ActiveX control to run properly, or you may not be the system administrator of the machine you are using. We hope that you'll return later to retry the validation process so that you may enjoy the full benefits of genuine Microsoft software.

If you believe your software is not genuine, you may take the following action:

Contact your reseller
Contact your PC or software reseller to determine why you are unable to validate Windows. You can print a report of your validation results to show your reseller that will help you determine what is wrong.

or

Purchase genuine Windows
If you believe you have received counterfeit Windows software, please submit a piracy report. You may also purchase genuine Windows software to replace your existing copy.''

My computer is working OK. I just can't get into Custom in Security Settings/Internet Options.

If I log on as a different user I can get into Custom/Security Settings.

Might just delete me as a user altogether and log in as someone else.

Here's a fresh log if it makes a difference

Logfile of HijackThis v1.99.0
Scan saved at 22:28:23, on 05/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\SoftPerfect Personal Firewall\fw.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Title: Computer infected
Post by: Guest_irish-paddy_* on April 06, 2005, 09:15:28 AM
Do you think my computer is OK to use then? I think I might just delete my user account altogether and make a new one. What do you think?
Title: Computer infected
Post by: Guest_irish-paddy_* on April 06, 2005, 08:39:22 PM
Finally got it done!!!

Sorry it took so long, guestolo!! Here's my log

Logfile of HijackThis v1.99.0
Scan saved at 02:37:06, on 07/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SoftPerfect Personal Firewall\fw.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
Title: Computer infected
Post by: guestolo on April 06, 2005, 10:44:45 PM
How's everything running?
Did you get Outpost completely uninstalled?
If so you can probably remove these entries with Hijackthis
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)

I don't know much about SoftPerfect Personal Firewall, I hope it's reliable
How is it working for you?

Your log looks good
Title: Computer infected
Post by: Guest_irish-paddy_* on April 07, 2005, 07:17:48 AM
Everything is running good. Deleted those entries and restored all my IE settings, but still I can't get into Email Removed etc. from my login. The Custom button in Internet Options/Security settings is still blanked out (faded) and won't let me in to enable Java???

I'm an administrator; I don't know why I can't get into this? All other users can get into this.


Apart from that everything is running fine. Cheers for all your help mate
Title: Computer infected
Post by: Guest_irish-paddy_* on April 07, 2005, 07:25:33 AM
Outpost is completely removed.

SoftPerfect seems OK but I'll probably change it, don't really trust it too much
Title: Computer infected
Post by: Guest_irish-paddy_* on April 07, 2005, 09:11:19 AM
Just done a scan with MWAV; all of these viruses were found,


File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "180Solutions Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.

File C:\!Submit\crmss.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

File C:\!Submit\file.exe infected by "Trojan-Proxy.Win32.Cimuz.b" Virus. Action Taken: No Action Taken.

File C:\!Submit\killzx.exe infected by "Trojan.Win32.KillFiles.hb" Virus. Action Taken: No Action Taken.

File C:\!Submit\Messenger2.exe infected by "not-a-virus:AdWare.WinAD.i" Virus. Action Taken: No Action Taken.

File C:\!Submit\mqexdlm.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\!Submit\msdirectx.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\!Submit\MSDIRE~1.SYS infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\!Submit\navapqwa.exe infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: No Action Taken.

File C:\!Submit\rei.exe infected by "Trojan.Win32.LowZones.af" Virus. Action Taken: No Action Taken.

Here's another log too, if it helps

Logfile of HijackThis v1.99.0
Scan saved at 15:08:26, on 07/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\SoftPerfect Personal Firewall\fw.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Title: Computer infected
Post by: guestolo on April 08, 2005, 05:47:08 PM
Could you take a look at this site and check to see if you have any files or folders that need deleting
http://www.sarc.com/avcenter/venc/data/trojan.lowzones.html

We may have to edit the registry if you can't do the recommendations in the Security tab
Title: Computer infected
Post by: Guest on April 09, 2005, 11:52:14 AM
:(   Sorry, couldn't do the recommendations,

Will I just go into the infected files and delete them myself? Or do I need them
Title: Computer infected
Post by: Guest_irish-paddy_* on April 09, 2005, 11:54:07 AM
For example, all files in C:\!Submit seem to be infected, would I be able to just delete these myself??
Title: Computer infected
Post by: guestolo on April 09, 2005, 12:48:19 PM
You can go ahead and delete C:\!Submit <--this folder
It was just made by Killbox, nothing to worry about

Let's see what else we can clean out

Can you download and save to desktop
FixBinet.exe (http://securityresponse.symantec.com/avcenter/FixBinet.exe)
By Symantec

Run it and let it clean what it finds, save a log if given a choice
Restart the computer afterwards

Also download
Fix180Sh.exe (http://securityresponse.symantec.com/avcenter/Fix180Sh.exe)
Run it and restart

Post the log from it if you have one

Did you delete the files and folders recommended by Symantec in the other link I gave you???
The ones in the temp directory don't worry about

Do the following
Enter your add/Remove programs and remove Sidefind if found
If not try the following
Open up a notepad file and save the below in bold
C:\Program Files\Sidefind\update\sidefind.exe /remove

Close down all browsers and copy and paste that entry into
START>>RUN
open field and hit Enter

You're looking to delete these folders
C:\Program Files\180Solutions
C:\Program Files\Internet Optimizer
C:\Program Files\Media Access
C:\Program Files\SideFind

and these files
C:\WINDOWS\system32\auto_update_uninstall.exe
C:\WINDOWS\lohmvql.exe
C:\WINDOWS\nem220.dll
C:\WINDOWS\qoqek.exe
C:\WINDOWS\zeta.exe
C:\Documents and Settings\Patrick Deighan\Favorites\Adult Sites
C:\Documents and Settings\Patrick Deighan\Favorites\Free Adult Content

After you delete the other files or folders run Windows CleanUp! and then log off and back on the computer

Could you also do the following
Open an empty Notepad file
Copy and paste the below in the CODE box to the notepad file
and save it to your desktop
Name it Export.bat <<--important

Code:
@echo off
REM Export the current user's IE security-zone settings to a temporary .reg file
regedit /e C:\temp.reg "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
REM Copy the export into Display.txt and open it in Notepad (the batch waits until Notepad is closed)
more C:\temp.reg >> C:\Display.txt
notepad C:\Display.txt
REM Remove both temporary files afterwards
del /q c:\temp.reg
del /q C:\Display.txt

Double click on Export.bat and post back the findings
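As an added example (not code from the thread or from guestolo), the script below reads the zone export that Export.bat displays and reports the per-zone settings that have been lowered, which is what a LowZones-type trojan changes; the level names, the Flags bit and the Medium defaults follow Microsoft KB182569, and the embedded sample export is constructed for the demo.

```python
"""Audit an Internet Explorer security-zone export (added example, not thread code).

Parses the .reg text that "regedit /e ... Internet Settings\\Zones" produces, as
Export.bat above displays it, and reports per-zone settings that lower security,
the kind of change a LowZones-type trojan makes. Level names, Flags bits and the
Medium defaults follow Microsoft KB182569; SAMPLE_EXPORT is constructed."""
import re

# Preset levels stored in CurrentLevel / MinLevel / RecommendedLevel.
LEVELS = {0x10000: "Low", 0x10500: "Medium-Low", 0x11000: "Medium", 0x12000: "High"}
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
# Flags bit 0x1 = "Allow changes to custom settings" (enables the Custom Level button).
FLAG_CUSTOM_EDIT = 0x1
# URL actions that Medium never leaves fully enabled in the Internet zone, with the
# value Medium assigns to each (0 = enable, 1 = prompt, 3 = disable).
MEDIUM_MINIMUM = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1406": ("Access data sources across domains", 3),
    "1804": ("Launch programs and files in an IFRAME", 1),
}
ENABLED = 0

SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})\s*$')

# Constructed sample: Trusted sites at its default; Internet dropped to Low, custom
# editing locked, and two download actions forced to "enable".
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
@=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"DisplayName"="Trusted sites"
"CurrentLevel"=dword:00010000
"MinLevel"=dword:00010000
"Flags"=dword:00000047

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00010000
"MinLevel"=dword:00011000
"Flags"=dword:00000000
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000003
"1406"=dword:00000003
"1804"=dword:00000001
"ExampleBlob"=hex:30,82,01,fc,03,02,00,00,30,82,01,\
  f4,30,81,cc,06,0a,2b,06,01,04,01,82,37,0f,03,01
'''

def parse_zones(reg_text):
    """Return {zone_number: {value_name: int}}; only dword values are kept, so the
    @="" default and multi-line hex:(...) blobs in a Zones export are skipped."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            tail = sec.group(1).rsplit("\\", 1)[-1]
            current = zones.setdefault(int(tail), {}) if tail.isdigit() else None
            continue
        val = DWORD_RE.match(line)
        if current is not None and val:
            current[val.group(1)] = int(val.group(2), 16)
    return zones

def level_name(value):
    """Preset name for a level dword; anything else is reported as custom."""
    return LEVELS.get(value, "Custom (0x%08x)" % value)

def audit_zone(number, values):
    """Return findings for one zone; an empty list means nothing looks lowered."""
    findings = []
    name = ZONE_NAMES.get(number, "zone %d" % number)
    cur, low = values.get("CurrentLevel"), values.get("MinLevel")
    if cur in LEVELS and low in LEVELS and cur < low:
        findings.append(f"{name}: level {level_name(cur)} is below the zone minimum {level_name(low)}")
    if not (values.get("Flags", 0) & FLAG_CUSTOM_EDIT):
        findings.append(f"{name}: custom-level editing is disabled (Flags bit 0x1 clear)")
    if number == 3:
        for action, (label, expected) in MEDIUM_MINIMUM.items():
            if values.get(action) == ENABLED:
                findings.append(f"{name}: action {action} ({label}) is enabled; Medium sets it to {expected}")
    return findings

def audit(reg_text):
    """Parse and audit every zone in an export; findings come back in zone order."""
    zones = parse_zones(reg_text)
    return [f for number in sorted(zones) for f in audit_zone(number, zones[number])]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT) or ["no lowered settings found"]:
        print(finding)
```

To run it against a real export, save the text Export.bat shows to a file and pass its contents to audit(); regedit writes the export as UTF-16, so open the file with that encoding.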
Title: Computer infected
Post by: guestolo on April 10, 2005, 07:39:00 PM
Can you also try the following for me

Download and Unzip to desktop
Cleanbube.zip so you now have Cleanbube.reg on the desktop

Double click on Cleanbube.reg and allow to merge to the registry

Restart your computer and try accessing your options in the Security tab
Title: Computer infected
Post by: Guest_irish-paddy_* on April 11, 2005, 06:58:26 AM
FixBinet.exe
adaware.betterinternet NOT FOUND

Fix180Sh.exe FOUND NOTHING EITHER

Couldn't find ANY of the files or folders, didn't really know what to do on the Symantec website

Sidefind NOT FOUND
C:\Program Files\Sidefind\update\sidefind.exe /remove   NOT FOUND

NONE of these were there either!!
C:\Program Files\180Solutions
C:\Program Files\Internet Optimizer
C:\Program Files\Media Access
C:\Program Files\SideFind

NONE of these were there either. Checked my folder options just to make sure hidden files were being shown; they were, but still I couldn't find ANY of the files or folders
C:\WINDOWS\system32\auto_update_uninstall.exe
C:\WINDOWS\lohmvql.exe
C:\WINDOWS\nem220.dll
C:\WINDOWS\qoqek.exe
C:\WINDOWS\zeta.exe
C:\Documents and Settings\Patrick Deighan\Favorites\Adult Sites
C:\Documents and Settings\Patrick Deighan\Favorites\Free Adult Content

Done Windows CleanUp! Here's the Export.bat log,

Export.bat

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
@=""
"SelfHealCount"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
@=""
"DisplayName"="My Computer"
"Description"="Your computer"
"Icon"="explorer.exe#0100"
"CurrentLevel"=dword:00000000
"Flags"=dword:00000021
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000003
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000003
"1407"=dword:00000000
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
"1608"=dword:00000000
"1609"=dword:00000001
"1800"=dword:00000000
"1802"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000000
"1805"=dword:00000000
"1A00"=dword:00000000
"1A02"=dword:00000000
"1A03"=dword:00000000
"1A04"=dword:00000000
"1A05"=dword:00000000
"1A06"=dword:00000000
"1A10"=dword:00000000
"1C00"=hex:00,00,00,00
"1E05"=dword:00030000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
@=""
"DisplayName"="Local intranet"
"Description"="This zone contains all Web sites that are on your organization's intranet."
"Icon"="shell32.dll#0018"
"CurrentLevel"=dword:00000000
"MinLevel"=dword:00010000
"RecommendedLevel"=dword:00010500
"Flags"=dword:000000db
"1001"=dword:00000000
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000000
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000003
"1407"=dword:00000000
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
"1608"=dword:00000000
"1609"=dword:00000001
"1800"=dword:00000001
"1802"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000001
"1805"=dword:00000000
"1A00"=dword:00000000
"1A02"=dword:00000000
"1A03"=dword:00000000
"1A04"=dword:00000000
"1A05"=dword:00000000
"1A06"=dword:00000000
"1A10"=dword:00000000
"1C00"=hex:00,00,03,00
"1E05"=dword:00020000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
@=""
"DisplayName"="Trusted sites"
"Description"="This zone contains Web sites that you trust not to damage your computer or data."
"Icon"="inetcpl.cpl#00004480"
"CurrentLevel"=dword:00000000
"MinLevel"=dword:00010000
"RecommendedLevel"=dword:00010000
"Flags"=dword:00000047
"1001"=dword:00000000
"1004"=dword:00000001
"1200"=dword:00000000
"1201"=dword:00000001
"1400"=dword:00000000
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000000
"1407"=dword:00000000
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
"1608"=dword:00000000
"1609"=dword:00000001
"1800"=dword:00000000
"1802"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000000
"1805"=dword:00000000
"1A00"=dword:00000000
"1A02"=dword:00000000
"1A03"=dword:00000000
"1A04"=dword:00000000
"1A05"=dword:00000000
"1A06"=dword:00000000
"1A10"=dword:00000000
"1C00"=hex:00,00,02,00
"1E05"=dword:00030000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
@=""
"DisplayName"="Internet"
"Description"="This zone contains all Web sites you haven't placed in other zones"
"Icon"="inetcpl.cpl#001313"
"CurrentLevel"=dword:00011000
"MinLevel"=dword:00011000
"RecommendedLevel"=dword:00011000
"Flags"=dword:00000000
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000000
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000003
"1407"=dword:00000000
"1601"=dword:00000001
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
"1608"=dword:00000000
"1609"=dword:00000001
"1800"=dword:00000001
"1802"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000001
"1805"=dword:00000000
"1A00"=dword:00020000
"1A02"=dword:00000000
"1A03"=dword:00000000
"1A04"=dword:00000003
"1A05"=dword:00000001
"1A06"=dword:00000000
"1A10"=dword:00000001
"1C00"=dword:00010000
"1E05"=dword:00020000
  0d,05,5d,4c,29,1d,17,1f,75,53,0c,2d,26,1e,4f,79,1e,1d,22,28,40,52,3f,38,18,\
  34,48,7a,22,12,01,01,66,1c,44,73,41,0b,22,2a,41,3a,19,16,21,2d,42,73,41,0b,\
  22,2a,41,1c,24,01,4f,2d,5b,53,5e,35,1e,22,75,27,1d,22,66,1c,7c,50,68,3a,3b,\
  34,4f,06,1e,11,4f,2d,5b,53,5e,35,1e,22,48,1c,18,2d,6e,02,68,4a,44,3f,2d,31,\
  6d,35,05,33,66,21,41,7b,5b,03,38,02,40,3a,31,29,15,21,41,7b,5b,23,27,3c,7c,\
  08,3f,1d,4f,2d,5b,53,5e,35,1e,22,75,24,1e,26,36,1d,56,76,74,3e,03,1c,40,1c,\
  24,0b,29,01,7c,50,68,3a,3b,34,4f,0b,0a,31,28,30,21,41,7b,5b,23,27,0a,56,1c,\
  24,0d,1b,36,1d,56,76,74,03,38,0a,56,0e,38,01,01,66,1c,44,4f,56,06,13,0a,56,\
  0b,31,31,1e,20,28,74,4e,68,23,26,0a,56,1c,31,20,1e,20,28,74,4e,7c,20,13,0a,\
  56,12,30,12,01,66,1c,44,4f,56,06,1b,2b,71,25,2d,23,16,15,39,5f,73,41,0b,22,\
  2a,41,2a,07,15,3c,4f,2d,5b,53,5e,35,1e,22,48,0f,28,2a,3c,4f,2d,5b,53,7c,20,\
  13,35,5d,3e,39,06,34,21,2d,42,73,41,08,38,27,41,00,33,1e,4f,2d,5b,53,5e,36,\
  04,17,75,21,07,22,66,1c,7c,50,68,3b,25,3b,4f,0d,15,01,4f,2d,5b,53,5e,36,04,\
  17,48,0b,18,3c,6e,02,68,4a,44,3e,37,02,6d,2b,06,25,66,21,41,7b,5b,1c,3e,17,\
  40,3a,31,24,15,21,41,7b,5b,24,39,31,7c,12,38,17,4f,2d,5b,53,5e,36,04,17,75,\
  35,08,38,36,1d,56,76,74,3f,09,2f,40,07,37,17,29,01,7c,50,68,3b,25,3b,4f,07,\
  1f,3e,16,05,7c,50,68,3b,25,3b,75,25,12,3f,28,29,01,5e,45,67,14,1d,3c,75,21,\
  0f,3c,3c,4f,2d,5b,53,5e,36,04,17,75,27,09,3c,04,28,1b,67,6b,5f,08,21,2a,75,\
  20,0e,2c,04,28,1b,67,6b,5f,1c,3e,17,75,35,0e,3f,3c,4f,2d,5b,53,5e,36,04,1f,\
  56,12,30,32,1e,20,28,74,4e,7c,21,09,26,5d,24,3f,1a,34,6e,02,68,4a,44,3e,37,\
  02,6d,2b,08,21,09,6e,02,68,4a,44,1c,3e,17,40,2f,20,31,27,06,1c,68,53,7c,21,\
  09,26,5d,3e,07,20,3c,4f,2d,5b,53,5e,2e,07,1d,75,25,12,3f,66,1c,7c,50,68,23,\
  24,31,4f,07,1f,01,4f,2d,5b,53,5e,2e,07,1d,48,0e,21,2c,6e,02,68,4a,44,26,36,\
  0c,6d,3e,06,32,66,21,41,7b,5b,14,21,01,40,30,30,3a,15,21,41,7b,5b,3c,3e,3f,\
  7c,12,38,12,4f,2d,5b,53,5e,2e,07,1d,75,3b,01,2e,36,1d,56,76,74,37,08,19,40,\
  10,21,09,29,01,7c,50,68,23,24,31,4f,0a,0e,32,16,05,7c,50,68,23,24,31,75,21,\
  07,20,66,1c,44,4f,56,1f,14,05,56,00,33,16,1b,6e,02,68,4a,44,26,36,0c,6d,1c,\
  24,0d,1b,36,1d,56,76,74,37,08,19,40,06,3e,0d,1b,36,1d,56,76,74,37,1c,26,71,\
  03,27,1d,1b,6e,02,68,4a,44,26,36,0c,75,35,0e,3f,04,28,1b,67,6b,5f,14,21,01,\
  40,3a,31,24,27,06,21,41,7b,5b,3c,3e,3f,7c,12,38,1f,02,3b,21,41,7b,5b,3c,1c,\
  26,71,2f,24,39,16,15,39,5f,7b,42,14,21,01,40,2f,20,1f,01,6e,02,68,4a,44,26,\
  36,0c,6d,1c,24,03,01,66,1c,7c,50,68,20,3a,39,4f,0b,0a,1e,4f,2d,5b,53,5e,2f,\
  01,15,48,08,27,2c,6e,02,68,4a,44,21,2c,04,6d,39,1d,22,66,21,41,7b,5b,15,3b,\
  09,40,23,30,2b,15,21,41,7b,5b,3d,24,37,7c,08,39,00,4f,2d,5b,53,5e,2f,01,15,\
  75,3b,01,2d,36,1d,56,76,74,28,02,21,40,1a,26,1f,29,01,7c,50,68,20,3a,39,4f,\
  1b,14,30,16,05,7c,50,68,20,3a,39,75,24,16,3c,66,1c,44,4f,56,1c,12,1d,56,1c,\
  24,0b,29,21,41,7b,5b,3d,24,37,7c,18,12,3f,28,29,01,5e,45,67,0d,35,09,49,29,\
  07,22,28,29,01,5e,45,67,0d,35,1d,56,0e,1d,22,28,29,21,41,7b,5b,3d,24,37,7c,\
  03,27,1d,1b,36,1d,56,76,74,28,1a,3e,71,2f,2e,32,16,15,39,7c,50,68,20,3a,39,\
  4f,01,1d,2d,28,30,0c,7c,50,68,20,3a,1d,56,12,30,3f,1e,20,28,74,4e,68,29,1a,\
  3e,71,2f,24,39,3c,4f,21,41,7b,5b,3d,24,37,7c,1f,16,3c,3c,4f,2d,5b,73,41,11,\
  25,25,41,36,0a,1b,3c,4f,2d,5b,53,5e,20,39,74
"1206"=dword:00000000
"2001"=dword:00000000
"2004"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
@=""
"DisplayName"="Restricted sites"
"Description"="This zone contains Web sites that could potentially damage your computer or data."
"Icon"="inetcpl.cpl#00004481"
"CurrentLevel"=dword:00000000
"MinLevel"=dword:00012000
"RecommendedLevel"=dword:00012000
"Flags"=dword:00000003
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000003
"1402"=dword:00000003
"1405"=dword:00000003
"1406"=dword:00000003
"1407"=dword:00000003
"1601"=dword:00000000
"1604"=dword:00000001
"1605"=dword:00000000
"1606"=dword:00000003
"1607"=dword:00000003
"1608"=dword:00000003
"1609"=dword:00000001
"1800"=dword:00000003
"1802"=dword:00000003
"1803"=dword:00000003
"1804"=dword:00000003
"1805"=dword:00000001
"1A00"=dword:00010000
"1A02"=dword:00000003
"1A03"=dword:00000003
"1A04"=dword:00000003
"1A05"=dword:00000003
"1A06"=dword:00000003
"1A10"=dword:00000003
"1C00"=dword:00000000
"1E05"=dword:00010000
"{AEBA21FA-782A-4A90-978D-B72164C80120}"=hex:1a,37,61,59,23,52,35,0c,7a,5f,20,\
  17,2f,1e,1a,19,0e,2b,01,73,13,37,13,12,14,1a,15,39
"{A8A88C49-5EB2-4990-A1A2-0876022C854F}"=hex:1a,37,61,59,23,52,35,0c,7a,5f,20,\
  17,2f,1e,1a,19,0e,2b,01,73,13,37,13,12,14,1a,15,39
Title: Computer infected
Post by: Guest_irish-paddy_* on April 11, 2005, 07:01:11 AM
Downloaded and unzipped Cleanbube.zip

Allowed it to merge into the registry

:( but still can't get into Custom in Security options
Title: Computer infected
Post by: guestolo on April 11, 2005, 02:09:54 PM
One more request: I want to see what else was changed in the registry.

Since you've merged cleanbube.reg,
can you now double-click on Export.bat and post back the findings?

Also,
can you download and unzip Find.zip to the desktop,
so you have Find.bat on your desktop?
Double-click on Find.bat and post back the findings.
I would ask you to upload the findings, but you can't log in to the site.
I'll edit out the list afterwards so I can compare your settings to mine.
Title: Computer infected
Post by: irish-paddy on April 11, 2005, 04:36:15 PM
:) Finally got logged on!!!!

But the computer is getting far worse; programs are not responding all the time. :unsure:

Can't download that because it just keeps not responding.

My Microsoft firewall has been turned off and it won't let me turn it back on again!!! Export.bat also keeps saying program not responding.

Have done scans with everything in safe mode, but the computer keeps getting worse.
Title: Computer infected
Post by: irish-paddy on April 11, 2005, 04:48:04 PM
Got it working, here's a HijackThis log if it's any use?

Logfile of HijackThis v1.99.0
Scan saved at 22:42:42, on 11/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\SoftPerfect Personal Firewall\fw.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: Deepsight Extractor - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: DeepSight Extractor Service for NPF03 - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
O23 - Service: DeepSight Extractor Service for NPF04 - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

HERE'S EXPORT.BAT

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
@=""
"SelfHealCount"=dword:00000001
"1001"=dword:00000001
"1004"=dword:00000001
"1200"=dword:00000000
"1809"=dword:00000003

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
@=""
"DisplayName"="My Computer"
"Description"="Your computer"
"Icon"="explorer.exe#0100"
"CurrentLevel"=dword:00000000
"Flags"=dword:00000021
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000003
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000003
"1407"=dword:00000000
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
"1608"=dword:00000000
"1609"=dword:00000001
"1800"=dword:00000000
"1802"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000000
"1805"=dword:00000000
"1A00"=dword:00000000
"1A02"=dword:00000000
"1A03"=dword:00000000
"1A04"=dword:00000000
"1A05"=dword:00000000
"1A06"=dword:00000000
"1A10"=dword:00000000
"1C00"=hex:00,00,00,00
"1E05"=dword:00030000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
@=""
"DisplayName"="Local intranet"
"Description"="This zone contains all Web sites that are on your organization's intranet."
"Icon"="shell32.dll#0018"
"CurrentLevel"=dword:00000000
"MinLevel"=dword:00010000
"RecommendedLevel"=dword:00010500
"Flags"=dword:000000db
"1001"=dword:00000000
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000000
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000003
"1407"=dword:00000000
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
"1608"=dword:00000000
"1609"=dword:00000001
"1800"=dword:00000001
"1802"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000001
"1805"=dword:00000000
"1A00"=dword:00000000
"1A02"=dword:00000000
"1A03"=dword:00000000
"1A04"=dword:00000000
"1A05"=dword:00000000
"1A06"=dword:00000000
"1A10"=dword:00000000
"1C00"=hex:00,00,03,00
"1E05"=dword:00020000
"{7839DA25-F5FE-11D0-883B-0080C726DCBB}"=hex:30,82,01,fc,03,02,00,00,30,82,01,\
  f4,30,81,cc,06,0a,2b,06,01,04,01,82,37,0f,03,01,30,81,bd,06,09,2b,06,01,04,\
  01,82,37,0f,01,31,81,af,30,81,ac,03,01,00,30,81,a6,a0,20,30,1e,06,09,2b,06,\
  01,04,01,82,37,04,04,30,11,01,01,00,30,08,14,06,61,70,70,6c,65,74,30,00,30,\
  00,a0,17,30,15,06,09,2b,06,01,04,01,82,37,04,07,30,08,03,02,00,01,03,02,00,\
  02,a0,11,30,0f,06,09,2b,06,01,04,01,82,37,04,0c,03,02,00,02,a0,21,30,1f,06,\
  09,2b,06,01,04,01,82,37,04,01,30,12,01,01,ff,01,01,00,01,01,00,01,01,00,01,\
  01,00,01,01,00,a0,17,30,15,06,09,2b,06,01,04,01,82,37,04,02,30,08,01,01,00,\
  01,01,ff,30,00,a0,1a,30,18,06,09,2b,06,01,04,01,82,37,04,03,30,0b,01,01,00,\
  01,01,00,02,01,00,14,00,30,81,fe,06,0a,2b,06,01,04,01,82,37,0f,03,02,30,81,\
  ef,06,09,2b,06,01,04,01,82,37,0f,01,31,81,e1,30,81,de,03,01,00,30,81,d8,a0,\
  20,30,1e,06,09,2b,06,01,04,01,82,37,04,04,30,11,01,01,00,30,08,14,06,61,70,\
  70,6c,65,74,30,00,30,00,a0,17,30,15,06,09,2b,06,01,04,01,82,37,04,07,30,08,\
  03,02,00,01,03,02,00,02,a0,11,30,0f,06,09,2b,06,01,04,01,82,37,04,0c,03,02,\
  00,02,a0,21,30,1f,06,09,2b,06,01,04,01,82,37,04,01,30,12,01,01,ff,01,01,00,\
  01,01,00,01,01,00,01,01,00,01,01,00,a0,17,30,15,06,09,2b,06,01,04,01,82,37,\
  04,02,30,08,01,01,00,01,01,ff,30,00,a0,1a,30,18,06,09,2b,06,01,04,01,82,37,\
  04,03,30,0b,01,01,00,01,01,00,02,01,00,14,00,a0,11,30,0f,06,09,2b,06,01,04,\
  01,82,37,04,0e,03,02,00,03,a0,1d,30,1b,06,09,2b,06,01,04,01,82,37,04,0f,30,\
  0e,30,08,02,01,00,02,03,10,00,00,03,02,00,00,30,22,06,0a,2b,06,01,04,01,82,\
  37,0f,03,03,30,14,06,09,2b,06,01,04,01,82,37,0f,01,31,07,30,05,03,01,00,30,\
  00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
@=""
"DisplayName"="Trusted sites"
"Description"="This zone contains Web sites that you trust not to damage your computer or data."
"Icon"="inetcpl.cpl#00004480"
"CurrentLevel"=dword:00000000
"MinLevel"=dword:00010000
"RecommendedLevel"=dword:00010000
"Flags"=dword:00000047
"1001"=dword:00000000
"1004"=dword:00000001
"1200"=dword:00000000
"1201"=dword:00000001
"1400"=dword:00000000
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000000
"1407"=dword:00000000
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
"1608"=dword:00000000
"1609"=dword:00000001
"1800"=dword:00000000
"1802"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000000
"1805"=dword:00000000
"1A00"=dword:00000000
"1A02"=dword:00000000
"1A03"=dword:00000000
"1A04"=dword:00000000
"1A05"=dword:00000000
"1A06"=dword:00000000
"1A10"=dword:00000000
"1C00"=hex:00,00,02,00
"1E05"=dword:00030000
"{7839DA25-F5FE-11D0-883B-0080C726DCBB}"=hex:30,82,01,fc,03,02,00,00,30,82,01,\
  f4,30,81,cc,06,0a,2b,06,01,04,01,82,37,0f,03,01,30,81,bd,06,09,2b,06,01,04,\
  01,82,37,0f,01,31,81,af,30,81,ac,03,01,00,30,81,a6,a0,20,30,1e,06,09,2b,06,\
  01,04,01,82,37,04,04,30,11,01,01,00,30,08,14,06,61,70,70,6c,65,74,30,00,30,\
  00,a0,17,30,15,06,09,2b,06,01,04,01,82,37,04,07,30,08,03,02,00,01,03,02,00,\
  02,a0,11,30,0f,06,09,2b,06,01,04,01,82,37,04,0c,03,02,00,02,a0,21,30,1f,06,\
  09,2b,06,01,04,01,82,37,04,01,30,12,01,01,ff,01,01,00,01,01,00,01,01,00,01,\
  01,00,01,01,00,a0,17,30,15,06,09,2b,06,01,04,01,82,37,04,02,30,08,01,01,00,\
  01,01,ff,30,00,a0,1a,30,18,06,09,2b,06,01,04,01,82,37,04,03,30,0b,01,01,00,\
  01,01,00,02,01,00,14,00,30,81,fe,06,0a,2b,06,01,04,01,82,37,0f,03,02,30,81,\
  ef,06,09,2b,06,01,04,01,82,37,0f,01,31,81,e1,30,81,de,03,01,00,30,81,d8,a0,\
  20,30,1e,06,09,2b,06,01,04,01,82,37,04,04,30,11,01,01,00,30,08,14,06,61,70,\
  70,6c,65,74,30,00,30,00,a0,17,30,15,06,09,2b,06,01,04,01,82,37,04,07,30,08,\
  03,02,00,01,03,02,00,02,a0,11,30,0f,06,09,2b,06,01,04,01,82,37,04,0c,03,02,\
  00,02,a0,21,30,1f,06,09,2b,06,01,04,01,82,37,04,01,30,12,01,01,ff,01,01,00,\
  01,01,00,01,01,00,01,01,00,01,01,00,a0,17,30,15,06,09,2b,06,01,04,01,82,37,\
  04,02,30,08,01,01,00,01,01,ff,30,00,a0,1a,30,18,06,09,2b,06,01,04,01,82,37,\
  04,03,30,0b,01,01,00,01,01,00,02,01,00,14,00,a0,11,30,0f,06,09,2b,06,01,04,\
  01,82,37,04,0e,03,02,00,03,a0,1d,30,1b,06,09,2b,06,01,04,01,82,37,04,0f,30,\
  0e,30,08,02,01,00,02,03,10,00,00,03,02,00,00,30,22,06,0a,2b,06,01,04,01,82,\
  37,0f,03,03,30,14,06,09,2b,06,01,04,01,82,37,0f,01,31,07,30,05,03,01,00,30,\
  00
"1005"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
@=""
"DisplayName"="Internet"
"Description"="This zone contains all Web sites you haven't placed in other zones"
"Icon"="inetcpl.cpl#001313"
"CurrentLevel"=dword:00011000
"MinLevel"=dword:00011000
"RecommendedLevel"=dword:00011000
"Flags"=dword:00000000
"1001"=dword:00000000
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000000
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000003
"1407"=dword:00000000
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
"1608"=dword:00000000
"1609"=dword:00000001
"1800"=dword:00000001
"1802"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000001
"1805"=dword:00000000
"1A00"=dword:00020000
"1A02"=dword:00000000
"1A03"=dword:00000000
"1A04"=dword:00000003
"1A05"=dword:00000001
"1A06"=dword:00000000
"1A10"=dword:00000001
"1C00"=dword:00010000
"1E05"=dword:00020000
"{AEBA21FA-782A-4A90-978D-B72164C80120}"=hex:1a,37,61,59,23,52,35,0c,7a,5f,20,\
  17,2f,1e,1a,19,0e,2b,01,73,1e,28,1a,04,1b,0c,3b,c2,21,27,53,0d,36,05,2c,05,\
  04,3d,4f,3a,4a,44,33,3a,0a,06,12,68,53,7c,20,13,35,5d,4c,10,27,01,56,7a,2d,\
  3f,38,4f,79,0f,16,26,75,53,1c,31,00,56,7a,3e,32,24,4f,79,1b,00,33,71,4d,23,\
  32,29,7c,6a,35,31,34,40,72,3b,01,2e,5d,4c,2a,07,15,48,72,38,12,00,56,7a,3e,\
  16,3c,71,4d,24,33,35,7c,72,35,0e,3c,1a,41,44,19,0f,31,3a,56,7a,2e,3e,31,0c,\
  7c,6a,10,27,0c,05,5d,4c,39,19,12,15,61,54,2e,00,33,32,40,52,03,25,1f,05,5d,\
  4c,2c,0c,0a,15,61,54,1a,26,1f,05,5d,4c,10,21,1d,1b,71,4d,3b,24,3a,21,6d,72,\
  24,16,3c,32,40,72,21,0f,3a,1a,41,44,1b,1e,01,01,71,4d,32,23,30,27,6d,4d,1f,\
  28,10,3c,56,7a,2f,2e,32,16,7c,6a,3a,12,3b,28,75,53,0b,3f,12,01,71,4d,23,32,\
  29,27,75,53,12,30,32,1e,4f,79,12,38,17,01,71,4d,30,3e,37,27,6d,72,38,12,3f,\
  04,41,44,0a,0e,32,28,49,5f,1c,24,0b,1b,36,21,41,7b,5b,24,39,31,7c,6a,2b,0e,\
  25,75,53,1a,2e,26,41,72,34,16,26,71,4d,30,30,3a,7c,6a,07,33,1a,56,7a,3a,00,\
  33,71,4d,23,32,29,7c,6a,1a,26,1a,40,52,24,3f,1a,6d,4d,1c,22,28,75,53,13,25,\
  20,41,44,0a,0e,32,75,53,08,07,20,71,4d,10,27,0d,05,5d,4c,24,1a,1e,1b,71,4d,\
  3f,20,3f,21,6d,4d,10,27,0c,05,5d,4c,39,19,12,3a,56,7a,3a,20,2c,0c,7c,6a,3e,\
  0c,37,07,75,53,12,30,32,3a,56,7a,25,2d,23,0c,7c,6a,2b,08,21,3a,56,7a,22,3a,\
  32,3a,56,72,24,1e,26,1a,41,44,07,1f,03,1b,75,53,1c,31,01,01,71,4d,32,23,30,\
  27,6d,72,34,1e,30,04,41,44,1b,1e,3b,28,49,5f,07,33,12,1b,5d,4c,35,0b,0a,1f,\
  75,53,0b,00,34,28,40,72,3b,01,2d,04,41,44,01,05,34,28,40,52,22,36,04,34,48,\
  72,38,12,3f,04,41,44,0a,0e,1f,01,71,4d,24,33,35,27,06,1c,68,53,49,14,21,01,\
  40,52,10,27,0d,40,52,2c,29,05,6d,4d,1f,28,05,56,7a,2f,2e,32,75,53,07,33,12,\
  40,52,3f,3a,19,6d,72,20,00,34,71,4d,1a,26,1a,40,52,24,3f,1a,6d,72,35,08,38,\
  5d,4c,2d,01,18,48,7a,27,23,1f,56,7a,3b,2f,3f,4f,79,08,39,01,1b,71,72,33,1f,\
  39,3a,56,7a,2e,3e,31,0c,7c,72,35,0e,3f,1a,41,44,0a,0a,35,3a,56,7a,3a,20,2c,\
  0c,7c,6a,03,25,1f,05,5d,4c,2c,0c,0a,15,61,54,27,05,34,32,40,52,10,21,09,05,\
  5d,4c,2d,01,18,15,61,54,07,37,17,05,5d,4c,1c,24,03,1b,71,4d,30,30,3b,27,6d,\
  72,33,17,3f,28,40,72,34,1e,30,04,41,44,1b,1e,00,01,71,4d,2f,2c,2c,27,6d,4d,\
  0b,26,3f,3c,56,7a,3a,20,23,16,7c,6a,35,05,33,28,75,53,12,30,17,01,71,4d,30,\
  3e,37,27,75,53,13,25,20,1e,4f,79,1f,29,1f,01,71,4d,24,33,35,27,06,21,41,7b,\
  5b,3d,24,37,7c,6a,2b,0e,25,40,72,33,1f,39,5d,72,34,1e,30,5d,4c,2a,0d,18,48,\
  7a,27,12,3b,71,4d,23,32,12,56,72,20,0c,2e,5d,4c,2c,0c,0a,75,53,1a,26,1f,40,\
  72,35,08,38,5d,4c,2d,01,18,75,53,0f,21,27,41,44,07,1f,3e,61,54,3d,06,22,32,\
  40,52,2c,29,05,32,48,72,34,1e,05,1b,71,4d,10,27,0c,05,5d,4c,39,19,1a,1b,71,\
  4d,23,32,24,21,6d,4d,03,25,1f,05,5d,4c,2c,0c,0a,3a,56,7a,25,2d,23,0c,7c,6a,\
  2b,08,21,07,75,53,13,25,20,3a,56,7a,3e,3e,3b,0c,7c,6a,3f,0f,23,3a,56,7a,2f,\
  2e,3d,3c,56,72,33,1f,39,04,41,44,1a,0e,05,01,75,53,1c,31,00,01,71,4d,2f,2c,\
  2c,27,6d,72,20,0c,2d,04,41,44,06,18,2a,28,49,5f,1a,26,1a,1b,5d,4c,2c,0c,0f,\
  1f,75,53,1c,1c,3e,28,40,72,38,12,3f,04,41,44,0a,16,3c,28,40,52,3e,39,06,34,\
  21,21,41,7b,5b,23,27,3c,7c,6a,17,37,17,40,52,32,24,05,6d,4d,0e,21,2c,75,53,\
  0b,31,31,75,53,08,3e,21,41,44,07,1e,3c,61,54,17,37,17,05,5d,4c,00,33,1e,1b,\
  71,4d,2e,39,3b,21,6d,72,20,06,32,32,40,72,21,0f,3c,1a,41,44,1a,0e,1f,01,71,\
  4d,20,2c,30,27,6d,4d,0e,21,2c,3c,56,7a,3a,2e,2d,16,7c,6a,3f,07,22,28,6e,02,\
  68,4a,7c,21,09,26,5d,4c,29,1d,1f,56,7a,3f,32,38,4f,79,1e,30,01,56,7a,3a,2e,\
  2d,4f,79,14,07,22,71,4d,24,30,3b,7c,6a,2a,1e,2f,07,75,53,0c,2d,26,3a,56,7a,\
  31,25,3d,0c,7c,6a,3e,0e,35,3a,56,7a,3b,2f,3d,3a,56,72,34,1e,26,04,41,44,0b,\
  0a,1e,01,75,53,0e,38,01,01,71,4d,23,30,2b,27,6d,72,21,0f,3c,04,28,1b,67,6b,\
  5f,00,22,10,75,53,1f,21,27,41,44,0b,0a,31,75,53,0e,1d,22,71,4d,03,27,1d,40,\
  52,3e,39,08,75,53,08,31,21,41,44,1a,0e,32,3a,56,7a,3f,32,38,0c,7c,6a,06,3e,\
  0d,05,5d,4c,35,0d,09,15,61,54,29,07,22,32,40,52,17,37,17,1b,5d,4c,3a,19,16,\
  1f,61,54,06,3e,0d,1b,5d,4c,03,27,11,01,71,4d,24,33,3b,27,06,21,41,73,41,11,\
  25,1d,56,7a,2e,3e,3b,4f,79,18,12,3f,71,4d,2e,39,3b,7c,6a,3e,0e,35,40,72,21,\
  0f,3c,5d,4c,36,0d,19,48,72,34,1e,1f,1b,71,4d,00,33,16,05,5d,4c,38,04,01,1b,\
  71,4d,23,30,2b,21,6d,4d,1c,24,0d,05,5d,4c,29,1d,17,3c,56,7a,3f,32,38,16,7c,\
  6a,39,09,25,09,75,53,0b,31,31,3c,56,7a,3b,2f,3d,16,15,39,5f,7b,42,03,38,02,\
  40,20,2c,1e,4f,21,41,7b,5b,23,27,3c,7c,14,07,22,6e,02,68,4a,7c,20,13,35,5d,\
  30,37,08,06,21,41,7b,5b,23,27,3c,7c,1b,39,1d,30,0c,7c,50,68,3a,3b,34,4f,1b,\
  1e,3b,6e,02,68,73,41,0b,22,0a,56,12,30,32,28,1b,67,73,41,0b,22,2a,41,2c,0c,\
  0f,21,21,41,7b,5b,23,27,3c,7c,08,1c,3e,66,1c,44,4f,56,06,13,05,61,27,23,1f,\
  4f,2d,5b,53,7c,20,13,35,5d,3e,39,06,06,1c,68,53,7c,21,09,26,5d,32,12,3f,6e,\
  02,68,4a,44,3e,37,02,6d,1c,24,01,4f,2d,5b,73,41,08,38,27,41,38,04,19,6e,02,\
  68,4a,44,3e,37,02,6d,3e,0e,35,3b,21,41,7b,5b,24,39,31,7c,08,39,00,4f,2d,7c,\
  50,68,3b,1d,3c,71,25,2d,2c,20,28,7c,50,68,3b,25,3b,4f,01,1d,2a,6e,02,68,4a,\
  44,3e,37,02,6d,10,21,09,29,01,5e,45,67,14,30,07,49,12,16,3c,66,1c,44,73,41,\
  08,38,27,41,36,0a,1b,21,2d,42,73,41,10,3b,2d,41,00,33,1e,4f,2d,5b,53,5e,2e,\
  07,1d,75,21,07,22,66,1c,7c,50,68,23,24,31,4f,0d,15,01,4f,2d,5b,53,5e,2e,07,\
  1d,48,0b,18,3c,6e,02,68,4a,44,26,36,0c,6d,2b,06,25,66,21,41,7b,5b,14,21,01,\
  40,3a,31,24,15,21,41,7b,5b,3c,3e,3f,7c,12,38,17,4f,2d,5b,53,5e,2e,07,1d,75,\
  35,08,38,36,1d,56,76,74,37,08,19,40,07,37,17,29,01,7c,50,68,23,24,31,4f,07,\
  1f,3e,16,05,7c,50,68,20,3a,39,75,25,12,3f,66,1c,44,4f,56,1c,12,1d,56,1c,24,\
  0d,29,21,41,7b,5b,3d,24,37,7c,1e,1d,22,66,1c,44,4f,56,1c,12,30,61,23,13,11,\
  4f,2d,5b,53,5e,2f,01,15,48,10,27,0c,6e,02,68,4a,7c,36,12,38,5d,24,3f,19,6e,\
  02,68,4a,44,21,2c,04,6d,35,05,34,66,1c,44,4f,56,1c,12,1d,56,1c,3b,25,28,1b,\
  67,6b,5f,01,2c,28,75,24,1e,26,36,21,41,7b,5b,3d,24,37,7c,14,3a,0b,30,21,41,\
  7b,5b,36,0c,7c
"{A8A88C49-5EB2-4990-A1A2-0876022C854F}"=hex:1a,37,61,59,23,52,35,0c,7a,5f,20,\
  17,2f,1e,1a,19,0e,2b,01,73,41,0f,3f,2f,28,1b,67,6b,10,28,03,09,3f,1b,3c,15,\
  36,21,50,68,3a,3b,34,4f,79,08,39,0d,49,72,33,1f,39,5d,4c,17,37,05,56,7a,2f,\
  2e,32,4f,79,1f,12,3b,75,53,0b,3f,12,56,7a,3a,20,23,4f,79,12,05,33,71,4d,3a,\
  31,29,7c,6a,2b,08,21,40,72,38,12,3f,5d,4c,39,1d,17,48,72,21,0f,03,56,7a,2f,\
  06,22,32,40,52,2c,29,05,3a,56,7a,2e,3e,31,0c,7c,6a,2b,06,25,32,40,52,33,24,\
  01,32,75,53,0b,3f,32,04,4f,79,1b,3b,1f,0c,40,72,3b,01,2d,1a,75,53,12,30,3f,\
  04,4f,79,08,3f,09,0c,75,53,13,25,20,04,75,53,07,37,17,05,5d,4c,36,0a,1b,3a,\
  56,72,35,0e,3c,3c,56,7a,2d,3f,38,16,7c,6a,17,37,01,1b,5d,4c,2a,0d,18,1f,61,\
  54,12,12,3b,28,40,52,3f,3a,19,34,48,72,20,0c,17,01,71,4d,1a,26,1a,1b,5d,4c,\
  2c,0c,17,01,71,4d,30,3e,37,27,6d,4d,1b,3b,0c,1b,5d,4c,39,1d,17,3c,56,7a,3b,\
  2f,3f,16,15,39,5f,7b,42,29,1d,3c,71,4d,30,06,22,71,4d,32,23,30,7c,6a,2a,1e,\
  19,75,53,1c,31,20,41,72,24,12,3b,71,4d,23,32,24,7c,6a,03,25,17,56,7a,25,05,\
  33,71,4d,3a,31,29,7c,6a,10,21,09,40,52,27,2c,0b,6d,4d,0f,28,2a,75,53,08,3e,\
  23,41,44,1b,1e,3c,3a,56,7a,12,34,16,05,75,53,1f,21,2d,04,4f,79,10,27,0c,05,\
  5d,4c,39,19,12,15,75,53,0b,3f,32,04,4f,79,1b,00,34,32,40,52,24,3f,19,32,48,\
  7a,2c,10,17,1b,71,4d,30,1c,3e,32,40,52,27,2c,0b,32,48,7a,27,16,3c,32,40,52,\
  3e,07,20,3a,56,7a,2f,2e,3d,16,7c,6a,12,34,1e,01,71,4d,17,37,01,1b,5d,4c,2a,\
  0d,18,3c,56,7a,3e,32,24,16,7c,6a,3e,0c,34,09,75,53,0b,3f,3f,1e,4f,79,12,38,\
  12,01,71,72,3b,01,2e,3c,56,7a,2f,24,39,16,7c,72,38,12,3f,04,41,44,0a,0e,32,\
  3c,56,7a,3b,2f,3f,16,15,39,7c,50,68,23,24,31,4f,79,08,39,0d,49,5f,12,34,16,\
  40,52,17,37,01,40,52,22,38,0b,6d,4d,0f,34,1a,56,7a,3a,20,2c,75,53,03,25,1f,\
  40,52,24,3f,19,6d,72,3b,05,34,71,4d,10,21,09,40,52,27,2c,0b,6d,72,24,1e,26,\
  5d,4c,36,0a,1b,48,7a,36,13,01,1b,71,4d,32,23,30,21,6d,4d,17,37,01,3a,56,7a,\
  2f,06,25,32,40,52,33,24,01,3a,56,7a,3a,20,2c,0c,7c,6a,3e,00,34,32,40,52,24,\
  3f,19,32,75,53,12,30,3f,04,4f,79,08,3f,09,0c,40,72,38,12,3f,1a,75,53,0f,21,\
  27,04,4f,79,14,3a,0b,0c,75,53,1c,31,21,1e,75,53,12,34,16,1b,5d,4c,29,1d,1d,\
  3c,56,72,35,0e,3f,3c,56,7a,3e,32,24,16,7c,6a,03,25,1a,1b,5d,4c,35,0b,0f,1f,\
  61,54,27,05,33,28,40,52,24,3f,1a,34,48,72,35,08,1d,01,71,4d,1b,3b,0c,1b,5d,\
  4c,39,1d,1f,01,71,4d,24,33,35,27,06,1c,7c,50,68,20,3a,39,4f,79,08,06,22,71,\
  4d,32,23,30,7c,6a,2a,1e,19,40,72,35,0e,3f,5d,72,24,1a,25,5d,4c,35,0b,0a,48,\
  7a,23,00,34,71,4d,3a,31,12,56,72,3b,01,2e,5d,4c,2a,07,15,75,53,1b,3b,0c,40,\
  72,24,1e,26,5d,4c,36,0a,1b,75,53,1c,31,21,04,4f,79,0a,2a,06,0c,40,72,34,1e,\
  30,1a,41,44,1b,1e,3b,3a,56,7a,07,33,12,05,75,53,0b,3f,32,04,4f,79,03,25,1f,\
  05,5d,4c,2c,0c,0a,15,75,53,12,30,3f,04,4f,79,08,1c,3e,32,40,52,27,2c,0b,32,\
  48,7a,27,23,1f,1b,71,4d,24,07,20,32,40,52,22,38,08,34,48,7a,34,17,3f,28,40,\
  52,23,16,26,3c,56,7a,2f,2e,32,16,7c,6a,07,33,1a,01,71,4d,03,25,1a,1b,5d,4c,\
  35,0b,0f,3c,56,7a,25,2d,2c,16,7c,6a,35,31,37,09,75,53,1c,3b,25,1e,4f,79,13,\
  35,00,01,71,72,24,1e,26,3c,56,7a,3b,2f,3f,16,15,21,41,7b,5b,23,27,3c,7c,6a,\
  2a,16,3c,71,4d,20,2c,30,7c,6a,06,3e,0d,40,52,3f,38,18,6d,4d,08,27,2c,75,53,\
  08,31,21,75,53,1f,21,27,04,4f,79,18,2d,06,0c,75,53,0e,38,21,04,75,53,03,27,\
  1d,05,5d,4c,36,0a,19,3a,56,72,34,1e,26,3c,56,7a,3f,32,38,16,7c,6a,06,3e,0d,\
  1b,5d,4c,35,0d,09,1f,61,54,29,07,22,28,29,01,5e,45,67,14,30,1f,56,7a,17,37,\
  17,40,72,25,1a,39,5d,4c,38,04,01,56,7a,3a,2e,2d,4f,79,14,3a,01,56,7a,3b,2e,\
  3d,4f,79,0f,16,3c,32,40,52,32,24,05,32,48,7a,18,28,01,1b,71,4d,23,06,32,32,\
  40,52,3e,39,08,32,48,7a,37,16,3c,28,40,52,32,12,3f,3c,56,7a,31,25,3d,16,7c,\
  6a,03,27,11,01,71,4d,1c,24,0d,1b,36,1d,56,76,74,14,21,01,40,52,23,28,02,6d,\
  4d,0c,34,2b,75,53,0e,38,21,41,44,06,1e,2c,75,53,08,07,22,71,4d,1c,27,0d,40,\
  52,23,28,02,3a,56,7a,3f,32,38,0c,7c,6a,39,1d,22,32,40,52,3f,38,18,32,75,53,\
  08,3e,21,04,4f,79,0f,29,07,02,40,72,25,1a,39,04,75,53,0e,38,21,1e,4f,79,1b,\
  39,1d,02,75,53,08,3e,21,1e,6e,02,7c,50,68,20,3a,39,4f,79,0f,16,3c,75,53,0c,\
  2d,1e,56,7a,31,25,3d,4f,79,1b,06,32,71,4d,24,33,3b,7c,6a,3f,0e,25,40,72,34,\
  1e,26,1a,41,44,0b,0a,31,3a,56,7a,06,3e,0d,05,75,53,0b,31,31,04,4f,79,1c,24,\
  0d,05,5d,4c,29,1d,17,1f,75,53,0c,2d,26,1e,4f,79,1e,1d,22,28,40,52,3f,38,18,\
  34,48,7a,22,12,01,01,66,1c,44,73,41,0b,22,2a,41,3a,19,16,21,2d,42,73,41,0b,\
  22,2a,41,1c,24,01,4f,2d,5b,53,5e,35,1e,22,75,27,1d,22,66,1c,7c,50,68,3a,3b,\
  34,4f,06,1e,11,4f,2d,5b,53,5e,35,1e,22,48,1c,18,2d,6e,02,68,4a,44,3f,2d,31,\
  6d,35,05,33,66,21,41,7b,5b,03,38,02,40,3a,31,29,15,21,41,7b,5b,23,27,3c,7c,\
  08,3f,1d,4f,2d,5b,53,5e,35,1e,22,75,24,1e,26,36,1d,56,76,74,3e,03,1c,40,1c,\
  24,0b,29,01,7c,50,68,3a,3b,34,4f,0b,0a,31,28,30,21,41,7b,5b,23,27,0a,56,1c,\
  24,0d,1b,36,1d,56,76,74,03,38,0a,56,0e,38,01,01,66,1c,44,4f,56,06,13,0a,56,\
  0b,31,31,1e,20,28,74,4e,68,23,26,0a,56,1c,31,20,1e,20,28,74,4e,7c,20,13,0a,\
  56,12,30,12,01,66,1c,44,4f,56,06,1b,2b,71,25,2d,23,16,15,39,5f,73,41,0b,22,\
  2a,41,2a,07,15,3c,4f,2d,5b,53,5e,35,1e,22,48,0f,28,2a,3c,4f,2d,5b,53,7c,20,\
  13,35,5d,3e,39,06,34,21,2d,42,73,41,08,38,27,41,00,33,1e,4f,2d,5b,53,5e,36,\
  04,17,75,21,07,22,66,1c,7c,50,68,3b,25,3b,4f,0d,15,01,4f,2d,5b,53,5e,36,04,\
  17,48,0b,18,3c,6e,02,68,4a,44,3e,37,02,6d,2b,06,25,66,21,41,7b,5b,1c,3e,17,\
  40,3a,31,24,15,21,41,7b,5b,24,39,31,7c,12,38,17,4f,2d,5b,53,5e,36,04,17,75,\
  35,08,38,36,1d,56,76,74,3f,09,2f,40,07,37,17,29,01,7c,50,68,3b,25,3b,4f,07,\
  1f,3e,16,05,7c,50,68,3b,25,3b,75,25,12,3f,28,29,01,5e,45,67,14,1d,3c,75,21,\
  0f,3c,3c,4f,2d,5b,53,5e,36,04,17,75,27,09,3c,04,28,1b,67,6b,5f,08,21,2a,75,\
  20,0e,2c,04,28,1b,67,6b,5f,1c,3e,17,75,35,0e,3f,3c,4f,2d,5b,53,5e,36,04,1f,\
  56,12,30,32,1e,20,28,74,4e,7c,21,09,26,5d,24,3f,1a,34,6e,02,68,4a,44,3e,37,\
  02,6d,2b,08,21,09,6e,02,68,4a,44,1c,3e,17,40,2f,20,31,27,06,1c,68,53,7c,21,\
  09,26,5d,3e,07,20,3c,4f,2d,5b,53,5e,2e,07,1d,75,25,12,3f,66,1c,7c,50,68,23,\
  24,31,4f,07,1f,01,4f,2d,5b,53,5e,2e,07,1d,48,0e,21,2c,6e,02,68,4a,44,26,36,\
  0c,6d,3e,06,32,66,21,41,7b,5b,14,21,01,40,30,30,3a,15,21,41,7b,5b,3c,3e,3f,\
  7c,12,38,12,4f,2d,5b,53,5e,2e,07,1d,75,3b,01,2e,36,1d,56,76,74,37,08,19,40,\
  10,21,09,29,01,7c,50,68,23,24,31,4f,0a,0e,32,16,05,7c,50,68,23,24,31,75,21,\
  07,20,66,1c,44,4f,56,1f,14,05,56,00,33,16,1b,6e,02,68,4a,44,26,36,0c,6d,1c,\
  24,0d,1b,36,1d,56,76,74,37,08,19,40,06,3e,0d,1b,36,1d,56,76,74,37,1c,26,71,\
  03,27,1d,1b,6e,02,68,4a,44,26,36,0c,75,35,0e,3f,04,28,1b,67,6b,5f,14,21,01,\
  40,3a,31,24,27,06,21,41,7b,5b,3c,3e,3f,7c,12,38,1f,02,3b,21,41,7b,5b,3c,1c,\
  26,71,2f,24,39,16,15,39,5f,7b,42,14,21,01,40,2f,20,1f,01,6e,02,68,4a,44,26,\
  36,0c,6d,1c,24,03,01,66,1c,7c,50,68,20,3a,39,4f,0b,0a,1e,4f,2d,5b,53,5e,2f,\
  01,15,48,08,27,2c,6e,02,68,4a,44,21,2c,04,6d,39,1d,22,66,21,41,7b,5b,15,3b,\
  09,40,23,30,2b,15,21,41,7b,5b,3d,24,37,7c,08,39,00,4f,2d,5b,53,5e,2f,01,15,\
  75,3b,01,2d,36,1d,56,76,74,28,02,21,40,1a,26,1f,29,01,7c,50,68,20,3a,39,4f,\
  1b,14,30,16,05,7c,50,68,20,3a,39,75,24,16,3c,66,1c,44,4f,56,1c,12,1d,56,1c,\
  24,0b,29,21,41,7b,5b,3d,24,37,7c,18,12,3f,28,29,01,5e,45,67,0d,35,09,49,29,\
  07,22,28,29,01,5e,45,67,0d,35,1d,56,0e,1d,22,28,29,21,41,7b,5b,3d,24,37,7c,\
  03,27,1d,1b,36,1d,56,76,74,28,1a,3e,71,2f,2e,32,16,15,39,7c,50,68,20,3a,39,\
  4f,01,1d,2d,28,30,0c,7c,50,68,20,3a,1d,56,12,30,3f,1e,20,28,74,4e,68,29,1a,\
  3e,71,2f,24,39,3c,4f,21,41,7b,5b,3d,24,37,7c,1f,16,3c,3c,4f,2d,5b,73,41,11,\
  25,25,41,36,0a,1b,3c,4f,2d,5b,53,5e,20,39,74
"1206"=dword:00000000
"2001"=dword:00000000
"2004"=dword:00000000
"1005"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
@=""
"DisplayName"="Restricted sites"
"Description"="This zone contains Web sites that could potentially damage your computer or data."
"Icon"="inetcpl.cpl#00004481"
"CurrentLevel"=dword:00000000
"MinLevel"=dword:00012000
"RecommendedLevel"=dword:00012000
"Flags"=dword:00000003
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000003
"1402"=dword:00000003
"1405"=dword:00000003
"1406"=dword:00000003
"1407"=dword:00000003
"1601"=dword:00000000
"1604"=dword:00000001
"1605"=dword:00000000
"1606"=dword:00000003
"1607"=dword:00000003
"1608"=dword:00000003
"1609"=dword:00000001
"1800"=dword:00000003
"1802"=dword:00000003
"1803"=dword:00000003
"1804"=dword:00000003
"1805"=dword:00000001
"1A00"=dword:00010000
"1A02"=dword:00000003
"1A03"=dword:00000003
"1A04"=dword:00000003
"1A05"=dword:00000003
"1A06"=dword:00000003
"1A10"=dword:00000003
"1C00"=dword:00000000
"1E05"=dword:00010000
"{AEBA21FA-782A-4A90-978D-B72164C80120}"=hex:1a,37,61,59,23,52,35,0c,7a,5f,20,\
  17,2f,1e,1a,19,0e,2b,01,73,13,37,13,12,14,1a,15,39
"{A8A88C49-5EB2-4990-A1A2-0876022C854F}"=hex:1a,37,61,59,23,52,35,0c,7a,5f,20,\
  17,2f,1e,1a,19,0e,2b,01,73,13,37,13,12,14,1a,15,39
Title: Computer infected
Post by: guestolo on April 11, 2005, 06:38:10 PM
Is this happening with All users on the computer?
I'm starting to think it may be best to create a new user account and copy whatever you need to that account and rid yourself of this one :o

If you would like to try the following however
I would like to take a look at this

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Find.bat

Code:
@echo off
REM Export the Lockdown_Zones key to a temporary .reg file
regedit /e C:\temp.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones"
REM Append the export to Display.txt and open it in Notepad
REM (if the key does not exist, regedit writes no file and more reports it cannot access C:\temp.reg)
more C:\temp.reg >> C:\Display.txt
notepad C:\Display.txt
REM Remove both temporary files once Notepad is closed
del /q c:\temp.reg
del /q C:\Display.txt

Double click on Find.bat and a log should open, copy and paste that back here
or use the Browse button at the bottom of the reply box and add it as an attachment
You must be logged into the forum
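Find.bat above hands the reader the raw export and leaves the reading to the eye. The script below is an added example, not part of this thread and not HijackThis or any tool mentioned here: it parses a regedit /e export of the Internet Settings zone keys, like the Restricted-sites dump posted earlier in the thread, and flags URL actions that a zone-lowering trojan would weaken. The URL actions it knows (1001, 1004, 1200, 1201, 1400) use the tri-state encoding 0 = Enable, 1 = Prompt, 3 = Disable. The embedded export is constructed: the zone 4 block mirrors the thread's dump, the zone 3 (Internet) block is invented with one weakened value. The per-zone policy table is this example's own minimal choice, not a Microsoft baseline.

```python
import re

# Matches the per-zone subkeys of the Zones and Lockdown_Zones trees.
ZONE_KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_[A-Z_]+)\\.*\\Internet Settings\\"
    r"(?P<kind>Zones|Lockdown_Zones)\\(?P<zone>\d)\]$"
)
# URL actions are four-hex-digit value names holding a dword.
DWORD_RE = re.compile(r'^"(?P<name>[0-9A-Fa-f]{4})"=dword:(?P<val>[0-9A-Fa-f]{8})$')

# URL actions with the tri-state encoding 0 = Enable, 1 = Prompt, 3 = Disable.
TRISTATE_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3

# Example policy (an assumption of this script, not a Microsoft baseline).
# Zone 3 = Internet, zone 4 = Restricted sites.
EXPECTED_DISABLED = {
    "3": {"1004", "1201"},
    "4": set(TRISTATE_ACTIONS),
}

# Constructed sample: zone 4 follows the thread's dump, zone 3 is invented.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00000000
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"CurrentLevel"=dword:00000000
"MinLevel"=dword:00012000
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000003
"{AEBA21FA-782A-4A90-978D-B72164C80120}"=hex:1a,37,61,59,23,52,35,0c,7a,5f,20,\
  17,2f,1e,1a,19,0e,2b,01,73,13,37,13,12,14,1a,15,39
'''


def parse_reg_export(text):
    """Return {(kind, zone): {action_id: int}} for every Zones/Lockdown_Zones subkey.

    regedit wraps long hex values with a trailing backslash; those lines are
    joined first and then ignored, since only dword URL actions matter here.
    """
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):          # continuation line
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    zones, current = {}, None
    for line in joined:
        m = ZONE_KEY_RE.match(line)
        if m:
            current = (m.group("kind"), m.group("zone"))
            zones[current] = {}
            continue
        if line.startswith("["):         # some other key: stop collecting
            current = None
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            zones[current][m.group("name").upper()] = int(m.group("val"), 16)
    return zones


def audit_zones(zones):
    """List (kind, zone, action, description, value) where a setting that the
    policy says must be Disabled is Enabled or Prompt."""
    findings = []
    for (kind, zone), actions in sorted(zones.items()):
        for action in sorted(EXPECTED_DISABLED.get(zone, ())):
            value = actions.get(action)
            if value is not None and value != DISABLE:
                findings.append((kind, zone, action, TRISTATE_ACTIONS[action], value))
    return findings


def missing_lockdown_zones(zones):
    """Zone numbers present under Zones but absent under Lockdown_Zones."""
    have = {z for kind, z in zones if kind == "Zones"}
    locked = {z for kind, z in zones if kind == "Lockdown_Zones"}
    return have - locked


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for kind, zone, action, desc, value in audit_zones(parsed):
        print(f"{kind}\\{zone}: {action} ({desc}) = {value}, expected {DISABLE}")
    print("zones with no Lockdown_Zones entry:", sorted(missing_lockdown_zones(parsed)))
```

Run against a real export, feed it the file that Find.bat produces instead of SAMPLE_EXPORT. One caveat for this thread: Lockdown_Zones belongs to the Local Machine Zone Lockdown that arrived with Windows XP SP2, so on the SP1 machine discussed here an empty result from missing_lockdown_zones is expected rather than evidence of tampering; the Zones tree is the one worth auditing.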
Title: Computer infected
Post by: irish-paddy on April 12, 2005, 08:51:53 AM
:unsure: yeah, it's happening with all users.

can't get find.bat to work, it's just saying ''cannot access file C;\temp.reg''
Title: Computer infected
Post by: guestolo on April 12, 2005, 10:30:10 AM
Try this>>delete your copy of Find.bat
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Find.bat

Code:
REM Export the Lockdown_Zones key to Find.reg in the folder the batch file runs from
regedit /e Find.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones"
Double click on Find.bat
Find.reg should be placed on the desktop
Right click on it and choose Edit
Copy and paste back the contents
Title: Computer infected
Post by: Guest_irish-paddy_* on April 15, 2005, 09:55:23 AM
having trouble doing that. haven't been able to get on to the internet for a couple of days because of all these viruses on my computer. :angry:

i delete them in safe mode or whatever but they just keep coming back, have tried turning off system restore but it doesn't do anything.


still can't get my firewall on, SoftPerfect is crap, every time i go on the internet that Microsoft AntiSpyware thing has to delete the viruses that keep trying to get onto my computer.

here's a HijackThis log if it helps,

Logfile of HijackThis v1.99.0
Scan saved at 12:59:32, on 15/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PAT DESKTOP\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PPPOEOE] winlite.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [mzolqn] C:\WINDOWS\mzolqn.exe
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [Compaq Service Drivrs] copq.exe
O4 - HKLM\..\Run: [MotherBoard Sounds] sounds.exe
O4 - HKLM\..\Run: [lwfut] C:\WINDOWS\lwfut.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\gah32.exe
O4 - HKLM\..\RunServices: [PPPOEOE] winlite.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivrs] copq.exe
O4 - HKLM\..\RunServices: [MotherBoard Sounds] sounds.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Compaq Service Drivrs] copq.exe
O4 - HKCU\..\Run: [MotherBoard Sounds] sounds.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivrs] copq.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O23 - Service: Deepsight Extractor - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: DeepSight Extractor Service for NPF03 - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
O23 - Service: DeepSight Extractor Service for NPF04 - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Title: Computer infected
Post by: irish-paddy on April 18, 2005, 07:23:45 PM
i got find.bat working but when i open it, it just closes straight away so can't get the results unfortunately :(

whatever i delete through Ad-Aware or Microsoft AntiSpyware just comes back again. have tried everything but still find.bat won't open, not even in safe mode.

done a scan with MWAV, it found all these. is there any way i can get my computer fixed?? please? :rolleyes:

File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "180Solutions Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ameopt Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\2366.reg infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Gavin Deighan\Local Settings\Temporary Internet Files\Content.IE5\UGT9DZCP\11[3].exe infected by "IM-Worm.Win32.Prex.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\16DC1B64-6F33-491A-A46C-022523\B0434FE3-A0BF-4380-9621-399A4A infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\7028A7A4-90A1-4479-8161-0A228D\28B1625D-AADD-431D-976A-0ACE50 infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\8602EE2B-06A6-4E2A-8DEE-440A55\CD4A3027-5320-46B1-AA3F-B31505 infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\AB68FF90-C1D4-4921-BACD-A43870\754745A2-37E2-4C50-AFAC-8D3E10 infected by "not-a-virus:AdWare.WebSearch.f" Virus. Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\BF13A4D6-8F48-489C-A452-B65875\5EF2EA92-BD4B-425A-ABBE-EACD57 infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-1555509878-2172021702-756012807-500\Dc198 infected by "not-a-virus:AdWare.WinAD.af" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-1555509878-2172021702-756012807-500\Dc200 infected by "not-a-virus:AdWare.WinAD.af" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-1555509878-2172021702-756012807-500\Dc211 infected by "not-a-virus:AdWare.WinAD.af" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-1555509878-2172021702-756012807-500\Dc214 infected by "not-a-virus:AdWare.WinAD.af" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-1555509878-2172021702-756012807-500\Dc220 infected by "not-a-virus:AdWare.WinAD.af" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-1555509878-2172021702-756012807-500\Dc225 infected by "Trojan.Win32.TopAntiSpyware.j" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-1555509878-2172021702-756012807-500\Dc226 infected by "Trojan.Win32.TopAntiSpyware.h" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-1555509878-2172021702-756012807-500\Dc227 infected by "not-a-virus:AdWare.WinAD.af" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-1555509878-2172021702-756012807-500\Dc228 infected by "not-a-virus:AdWare.WinAD.af" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-1555509878-2172021702-756012807-500\Dc243 infected by "not-a-virus:AdWare.WinAD.af" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-1555509878-2172021702-756012807-500\Dc245 infected by "Trojan-Downloader.Win32.Dyfuca.dx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\2366.reg infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\11[1].exe infected by "IM-Worm.Win32.Prex.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\dd[1].exe infected by "not-a-virus:AdWare.WinAD.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\2366.reg infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: No Action Taken.
Title: Computer infected
Post by: guestolo on April 18, 2005, 10:45:45 PM
Access your Add/Remove Programs and remove
180 solutions or similar

Allow internet connection, careful on the removal procedure, just keep clicking uninstall if prompted

Back in Windows

Save the rest of these instructions to a Notepad file and save it to desktop
Close down all other windows, disconnect from the Internet

Disable System Restore

Run Windows CleanUp!
After cleaning all files don't log off yet

Instead
Do another scan with Hijackthis and put a check next to these entries:

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [PPPOEOE] winlite.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [mzolqn] C:\WINDOWS\mzolqn.exe
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [Compaq Service Drivrs] copq.exe
O4 - HKLM\..\Run: [MotherBoard Sounds] sounds.exe
O4 - HKLM\..\Run: [lwfut] C:\WINDOWS\lwfut.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\gah32.exe
O4 - HKLM\..\RunServices: [PPPOEOE] winlite.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivrs] copq.exe
O4 - HKLM\..\RunServices: [MotherBoard Sounds] sounds.exe

O4 - HKCU\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Compaq Service Drivrs] copq.exe
O4 - HKCU\..\Run: [MotherBoard Sounds] sounds.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivrs] copq.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis


Run Pocket KillBox
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\2366.reg

Select the radio button to
Delete on reboot afterwards
Then click the Delete button
The Red circle and a white X
When prompted to Delete on Reboot>>Click YES
If prompted to Reboot Now>>Click NO
Do the same for the below entries

C:\WINDOWS\lwfut.exe
C:\gah32.exe
C:\WINDOWS\System32\navapqwa.exe
C:\WINDOWS\System32\copq.exe
C:\WINDOWS\System32\winlite.exe
C:\WINDOWS\System32\veritas.exe
C:\WINDOWS\System32\sounds.exe
C:\WINDOWS\System32\wdrk32.exe
C:\WINDOWS\System32\swwhost.exe
C:\WINDOWS\System32\mssw32.exe
C:\WINDOWS\System32\navprotect.exe
C:\WINDOWS\System32\n3vasap23.exe
C:\WINDOWS\System32\crmss.exe
C:\WINDOWS\System32\SDK0mCORE.exe


After you have entered the last path to the file name
Allow the computer to Reboot

Back in Windows
Reenable system restore

Download and save to desktop
Zonefix.exe (http://www.jayloden.com/zone_fix.exe)
double click to Run

Post a fresh Hijackthis log

Also, try and navigate to this entry in your registry
START>>RUN>>type regedit
Hit OK
Navigate to this key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones

Right click on Lockdown Zones and choose Export
Name it and save it
Close the registry editor>>Navigate to the file you exported
Right click on it and choose EDIT
Copy and paste back the contents

We have to get some Critical updates installed on your computer from Windows Updates after you're clean, you're open to reinfection
For now, excluding Service pack 2, go to Windows updates and get all other Critical Updates installed
Title: Computer infected
Post by: irish-paddy on April 19, 2005, 05:06:07 PM
couldn't find ANY 180 solutions or anything in the add/remove programs

Disabled System Restore

Ran Windows CleanUp!

Done another scan with Hijackthis and put a check next to all the entries:

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [PPPOEOE] winlite.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [mzolqn] C:\WINDOWS\mzolqn.exe
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [Compaq Service Drivrs] copq.exe
O4 - HKLM\..\Run: [MotherBoard Sounds] sounds.exe
O4 - HKLM\..\Run: [lwfut] C:\WINDOWS\lwfut.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\gah32.exe
O4 - HKLM\..\RunServices: [PPPOEOE] winlite.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivrs] copq.exe
O4 - HKLM\..\RunServices: [MotherBoard Sounds] sounds.exe

O4 - HKCU\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Compaq Service Drivrs] copq.exe
O4 - HKCU\..\Run: [MotherBoard Sounds] sounds.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivrs] copq.exe

as soon as i did this the computer froze, had to restart; also it wouldn't let me download Zonefix.exe, had to log on as another user and copy and paste it to my desktop.

deleted everything on reboot with pocket killbox
Reenabled system restore


went into regedit, for some reason this key wasn't there
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones


think this might be a virus, is it???
hiberfil.sys
it is in my c:\
Title: Computer infected
Post by: irish-paddy on April 19, 2005, 05:08:38 PM
here's the log, cheers for all your help.

p.s. how do i get Windows updates?


Logfile of HijackThis v1.99.0
Scan saved at 23:03:07, on 19/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\SCardClnt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\SoftPerfect Personal Firewall\fw.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\PAT DESKTOP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: Deepsight Extractor - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: DeepSight Extractor Service for NPF03 - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
O23 - Service: DeepSight Extractor Service for NPF04 - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Smart Card Client - Unknown - C:\WINDOWS\SYSTEM32\SCardClnt.exe
Title: Computer infected
Post by: guestolo on April 19, 2005, 09:17:56 PM
Do you have the full version of Trojan Hunter installed on your computer?

If you do please check for updates and run a full system scan

To get to Windows Updates>>Open IE and click on TOOLS>>Windows updates

Are you sure you can't find this entry in the registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones

Also, I see entries in your log related to Symantec, but I don't see the virus scanner running
Are you having problems with it???

Did you remove it?
If you have and need a free Anti-Virus, let me know
Title: Computer infected
Post by: irish-paddy on April 20, 2005, 04:39:48 AM
the Norton anti-virus wasn't working, had to remove it. tried to download it but it didn't work. yeah, need an anti-virus please :D
since my Microsoft one seems to have been deleted.


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones
this definitely isn't there, don't know why, tried to look for it in another user account but it's not there!!!


i'm at work now, but i'll do the Windows update and Trojan Hunter when i get home and then get back to you!!!
Title: Computer infected
Post by: guestolo on April 20, 2005, 07:00:16 PM
At the top of this forum you will see a link to Preventive and Removal tools

Open the post and look for the free AV's listed near the top
I prefer AVG or AVAST
Choose only ONE, you don't need more than one running

When downloading ensure you are downloading the free version and not the trial version
After installation, make sure it is fully updated and run a full system scan
Let it fix whatever it finds

Restart your computer afterwards and post a fresh hijackthis log, let me know how everything's running
Title: Computer infected
Post by: irish-paddy on April 22, 2005, 07:19:38 AM
computer is running a bit better.
it's still freezing all the time and i have no firewall. still can't get my built-in Microsoft firewall to work.

downloaded Sygate but it was really really slow and wouldn't let me onto the internet. My Trojan Hunter is out of date so that's not much use to me.


i downloaded and updated AVAST but it didn't find anything, so i downloaded AVG; it found a couple of trojans but it couldn't fix them so i manually deleted them.

Computer still doesn't feel too safe because Ad-Aware only works in safe mode and still can't open find.bat, it opens for half a second and then closes again.

sorry to be sounding so glum, gonna try to get a different firewall but here's my HijackThis log :rolleyes:



Logfile of HijackThis v1.99.0
Scan saved at 13:08:23, on 22/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\SCardClnt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PAT DESKTOP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows TM] rundlI32.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Deepsight Extractor - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: DeepSight Extractor Service for NPF03 - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
O23 - Service: DeepSight Extractor Service for NPF04 - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Smart Card Client - Unknown - C:\WINDOWS\SYSTEM32\SCardClnt.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
Title: Computer infected
Post by: irish-paddy on April 22, 2005, 07:22:23 AM
p.s. i know you said to only download one but AVAST keeps blocking things when i'm on the computer,
but it didn't detect any viruses!!

and AVG found the viruses,

so i don't know which one to delete/use, what do you think?
Title: Computer infected
Post by: irish-paddy on April 22, 2005, 07:28:07 AM
every time i try to download another firewall the download just freezes and i get kicked off the internet :unsure:
Title: Computer infected
Post by: irish-paddy on April 22, 2005, 08:01:56 PM
AVG found these viruses but it can't fix them,

C:\WINDOWS\SYSTEM32\c.bat           virus found   IRC/Backdoor.flood

C:\WINDOWS\SYSTEM32\SCardClnt.exe     Trojan Horse   IRC/Backdoor.SdBot.182.AF

is it OK for me to manually delete these?
Title: Computer infected
Post by: guestolo on April 23, 2005, 01:44:28 PM
Yes, go ahead and delete those files

Did you make it to Windows Updates?

Make sure you apply this recommended patch
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Title: Computer infected
Post by: irish-paddy on April 25, 2005, 05:22:23 AM
can't get on to download anything off that site, i always get kicked off the internet after about 4 or 5 mins

and my computer always turns itself off after about 7 or 8 mins, which is why i'm sure there is still a pretty serious virus on my comp.


my HijackThis log is on the previous page if you want to have a look
Title: Computer infected
Post by: irish-paddy on April 25, 2005, 05:24:24 AM
p.s. i always get messages from avast saying it is blocking an attack from 1.33.453.879 or something, what does that mean?
Title: Computer infected
Post by: guestolo on April 25, 2005, 10:07:42 AM
Well Irish, you still are open to infections
I'm not sure which way to go with this
You seem to have Sygates Firewall installed now, that's good
Is it working properly???

With all other windows closed, do another scan with hijackthis and fix checked this entry

O4 - HKCU\..\Run: [Windows TM] rundlI32.exe

Restart your computer

I asked you to do this before
If Trojan Hunter is outdated
Shutdown Trojan Guard and then uninstall Trojan Hunter
Make sure you shut down Trojan Guard first

I like AVG and Avast, decide which one you like and remove the other, this can cause conflicts

Go to this link and download DCOMbobulator
http://www.grc.com/dcom/
Save it to desktop and disable Dcom

Post back a fresh Hijackthis log after doing the above
Could you also
Download GetServices.zip (http://www.bleepingcomputer.com/files/spyware/getservices.zip)
Unzip it to a folder
Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder.
getservice.txt will list all active Services

Post the getservices.txt
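The entry guestolo asks to fix, rundlI32.exe, is worth a second look for two reasons that are easy to skim past in a log: it is a bare filename with no path (so Windows resolves it through the PATH search at logon, and the log alone does not say which file runs), and it is spelt with a capital I in place of the second l of rundll32.exe. As an added example that is not part of this thread and not HijackThis's own code, the Python below parses O4 Run-key lines from a HijackThis log and flags entries with no path, names that differ from a core Windows binary only by look-alike characters, and core binary names living outside System32. The known-binary list and the homoglyph map are assumptions chosen for the example; the sample log lines are constructed, reproducing the entry from the post above alongside invented ones.

```python
from __future__ import annotations
import re

# Windows binaries whose names malware commonly imitates. This short list is
# an assumption for the example; extend it from a known-clean reference system.
KNOWN_SYSTEM_BINARIES = {
    "rundll32.exe", "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "services.exe", "winlogon.exe", "spoolsv.exe",
}

# Characters that pass for one another in a log viewer. Applied before
# lower-casing so the capital I in "rundlI32.exe" folds to the l it imitates.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

# O4 entries from the HKLM/HKCU Run and RunOnce keys, e.g.
#   O4 - HKCU\..\Run: [Windows TM] rundlI32.exe
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First program-like token of an unquoted command line, so that an unquoted
# path containing spaces is not cut at its first space.
EXE_TOKEN = re.compile(r"^(.+?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)", re.IGNORECASE)


def executable_of(cmd: str) -> str:
    """Extract the program from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_TOKEN.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def split_path(exe: str) -> tuple[str, str]:
    """Split a Windows path into (directory, basename); directory is '' for a bare name."""
    head, sep, tail = exe.rpartition("\\")
    return (head, tail) if sep else ("", exe)


def normalise(basename: str) -> str:
    """Fold look-alike characters, then lower-case, for comparison."""
    return basename.translate(HOMOGLYPHS).lower()


def check_entry(cmd: str) -> list[str]:
    """Reasons (possibly none) an O4 command line deserves a closer look."""
    reasons = []
    directory, base = split_path(executable_of(cmd))
    lowered = base.lower()
    if not directory:
        # A bare filename is resolved through the PATH search at logon, so the
        # log alone cannot tell you which file on disk actually runs.
        reasons.append("no-path")
    if lowered not in KNOWN_SYSTEM_BINARIES and normalise(base) in KNOWN_SYSTEM_BINARIES:
        reasons.append(f"look-alike of {normalise(base)}")
    if lowered in KNOWN_SYSTEM_BINARIES and directory and "\\system32" not in directory.lower():
        reasons.append("system binary name outside System32")
    return reasons


def analyse_hjt(log_text: str) -> list[dict]:
    """Walk a HijackThis log and return the O4 Run entries worth questioning."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        reasons = check_entry(m["cmd"])
        if reasons:
            findings.append({"hive": m["hive"], "name": m["name"],
                             "cmd": m["cmd"], "reasons": reasons})
    return findings


# Constructed sample: two benign vendor entries, the entry from the post above,
# and two invented entries (wupdhlp32.exe and a misplaced svchost.exe).
CONSTRUCTED_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Windows TM] rundlI32.exe
O4 - HKLM\..\Run: [Windows Update Helper] wupdhlp32.exe /s
O4 - HKLM\..\Run: [System Host] C:\Program Files\Common Files\svchost.exe -k
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
"""

if __name__ == "__main__":
    for f in analyse_hjt(CONSTRUCTED_LOG):
        print(f"{f['hive']} [{f['name']}] {f['cmd']}: {', '.join(f['reasons'])}")
```

Feed a whole saved log to analyse_hjt() to triage it. These are heuristics: a finding means the entry is worth locating on disk and checking, not that it is malware, and a clean result says nothing about entries the three rules do not cover.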
Title: Computer infected
Post by: irish-paddy on April 26, 2005, 06:52:47 AM
Sygate was really, really slow, had to uninstall it. Going to try and download it again.

Going to go do everything now before I get shut down again,

wish me luck
Title: Computer infected
Post by: irish-paddy on April 26, 2005, 07:12:30 AM
Tried to do Panda's ActiveScan.

A warning and alarm came up in Avast saying it contained malware/worm and gave the name of the worm, I disconnected it. Should I be worried about this?
Title: Computer infected
Post by: irish-paddy on April 26, 2005, 08:26:17 AM
Tried to install Sygate again but it's just far, far too slow so uninstalled it and I'm using Outpost, but I don't really like it.

Disabled DCOM, everything seems to be running a lot, lot better. The computer has only shut itself down once or twice in the last hour. Cheers.


Here's the HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 14:23:27, on 26/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Internet Explorer\iexplore.exe
C:\PAT DESKTOP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Deepsight Extractor - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: DeepSight Extractor Service for NPF03 - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
O23 - Service: DeepSight Extractor Service for NPF04 - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe

and here's the other one:

PsService v1.1 - local and remote services viewer/controller
Copyright © 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: 6to4
Offers IPv6 connectivity over an IPv4 network
   TYPE        : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : 6to4
   DEPENDENCIES     : RpcSS
           : tcpip6
           : winmgmt
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 4  DISABLED
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Alerter
   DEPENDENCIES     : LanmanWorkstation
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: ALG
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\alg.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Application Layer Gateway Service
   DEPENDENCIES     :
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 4  DISABLED
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Application Management
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: aswUpdSv
Provides automatic updating for the avast! antivirus.
   TYPE        : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : avast! iAVS4 Control Service
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : AudioGroup
   TAG        : 0
   DISPLAY_NAME     : Windows Audio
   DEPENDENCIES     : PlugPlay
           : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: avast! Antivirus
Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler.
   TYPE        : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : avast! Antivirus
   DEPENDENCIES     : aswMon2
           : RpcSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: avast! Mail Scanner
Implements mail scanning for avast! antivirus.
   TYPE        : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : avast! Mail Scanner
   DEPENDENCIES     : avast! Antivirus
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: avast! Web Scanner
Implements web (HTTP) scanning for avast! antivirus.
   TYPE        : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : avast! Web Scanner
   DEPENDENCIES     : avast! Antivirus
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Avg7Alrt
(null)
   TYPE        : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : AVG7 Alert Manager Server
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Avg7UpdSvc
(null)
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : AVG7 Update Service
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Uses idle network bandwidth to transfer data.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Background Intelligent Transfer Service
   DEPENDENCIES     : Rpcss
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Computer Browser
   DEPENDENCIES     : LanmanWorkstation
           : LanmanServer
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: CiSvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
   TYPE        : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\cisvc.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Indexing Service
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\clipsrv.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : ClipBook
   DEPENDENCIES     : NetDDE
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: COMSysApp
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : COM+ System Application
   DEPENDENCIES     : rpcss
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 30 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 1000 seconds
           : Restart   DELAY: 5000 seconds
           : None   DELAY: 1000 seconds

SERVICE_NAME: CryptSvc
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Cryptographic Services
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: DeepsightExtractor
(null)
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Deepsight Extractor
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : TDI
   TAG        : 0
   DISPLAY_NAME     : DHCP Client
   DEPENDENCIES     : Tcpip
           : Afd
           : NetBT
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\dmadmin.exe /com
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Logical Disk Manager Administrative Service
   DEPENDENCIES     : RpcSs
           : PlugPlay
           : DmServer
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Logical Disk Manager
   DEPENDENCIES     : RpcSs
           : PlugPlay
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k NetworkService
   LOAD_ORDER_GROUP  : TDI
   TAG        : 0
   DISPLAY_NAME     : DNS Client
   DEPENDENCIES     : Tcpip
   SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: ERSvc
Allows error reporting for services and applications running in non-standard environments.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Error Reporting Service
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\services.exe
   LOAD_ORDER_GROUP  : Event log
   TAG        : 0
   DISPLAY_NAME     : Event Log
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : Network
   TAG        : 0
   DISPLAY_NAME     : COM+ Event System
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ExtractorServiceNPF03
(null)
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : DeepSight Extractor Service for NPF03
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ExtractorServiceNPF04
(null)
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : DeepSight Extractor Service for NPF04
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: FastUserSwitchingCompatibility
Provides management for applications that require assistance in a multiple user environment.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Fast User Switching Compatibility
   DEPENDENCIES     : TermService
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Help and Support
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 100 seconds
           : Restart   DELAY: 100 seconds
           : None   DELAY: 100 seconds

SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 4  DISABLED
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Human Interface Device Access
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\imapi.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : IMAPI CD-Burning COM Service
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Server
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : NetworkProvider
   TAG        : 0
   DISPLAY_NAME     : Workstation
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP  : TDI
   TAG        : 0
   DISPLAY_NAME     : TCP/IP NetBIOS Helper
   DEPENDENCIES     : NetBT
           : Afd
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Messenger
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 4  DISABLED
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Messenger
   DEPENDENCIES     : LanmanWorkstation
           : NetBIOS
           : PlugPlay
           : RpcSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\mnmsrvc.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : NetMeeting Remote Desktop Sharing
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\msdtc.exe
   LOAD_ORDER_GROUP  : MS Transactions
   TAG        : 0
   DISPLAY_NAME     : Distributed Transaction Coordinator
   DEPENDENCIES     : RPCSS
           : SamSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSIServer
Installs, repairs and removes software according to instructions contained in .MSI files.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\msiexec.exe /V
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Windows Installer
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\netdde.exe
   LOAD_ORDER_GROUP  : NetDDEGroup
   TAG        : 0
   DISPLAY_NAME     : Network DDE
   DEPENDENCIES     : NetDDEDSDM
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\netdde.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Network DDE DSDM
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\lsass.exe
   LOAD_ORDER_GROUP  : RemoteValidation
   TAG        : 0
   DISPLAY_NAME     : Net Logon
   DEPENDENCIES     : LanmanWorkstation
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
   TYPE        : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Network Connections
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetSvc
(null)
   TYPE        : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 4  DISABLED
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\Program Files\Intel\NCS\Sync\NetSvc.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Intel NCS NetService
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Nla
Collects and stores network configuration and location information, and notifies applications when this information changes.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Network Location Awareness (NLA)
   DEPENDENCIES     : Tcpip
           : Afd
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\lsass.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : NT LM Security Support Provider
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
(null)
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Removable Storage
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NVSvc
(null)
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\nvsvc32.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : NVIDIA Driver Helper Service
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: OutpostFirewall
(null)
   TYPE        : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /service
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Outpost Firewall Service
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\services.exe
   LOAD_ORDER_GROUP  : PlugPlay
   TAG        : 0
   DISPLAY_NAME     : Plug and Play
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\lsass.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : IPSEC Services
   DEPENDENCIES     : RPCSS
           : Tcpip
           : IPSec
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
   TYPE        : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\lsass.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Protected Storage
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Remote Access Auto Connection Manager
   DEPENDENCIES     : RasMan
           : Tapisrv
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Remote Access Connection Manager
   DEPENDENCIES     : Tapisrv
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RDSessMgr
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\sessmgr.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Remote Desktop Help Session Manager
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 4  DISABLED
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Routing and Remote Access
   DEPENDENCIES     : RpcSS
           : +NetBIOSGroup
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\locator.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Remote Procedure Call (RPC) Locator
   DEPENDENCIES     : LanmanWorkstation
   SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost -k rpcss
   LOAD_ORDER_GROUP  : COM Infrastructure
   TAG        : 0
   DISPLAY_NAME     : Remote Procedure Call (RPC)
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 0 seconds
   FAILURE_ACTIONS     : Reboot   DELAY: 60000 seconds

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\rsvp.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : QoS RSVP
   DEPENDENCIES     : TcpIp
           : Afd
           : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\lsass.exe
   LOAD_ORDER_GROUP  : LocalValidation
   TAG        : 0
   DISPLAY_NAME     : Security Accounts Manager
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardClnt
Enables support for legacy non-plug and play smart-card readers used by this computer.
   TYPE        : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 4  DISABLED
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\WINDOWS\SYSTEM32\SCardClnt.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Smart Card Client
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 5 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 1 seconds

SERVICE_NAME: SCardDrv
Enables support for legacy non-plug and play smart-card readers used by this computer. If this service is stopped, this computer will not support legacy reader. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\WINDOWS\System32\SCardSvr.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Smart Card Helper
   DEPENDENCIES     : +Smart Card Reader
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\WINDOWS\System32\SCardSvr.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Smart Card
   DEPENDENCIES     : PlugPlay
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : SchedulerGroup
   TAG        : 0
   DISPLAY_NAME     : Task Scheduler
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Secondary Logon
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events.  Notifies COM+ Event System subscribers of these events.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : Network
   TAG        : 0
   DISPLAY_NAME     : System Event Notification
   DEPENDENCIES     : EventSystem
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ShellHWDetection
(null)
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : ShellSvcGroup
   TAG        : 0
   DISPLAY_NAME     : Shell Hardware Detection
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
   TYPE        : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\spoolsv.exe
   LOAD_ORDER_GROUP  : SpoolerGroup
   TAG        : 0
   DISPLAY_NAME     : Print Spooler
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 60000 seconds
           : Restart   DELAY: 60000 seconds
           : None   DELAY: 0 seconds

SERVICE_NAME: srservice
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : System Restore Service
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SSDPSRV
Enables discovery of UPnP devices on your home network.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : SSDP Discovery Service
   DEPENDENCIES     :
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: stisvc
Provides image acquisition services for scanners and cameras.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k imgsvc
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Windows Image Acquisition (WIA)
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SwPrv
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\WINDOWS\System32\dllhost.exe /Processid:{F79A1568-D6C5-4C69-A086-936CF52DBBE3}
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : MS Software Shadow Copy Provider
   DEPENDENCIES     : rpcss
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\smlogsvc.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Performance Logs and Alerts
   DEPENDENCIES     :
   SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Telephony
   DEPENDENCIES     : PlugPlay
           : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TermService
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Terminal Services
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Themes
Provides user experience theme management.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : UIGroup
   TAG        : 0
   DISPLAY_NAME     : Themes
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 60000 seconds
           : Restart   DELAY: 60000 seconds
           : None   DELAY: 0 seconds

SERVICE_NAME: TrkWks
Maintains links between NTFS files within a computer or across computers in a network domain.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Distributed Link Tracking Client
   DEPENDENCIES     : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: uploadmgr
Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Upload Manager
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 100 seconds
           : Restart   DELAY: 100 seconds
           : None   DELAY: 100 seconds

SERVICE_NAME: upnphost
Provides support to host Universal Plug and Play devices.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Universal Plug and Play Device Host
   DEPENDENCIES     : SSDPSRV
   SERVICE_START_NAME: NT AUTHORITY\LocalService
   FAIL_RESET_PERIOD : -1 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 0 seconds

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\ups.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Uninterruptible Power Supply
   DEPENDENCIES     :
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\vssvc.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Volume Shadow Copy
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: w32time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Windows Time
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP  : NetworkProvider
   TAG        : 0
   DISPLAY_NAME     : WebClient
   DEPENDENCIES     : MRxDAV
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: winmgmt
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 0  IGNORE
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Windows Management Instrumentation
   DEPENDENCIES     : RPCSS
           : Eventlog
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS     : Restart   DELAY: 60000 seconds
           : Restart   DELAY: 60000 seconds

SERVICE_NAME: WmdmPmSp
Retrieves the serial number of any portable music player connected to your computer
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Portable Media Serial Number
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WmiApSrv
Provides performance library information from WMI HiPerf providers.
   TYPE        : 10 WIN32_OWN_PROCESS
   START_TYPE     : 3  DEMAND_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\wbem\wmiapsrv.exe
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : WMI Performance Adapter
   DEPENDENCIES     : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  :
   TAG        : 0
   DISPLAY_NAME     : Automatic Updates
   DEPENDENCIES     :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
Provides automatic configuration for the 802.11 adapters
   TYPE        : 20 WIN32_SHARE_PROCESS
   START_TYPE     : 2  AUTO_START
   ERROR_CONTROL     : 1  NORMAL
   BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP  : TDI
   TAG        : 0
   DISPLAY_NAME     : Wireless Zero Configuration
   DEPENDENCIES     : RpcSs
           : Ndisuio
   SERVICE_START_NAME: LocalSystem

Once again guestolo, thanks very much for all your help.
Much appreciated :D
Title: Computer infected
Post by: guestolo on April 26, 2005, 02:53:45 PM
Did you check out that link to Windows update and apply the patch to your machine????

With the installation and uninstallation of the security software you're installing, it's hard to follow along with this log

You have AVG and AVAST installed on the computer
You only need and only want one running on your machine, more than one will cause conflicts

I also see Norton's Deepsight Extractor services running on your computer
What made you need to install this???
From my understanding from this link it is used in conjunction with Norton Internet software
I'm not sure if I totally understand it yet
http://analyzer.securityfocus.com/downloadnis.asp

Keep the virus software you're happiest with and uninstall the other
I still don't know if your system is clean, this has been a long post
I've kind of lost track of what is going on with all the changes you have made

Post back a fresh log later and let me know if you visited Windows updates
Title: Computer infected
Post by: irish-paddy on May 05, 2005, 08:20:58 AM
Just back from a holiday :D so I've not been on the internet.

Anyway, I've uninstalled AVG and I'm using AVAST. I'm also using Kerio Personal Firewall.

I've visited the website and got all the updates.

I know it's been a long post but hopefully I'm now clean and here's my new HijackThis log.

Cheers guestolo

Logfile of HijackThis v1.99.0
Scan saved at 14:15:34, on 05/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PAT DESKTOP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Deepsight Extractor - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: DeepSight Extractor Service for NPF03 - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
O23 - Service: DeepSight Extractor Service for NPF04 - Unknown - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
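As an added example (not code from this thread, from HijackThis or from Ewido), here is a small Python triage script for the O4, O23 and O16 lines in logs like the one above. The sample lines and the "smpl*" names are constructed, and the three checks are common reviewer heuristics rather than HijackThis's own logic; every finding is something for a person to verify, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the HijackThis v1.99 log format. They are not
# copied from any real machine; the two "smpl*" entries are invented so that
# the review checks below have something to flag.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [Sample USB Driver] smplusb.exe",
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background',
    r"O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe",
    r"O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - "
    r"C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe",
    r"O23 - Service: Sample Helper - Unknown - "
    r"C:\Documents and Settings\User\Local Settings\Temp\smplhelp.exe",
    r"O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - "
    r"http://www.pandasoftware.com/activescan/as5/asinst.cab",
]

RUN_RE = re.compile(r"^O4 - (?P<location>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<location>(?:Global |User )?Startup): (?P<name>.+?) = (?P<command>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)")
EXE_RE = re.compile(r"(.*?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s|$)", re.IGNORECASE)


@dataclass
class Entry:
    kind: str            # "O4" (autorun), "O23" (service) or "O16" (downloaded ActiveX)
    name: str            # Run value name, .lnk name, service name or DPF class name
    command: str         # command line, service binary path or .cab URL
    location: str = ""   # O4: registry key or startup folder; O16: CLSID
    vendor: str = ""     # O23 only: publisher string HijackThis read from the file


def parse_line(line):
    """Return an Entry for the O4/O23/O16 lines this script understands, else None."""
    line = line.rstrip()
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if m:
        return Entry("O4", m["name"], m["command"], location=m["location"])
    if line.startswith("O23 - Service: "):
        parts = line[len("O23 - Service: "):].split(" - ", 2)   # name - company - path
        return Entry("O23", parts[0], parts[2], vendor=parts[1]) if len(parts) == 3 else None
    m = DPF_RE.match(line)
    if m:
        return Entry("O16", m["name"], m["url"], location=m["clsid"])
    return None


def parse_log(lines):
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def executable_of(command):
    """Strip quotes and arguments from an autorun/service command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else (command.split() or [""])[0]


def review(entries):
    """Apply common triage heuristics; each finding is (entry, reason) for a human to verify."""
    findings = []
    for e in entries:
        if e.kind not in ("O4", "O23"):
            continue
        exe = executable_of(e.command)
        low = exe.lower()
        machine_wide = e.kind == "O23" or e.location.startswith(("HKLM", "Global"))
        if "\\" not in exe:
            findings.append((e, "bare file name with no directory: the system resolves it by "
                                "search path, so locate the real file before deciding"))
        if machine_wide and ("\\temp\\" in low or "\\documents and settings\\" in low):
            findings.append((e, "runs from a user profile or temp folder, unusual for a "
                                "service or machine-wide autorun"))
        if e.kind == "O23" and e.vendor == "Unknown":
            findings.append((e, "no publisher read from the binary; legitimate software shows "
                                "this too, so check the file rather than the label"))
    return findings


if __name__ == "__main__":
    for entry, reason in review(parse_log(SAMPLE_LINES)):
        print(f"{entry.kind} [{entry.name}] {entry.command}\n    -> {reason}")
```

Feed it a saved log with `parse_log(open("hijackthis.log").read().splitlines())`; lines it does not recognise (R0/R1, O9, O12, ...) are skipped rather than misread.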
Title: Computer infected
Post by: spy_war on May 05, 2005, 04:34:22 PM
Follow the instructions to remove the mentioned viruses:

SideFind removal (http://www.spyware-removal-guideline.com/sidefind-removal)
180Solutions removal (http://www.spyware-removal-guideline.com/180solutions-removal)
VX2 removal (http://www.spyware-removal-guideline.com/vx2-removal)
Ezula removal (http://www.spyware-removal-guideline.com/ezula-removal)
Backdoor.Win32.Rbot.gen removal (http://www.spyware-removal-guideline.com/backdoor-win32-rbot-gen-removal)
Title: Computer infected
Post by: Guest on May 06, 2005, 06:06:42 AM
I can find the virus, but I can't clear these viruses!
HELP!
The virus's name: not-a-virus:adware.winad.i
Melody -- a Chinese girl :(
Title: Computer infected
Post by: irish-paddy on May 06, 2005, 08:54:16 AM
Don't mean this to sound cheeky or anything, but who are you spy_war? :)

I just don't want to click on those links in case they give me viruses or anything, but if you are genuine, cheers for the help.

Where is guestolo anyway?
Title: Computer infected
Post by: guestolo on May 06, 2005, 05:43:12 PM
Let me do some catching up on this thread, not sure where we stand right now
Your log looks good, but let's see what we uncover

Let's try the following Irish

This is a free trojan scanner, yours to keep
Fully functional for 14 days, afterwards it's limited, but no worries, it still performs well
==Download and then Install
Ewido Trojan Scanner (http://www.ewido.net/en/download/)

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido
We'll need it later

Next:
=Download RKFiles.zip from the link
http://skads.org/special/rkfiles.zip
UNZIP the contents to its own folder

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, after the single POST beep, or use the link I supplied for a more detailed explanation

==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report


Open the folder you unzipped rkfiles.zip to
Double click to run Rkfiles.bat
Wait for the scan to finish, give this time
When it's done a log will be produced, save this log
By default, it is saved to C:\Log.txt

Restart back to Normal mode and post back a fresh HijackThis log, the log from Rkfiles.bat and the report from Ewido

Could you also update your version of HijackThis; you can download the latest version from my signature below
Post back a log from this version
Title: Computer infected
Post by: Guest_Tom_* on May 07, 2005, 05:23:22 AM
You might want to consider doing a Clean Install.  Format your hard drive and reload Windows and all other software.

www.consumermethods.info
Title: Computer infected
Post by: irish-paddy on May 07, 2005, 10:48:11 AM
Done everything, computer seems to be working a lot better now.

Forgot to save the report :( but here's the infections it found,

ORIGIN                           INFECTED WITH
C:\WINDOWS\SYSTEM32\dust         TrojanDwonloader.Ftp.i
C:\WINDOWS\bbchk.exe             Spyware.Bargainbuddy


Here's what Rkfiles.bat found,

C:\Documents and Settings\Karen Deighan\Desktop\New Folder\rkfiles
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\DFRG.MSC: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\alk.exe: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye



And here's the HijackThis log (I got the newer one)

Logfile of HijackThis v1.99.1
Scan saved at 16:12:45, on 07/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Karen Deighan\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: DeepSight Extractor Service for NPF03 (ExtractorServiceNPF03) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
O23 - Service: DeepSight Extractor Service for NPF04 (ExtractorServiceNPF04) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
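The rkfiles output above works by looking for packer marker strings inside the files of a few well-known folders and printing hits as "path: MARKER" (here "C:\WINDOWS\alk.exe: UPX!"). The script below is an added example in Python of that same sweep, written for this thread; it is not rkfiles.bat itself. The marker table, the file extensions scanned, the size cap and the constructed sample files are all assumptions made for the example. As rkfiles' own banner says, a hit only means a file is packed and worth a closer look (uploading it to a multi-engine scanner, as guestolo asks next), not that it is malicious: UPX is a legitimate packer used by plenty of clean software.

```python
"""rkfiles-style packer sweep: list files in one folder whose bytes contain a
packer marker such as b"UPX!" (the string rkfiles.bat reported above).
Added example for this thread; this is not the rkfiles.bat script itself.
"""
import os
import tempfile
from pathlib import Path

# Marker bytes -> label to print. "UPX!" is the only marker shown in the
# rkfiles output; holding several in a dict is an assumption of this example.
MARKERS = {b"UPX!": "UPX!"}
# Assumption: which file types rkfiles inspects is not documented in the thread.
SCAN_EXTS = (".exe", ".dll", ".scr", ".sys")
MAX_BYTES = 8 * 1024 * 1024  # assumption: skip very large files


def find_markers(data: bytes, markers=MARKERS) -> list[str]:
    """Return the label of every marker that appears anywhere in data."""
    return [label for sig, label in markers.items() if sig in data]


def scan_folder(folder: str, markers=MARKERS, exts=SCAN_EXTS) -> dict[str, list[str]]:
    """Non-recursive sweep of one folder, the way rkfiles lists each folder
    separately. Returns {path: [labels]} for files with at least one hit."""
    hits: dict[str, list[str]] = {}
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in exts:
            continue  # ignore sub-folders and non-executable types
        if entry.stat().st_size > MAX_BYTES:
            continue  # keep memory bounded; oversized files are left for a manual check
        found = find_markers(entry.read_bytes(), markers)
        if found:
            hits[str(entry)] = found
    return hits


def format_report(hits: dict[str, list[str]]) -> list[str]:
    """Render hits in the 'path: MARKER' shape rkfiles prints."""
    return [f"{path}: {' '.join(labels)}" for path, labels in hits.items()]


def demo() -> dict[str, list[str]]:
    """Build a throwaway folder of constructed files and sweep it.
    Returns {basename: labels} so the result does not depend on the temp path."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed samples, not real binaries: a stub carrying UPX section
        # names and the UPX! marker, an unpacked stub, and a text file that
        # mentions the marker but is skipped because of its extension.
        Path(tmp, "alk.exe").write_bytes(
            b"MZ\x90\x00" + b"\x00" * 60 + b"UPX0\x00UPX1\x00UPX!\x0d")
        Path(tmp, "NeroCheck.exe").write_bytes(
            b"MZ\x90\x00" + b"\x00" * 60 + b".text\x00")
        Path(tmp, "notes.txt").write_bytes(b"UPX! inside a text file")
        hits = scan_folder(tmp)
        return {os.path.basename(p): labels for p, labels in hits.items()}


if __name__ == "__main__":
    for line in format_report(demo()):
        print(line)  # alk.exe: UPX!
```

Point the sweep at a real folder with `scan_folder(r"C:\WINDOWS")`; the marker search is a plain substring test, so it finds the string wherever it sits in the file, which is also why the result needs a human (or a multi-engine scan) to decide whether the packed file is legitimate.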
Title: Computer infected
Post by: guestolo on May 07, 2005, 01:30:41 PM
Can you run a scan for me, I'm pretty sure it's a bad file, just want to double check
I also want to double check a few other things

Go to this link
Give this site time to load
Jotti's Online Malware scan (http://virusscan.jotti.org/)

Use the browse button and navigate to this file on your hard drive
C:\WINDOWS\alk.exe <-this file
Right click on each  file individually  and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please, just the scanner results for each file

Could you also
Download and UNZIP to desktop Export.zip
So you now have Export.bat on the desktop
Double click on Export.bat
If a new text file is placed on the desktop>>Export.txt
Can you copy and paste that info back here
[attachment=205:attachment]

Another check
Can you also download this file
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to its own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Copy and paste the log file here.

One last check
Download SilentRunners.vbs (http://www.silentrunners.org/Silent%20Runners.zip)
Unzip it to a permanent folder.
Start SilentRunners.vbs
If your antivirus gives you an alert, don't block it. Allow the script.
Copy and paste the content of the txtfile you get afterwards in your next reply.
You will be notified when it is Done, so wait till it has finished
Title: Computer infected
Post by: irish-paddy on May 09, 2005, 09:43:13 AM
Here's Jotti's Online Malware Scanner results,

Scanner results  
AntiVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found W32/AdClicker.CG  
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
mks_vir  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
VBA32  Found nothing


Once again Export.bat isn't working. It opens for less than a second and closes, so there must be something on the computer closing it every time I try to open it :(


Anyway here's what the other two found,

ROOTKITREVEALER (The results wouldn't save but it found this)
PATH:        HKLM\SOFTWARE\Ahead\NeroVision\Effects\{e9523f94f971422578d5aea1696}
TIMESTAMP:   06/04/2004 18.54
SIZE:        25 bytes
DESCRIPTION: Data mismatch between Windows API and raw hive data.



SILENTRUNNERS
"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DVDSentry" = "C:\WINDOWS\System32\DSentry.exe" ["Dell - Advanced Desktop Engineering"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"DiTask.exe" = ""C:\Program Files\Eicon\Diva\DiTask.exe"" ["Eicon Networks Corporation"]
"Divamon.exe" = ""C:\Program Files\Eicon\Diva\Divamon.exe"" [null data]
"Eicon TechnologyLAN_DAEMON" = ""C:\Program Files\Eicon\Diva\watch.exe"" ["Eicon Networks Corporation"]
"CGServer" = ""C:\Program Files\Eicon\Diva\cgserver.exe"" ["Eicon Networks Corporation"]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{4979E1C2-EBFE-11D1-BC30-00C04FC976B6}" = "Log Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eicon\Diva\dlfshell.dll" ["Eicon Networks Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{D3796116-94D3-4009-96D7-51578411CC7D}" = "Outpost Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\LOGON.SCR" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Karen Deighan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Karen Deighan" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe" [empty string]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"ISP signup reminder 1" -> launches: "C:\WINDOWS\System32\OOBE\OOBEBALN.EXE /sys /i /n:1" [MS]
"PCHPantispyPatrick Deighan" -> launches: "C:\Program Files\PC Health Plan\PC Health Plan.exe sscan" [file not found]
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

6to4, 6to4, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Deepsight Extractor, DeepsightExtractor, "C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe" [null data]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Kerio Personal Firewall 4, KPF4, ""C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe"" ["Kerio Technologies"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


Cheers Guestolo
Title: Computer infected
Post by: irish-paddy on May 09, 2005, 01:18:24 PM
Ohh, just another quick question,

I've been trying to go onto 888.com and partypoker.com to try and play poker, but they are blocked by my security settings. Do you know if they are blocked by SpywareBlaster, and how would I get onto these sites?

Or would I just be better staying off them? :)
Title: Computer infected
Post by: j.j on May 11, 2005, 06:45:48 AM
j.j
Title: Computer infected
Post by: Guest on May 11, 2005, 02:10:48 PM
I got this nasty virus too. You can stop your machine from shutting down by typing shutdown -a in the Run box. Good luck
Title: Computer infected
Post by: guestolo on May 11, 2005, 10:50:31 PM
Sorry for the late reply Irish
Both those sites are on IE-Spyad's restricted list
That's not good
I would stay away from them

Please check out IE-Spyad if you haven't yet
But yes, chances are if the site is on the restricted list, you will have that prompt about Security settings
Especially sites of that nature
They are most likely trying to download and install a bad Active X
or Whatever

You know the consequences
Title: Computer infected
Post by: irish-paddy on May 14, 2005, 06:38:04 AM
:D No probs, I'll be staying well away from those sites!!! You seem to be very busy these days helping loads and loads of people with all their problems, I hope they are paying you for this :)

Anyway, how's my computer looking? All good?
Title: Computer infected
Post by: guestolo on May 14, 2005, 02:49:13 PM
Thanks for posting back, I'll lock up this tennis match Irish :D
Stay safe

EDIT>>Before I lock it up can I see one last Hijackthis log
Let's make sure you're still clean
Title: Computer infected
Post by: irish-paddy on May 15, 2005, 04:08:14 PM
Logfile of HijackThis v1.99.1
Scan saved at 22:07:03, on 15/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Karen Deighan\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: DeepSight Extractor Service for NPF03 (ExtractorServiceNPF03) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
O23 - Service: DeepSight Extractor Service for NPF04 (ExtractorServiceNPF04) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe




CHEERS FOR ALL YOUR HELP, HOPEFULLY THAT'S ME CLEAN

STAY SAFE FELLA
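What guestolo does with this final log is compare it against the earlier one and look for anything that appeared in between (here the eBay toolbar entries and the O17 NameServer line are new since the 07/05/2005 log). The script below is an added example, written for this thread and not part of HijackThis, that automates that comparison: it parses the Rn/Fn/On entry lines out of two logs, lists the entries present only in the newer one, and prints a few triage hints (O23 services whose file could not be found, the host each O16 ActiveX control downloads from, and O17 DNS server settings). The two sample logs are short constructed excerpts modelled on the logs posted above; the regexes and the choice of sections to flag are assumptions of the example.

```python
"""Diff two HijackThis logs and flag entries worth a second look.
Added example for this thread; HijackThis itself does not include this.
"""
import re
from urllib.parse import urlsplit

# HijackThis entry lines start with a section code (R0, F1, O4, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")

# Constructed excerpt modelled on the 07/05/2005 log above.
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Constructed excerpt modelled on the 15/05/2005 log above: three lines are new.
NEW_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""


def parse_hjt(text: str) -> list[tuple[str, str]]:
    """Return (section, body) for every entry line; the header and the
    'Running processes' list carry no section code and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["sec"], m["body"].strip()))
    return entries


def new_entries(old_text: str, new_text: str) -> list[tuple[str, str]]:
    """Entries present in the newer log but absent from the older one, in log order."""
    seen = set(parse_hjt(old_text))
    return [e for e in parse_hjt(new_text) if e not in seen]


def triage(entries: list[tuple[str, str]]) -> list[str]:
    """Hints a helper would want to eyeball; none of these is a verdict."""
    hints = []
    for sec, body in entries:
        if sec == "O23" and "(file missing)" in body:
            hints.append(f"O23 service whose file could not be found: {body}")
        elif sec == "O16":
            m = re.search(r"https?://\S+", body)
            if m:
                hints.append(f"O16 ActiveX control downloaded from host: {urlsplit(m.group()).hostname}")
        elif sec == "O17":
            m = re.search(r"NameServer = (.*)$", body)
            if m:
                hints.append(f"O17 DNS servers set on an adapter (confirm they are your ISP's): {m.group(1)}")
    return hints


if __name__ == "__main__":
    print("New since previous log:")
    for sec, body in new_entries(OLD_LOG, NEW_LOG):
        print(f"  {sec} - {body}")
    print("Triage hints:")
    for hint in triage(parse_hjt(NEW_LOG)):
        print(f"  {hint}")
```

On the two excerpts the diff reports the O2, O4 and O17 eBay/NameServer lines as new, and the triage list names the missing-file avast! service, the Symantec download host and the two DNS servers. The comparison is exact-match on the whole entry, so a changed path or CLSID shows up as a new entry rather than being silently treated as the same item.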
Title: Computer infected
Post by: guestolo on May 15, 2005, 04:21:13 PM
Looks good Irish, I'll lock it up

Take care :)