Author Topic: CWS.svchost32 and CWS.bootconf help!  (Read 4746 times)

Offline agc8319

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
CWS.svchost32 and CWS.bootconf help!
« on: March 20, 2005, 04:34:07 PM »
I cannot get rid of these two things.  Every time I run CWShredder it removes them but they come right back.  Here is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 4:32:06 PM, on 3/20/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\AVG7~1.0\avgamsvr.exe
D:\AVG7~1.0\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Panorama\Panorama.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Startup: Panorama.lnk = D:\Program Files\Panorama\Panorama.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\xxcyfcbo.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/j1ybNsZSTT69WjQ5tt4.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:\foo.mht!http://t058.com/11cbbd47/x.chm::/open.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8a29296baabe1d6
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1056_XP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04653b4824d567...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093154352655
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092...all/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.com/ESBAdultInstaller.ocx
O16 - DPF: {D03A1C33-1913-4533-A8C1-F2C8D13045DE} - http://www.cjb.net/search.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by14fd.bay14.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccomm...oad/sonyctl.CAB
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\System32\Kifibo32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgupsvc.exe
O23 - Service: GBPoll - Symantec Corporation - D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
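Added example, not part of the thread and not code from HijackThis or the helper: a small triage script for the one-entry-per-line HijackThis v1.99 log format that flags the patterns visible in the log above (start-page hijack, hosts-file redirect given as a decimal IP, trusted-IP-range addition, O16 DPF entries loaded from `file://` or `ms-its:` sources, and O21/O23 entries whose binary is missing or whose owner is unknown). The sample lines are constructed from entries in this thread's log; the severity labels are the script's own.

```python
"""Triage helper for HijackThis v1.99-style log lines (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample, copied from entries in the log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Startup: Panorama.lnk = D:\Program Files\Panorama\Panorama.exe
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\xxcyfcbo.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:\foo.mht!http://t058.com/11cbbd47/x.chm::/open.exe
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\System32\Kifibo32.dll (file missing)
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HJT entry is "<section> - <body>", e.g. "O16 - DPF: ...".
ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class Finding:
    section: str
    severity: str  # "high" or "review"
    reason: str
    line: str


def decode_hosts_ip(token: str) -> str:
    """A hosts file accepts a bare decimal integer as an IPv4 address; show it dotted."""
    if token.isdigit():
        return str(ipaddress.IPv4Address(int(token)))
    return token


def triage_line(line: str):
    """Return a Finding for a suspicious entry, or None for a benign/unknown line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.groups()
    if sec in ("R0", "R1") and "=" in body:
        host = urlsplit(body.split("=", 1)[1].strip()).hostname
        return Finding(sec, "review", f"browser setting points at {host}", line)
    if sec == "R3" and "missing" in body:
        return Finding(sec, "review", "default URLSearchHook removed", line)
    if sec == "F2" and body.endswith("Shell="):
        return Finding(sec, "high", "system.ini Shell= is empty", line)
    if sec == "O1":
        parts = body.split(":", 1)[1].split()
        if len(parts) >= 2:
            addr = decode_hosts_ip(parts[0])
            if addr not in LOOPBACK:
                return Finding(sec, "high", f"hosts redirects {parts[1]} to {addr}", line)
    if sec == "O15":
        return Finding(sec, "high", "IP range added to Trusted Zone", line)
    if sec == "O16":
        source = body.rsplit(" - ", 1)[-1]
        scheme = source.split(":", 1)[0].lower()
        if scheme in ("file", "ms-its") or source.lower().endswith(".exe"):
            return Finding(sec, "high", f"DPF entry loads an executable via {scheme}", line)
    if sec == "O21" and "(file missing)" in body:
        return Finding(sec, "high", "SSODL entry references a missing DLL", line)
    if sec == "O23":
        if "(file missing)" in body:
            return Finding(sec, "high", "service binary missing (leftover or hidden loader)", line)
        if "Unknown owner" in body:
            return Finding(sec, "review", "service with unknown owner", line)
    return None


def triage_log(text: str) -> list:
    """Run triage_line over a whole log and keep only the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```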

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #1 on: March 20, 2005, 05:01:58 PM »
Create a new folder on your desktop
Right click an empty spot on the desktop
Select NEW>>FOLDER
Name the new folder Locate
Download and save to desktop Locate.zip

UNZIP the contents to that newly created folder
Open the Locate folder and Double click to run Locate.bat

Wait for the report and post it back here with a fresh Hijackthis log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline agc8319

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #2 on: March 20, 2005, 05:17:54 PM »
I did what you said and created the folder as well as unzipping and running the file locate.bat.  When I double click locate.bat I get a message that reads

C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT.  The system file is not suitable for running MS-DOS and Microsoft Windows applications.  Choose 'Close' to terminate the application.

Am I doing something wrong?

Offline agc8319

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #3 on: March 20, 2005, 05:21:19 PM »
If I choose ignore, the program still closes and if I choose close it obviously closes.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #4 on: March 20, 2005, 05:24:46 PM »
What happens if you navigate to the
C:\WINDOWS\REPAIR
folder
Copy Autoexec.nt from that folder and paste it to the
C:\WINDOWS\System32 folder

If no go
Go to this link and download the correct copy for your operating system
http://www.tech-forums.net/computer/topic/29806.html

If you're not sure if you have XP home or pro
Go to START>>RUN>>type in winver
Hit Ok

You may have to restart your computer afterwards

I'll be back later to see how you're doing



Offline agc8319

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #5 on: March 20, 2005, 05:36:47 PM »
Copying the file from the Repair folder to the System32 folder worked, I think.  I do not get a message preventing me from running locate.bat.  When I click on locate.bat now, it opens a C prompt and then reports file not found, then automatically closes.  Here is the updated HJT log as you requested I do after running locate.bat.  

Logfile of HijackThis v1.99.1
Scan saved at 5:32:33 PM, on 3/20/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\AVG7~1.0\avgamsvr.exe
D:\AVG7~1.0\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Panorama\Panorama.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
D:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Startup: Panorama.lnk = D:\Program Files\Panorama\Panorama.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\xxcyfcbo.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/j1ybNsZSTT69WjQ5tt4.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:\foo.mht!http://t058.com/11cbbd47/x.chm::/open.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8a29296baabe1d6
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1056_XP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04653b4824d567...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093154352655
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092...all/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.com/ESBAdultInstaller.ocx
O16 - DPF: {D03A1C33-1913-4533-A8C1-F2C8D13045DE} - http://www.cjb.net/search.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by14fd.bay14.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccomm...oad/sonyctl.CAB
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\System32\Kifibo32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgupsvc.exe
O23 - Service: GBPoll - Symantec Corporation - D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #6 on: March 20, 2005, 05:39:11 PM »
Look in the folder Locate for Report.txt
If it's there post it back here, if not try running Locate.bat again

I need the hidden installers name or you will just keep getting reinfected
If you can't get this to work we will have to try other methods

Ensure you unzipped Locate.zip to a folder of its own

If you can't get the log to show
Can you follow these instructions
Click here and download Startdreck.zip http://www.niksoft.at/_data/startdreck.zip

UNZIP to a folder. DoubleClick: 'StartDreck.exe'
First click on the config button.
Now click the Unmark all button
Under "System/Drivers", put a check by these boxes only:
*Mark NT Services
*List binaries
*NT Kernel- and FS Drivers
Now click the Save button to save that log. Go to the StartDreck folder and find the Startdreck.log file.

Copy and Paste the contents of that log back here
« Last Edit: March 20, 2005, 06:19:40 PM by guestolo »



Offline agc8319

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #7 on: March 20, 2005, 06:36:59 PM »
In report.txt, this is what was written

C:\WINDOWS\SYSTEM32\DRIVERS\BDASUPI.SYS

Offline agc8319

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #8 on: March 20, 2005, 08:08:48 PM »
In case that wasn't what you needed, here is a copy of the StartDreck log.

»Registry
»Files
»System/Drivers
 »NT Services
  *Alerter   Alerter   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k LocalService
  *Application Layer Gateway Service   ALG   -   on demand
   `binary: C:\WINDOWS\System32\alg.exe
  *Application Management   AppMgmt   -   on demand
   `binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
  *Windows Audio   AudioSrv   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *AVG7 Alert Manager Server   Avg7Alrt   running   auto
   `binary: D:\AVG7~1.0\avgamsvr.exe
  *AVG7 Update Service   Avg7UpdSvc   running   auto
   `binary: D:\AVG7~1.0\avgupsvc.exe
  *Background Intelligent Transfer Service   BITS   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Computer Browser   Browser   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Indexing Service   cisvc   running   auto
   `binary: C:\WINDOWS\System32\cisvc.exe
  *ClipBook   ClipSrv   -   on demand
   `binary: C:\WINDOWS\system32\clipsrv.exe
  *COM+ System Application   COMSysApp   -   on demand
   `binary: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  *Cryptographic Services   CryptSvc   running   auto
   `binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
  *DHCP Client   Dhcp   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Logical Disk Manager Administrative Service   dmadmin   -   on demand
   `binary: C:\WINDOWS\System32\dmadmin.exe /com
  *Logical Disk Manager   dmserver   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *DNS Client   Dnscache   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k NetworkService
  *Error Reporting Service   ERSvc   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Event Log   Eventlog   running   auto
   `binary: C:\WINDOWS\system32\services.exe
  *COM+ Event System   EventSystem   running   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Fast User Switching Compatibility   FastUserSwitchingCom   running   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *GBPoll   GBPoll   running   auto
   `binary: D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
  *Help and Support   helpsvc   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Human Interface Device Access   HidServ   -   disabled
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *IMAPI CD-Burning COM Service   ImapiService   -   on demand
   `binary: C:\WINDOWS\System32\imapi.exe
  *ISEXEng   ISEXEng   -   auto
   `binary: C:\WINDOWS\System32\angelex.exe
  *Server   lanmanserver   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Workstation   lanmanworkstation   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *TCP/IP NetBIOS Helper   LmHosts   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k LocalService
  *Messenger   Messenger   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *NetMeeting Remote Desktop Sharing   mnmsrvc   -   on demand
   `binary: C:\WINDOWS\System32\mnmsrvc.exe
  *Distributed Transaction Coordinator   MSDTC   -   on demand
   `binary: C:\WINDOWS\System32\msdtc.exe
  *Windows Installer   MSIServer   -   on demand
   `binary: C:\windows\System32\msiexec.exe /V
  *Network DDE   NetDDE   -   on demand
   `binary: C:\WINDOWS\system32\netdde.exe
  *Network DDE DSDM   NetDDEdsdm   -   on demand
   `binary: C:\WINDOWS\system32\netdde.exe
  *Net Logon   Netlogon   -   on demand
   `binary: C:\WINDOWS\System32\lsass.exe
  *Network Connections   Netman   running   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Network Location Awareness (NLA)   Nla   running   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *NT LM Security Support Provider   NtLmSsp   -   on demand
   `binary: C:\WINDOWS\System32\lsass.exe
  *Removable Storage   NtmsSvc   -   on demand
   `binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
  *NVIDIA Driver Helper Service   NVSvc   running   auto
   `binary: C:\WINDOWS\System32\nvsvc32.exe
  *Plug and Play   PlugPlay   running   auto
   `binary: C:\WINDOWS\system32\services.exe
  *IPSEC Services   PolicyAgent   running   auto
   `binary: C:\WINDOWS\System32\lsass.exe
  *Protected Storage   ProtectedStorage   running   auto
   `binary: C:\WINDOWS\system32\lsass.exe
  *Remote Access Auto Connection Manager   RasAuto   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Remote Access Connection Manager   RasMan   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Remote Desktop Help Session Manager   RDSessMgr   -   on demand
   `binary: C:\WINDOWS\system32\sessmgr.exe
  *Routing and Remote Access   RemoteAccess   -   disabled
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Remote Procedure Call (RPC) Locator   RpcLocator   -   on demand
   `binary: C:\WINDOWS\System32\locator.exe
  *Remote Procedure Call (RPC)   RpcSs   running   auto
   `binary: C:\WINDOWS\system32\svchost -k rpcss
  *QoS RSVP   RSVP   -   on demand
   `binary: C:\WINDOWS\System32\rsvp.exe
  *Security Accounts Manager   SamSs   running   auto
   `binary: C:\WINDOWS\system32\lsass.exe
  *Smart Card Helper   SCardDrv   -   on demand
   `binary: C:\WINDOWS\System32\SCardSvr.exe
  *Smart Card   SCardSvr   -   on demand
   `binary: C:\WINDOWS\System32\SCardSvr.exe
  *Task Scheduler   Schedule   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Secondary Logon   seclogon   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *System Event Notification   SENS   running   auto
   `binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
  *Internet Connection Firewall (ICF) / Internet C   SharedAccess   -   on demand
   `onnection Sharing (ICS)
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Shell Hardware Detection   ShellHWDetection   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Print Spooler   Spooler   running   auto
   `binary: C:\WINDOWS\system32\spoolsv.exe
  *Sony SPTI Service   SPTISRV   -   on demand
   `binary: C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
  *System Restore Service   srservice   -   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *SSDP Discovery Service   SSDPSRV   running   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k LocalService
  *Windows Image Acquisition (WIA)   stisvc   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k imgsvc
  *MS Software Shadow Copy Provider   SwPrv   -   on demand
   `binary: C:\WINDOWS\System32\dllhost.exe /Processid:{BA72BC4C-14AC-4B54-B08C-9E23DC869967}
  *Performance Logs and Alerts   SysmonLog   -   on demand
   `binary: C:\WINDOWS\system32\smlogsvc.exe
  *Telephony   TapiSrv   running   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Terminal Services   TermService   running   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Themes   Themes   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Distributed Link Tracking Client   TrkWks   running   auto
   `binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
  *Windows User Mode Driver Framework   UMWdf   running   auto
   `binary: C:\WINDOWS\System32\wdfmgr.exe
  *Upload Manager   uploadmgr   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Universal Plug and Play Device Host   upnphost   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k LocalService
  *Uninterruptible Power Supply   UPS   -   on demand
   `binary: C:\WINDOWS\System32\ups.exe
  *Volume Shadow Copy   VSS   -   on demand
   `binary: C:\WINDOWS\System32\vssvc.exe
  *Windows Time   W32Time   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *WebClient   WebClient   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k LocalService
  *Windows Management Instrumentation   winmgmt   running   auto
   `binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
  *Portable Media Serial Number Service   WmdmPmSN   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *WMI Performance Adapter   WmiApSrv   -   on demand
   `binary: C:\WINDOWS\System32\wbem\wmiapsrv.exe
  *Automatic Updates   wuauserv   running   auto
   `binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
  *Wireless Zero Configuration   WZCSVC   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *ZESOFT   ZESOFT   -   auto
   `binary: C:\WINDOWS\zeta.exe
 »NT Kernel- and FS-drivers
  *Abiosdsk   Abiosdsk   -   disabled
   `binary:
  *abp480n5   abp480n5   -   disabled
   `binary:
  *Microsoft ACPI Driver   ACPI   running   boot
   `binary: \SystemRoot\System32\DRIVERS\ACPI.sys
  *ACPIEC   ACPIEC   -   disabled
   `binary:
  *adpu160m   adpu160m   -   disabled
   `binary:
  *Microsoft Kernel Acoustic Echo Canceller   aec   -   on demand
   `binary: system32\drivers\aec.sys
  *AFD Networking Support Environment   AFD   running   auto
   `binary: \SystemRoot\System32\drivers\afd.sys
  *Intel AGP Bus Filter   agp440   running   boot
   `binary: \SystemRoot\System32\DRIVERS\agp440.sys
  *Aha154x   Aha154x   -   disabled
   `binary:
  *aic78u2   aic78u2   -   disabled
   `binary:
  *aic78xx   aic78xx   -   disabled
   `binary:
  *AliIde   AliIde   -   disabled
   `binary:
  *amsint   amsint   -   disabled
   `binary:
  *1394 ARP Client Protocol   Arp1394   running   on demand
   `binary: System32\DRIVERS\arp1394.sys
  *asc   asc   -   disabled
   `binary:
  *asc3350p   asc3350p   -   disabled
   `binary:
  *asc3550   asc3550   -   disabled
   `binary:
  *Aspi32   Aspi32   running   auto
   `binary:
  *RAS Asynchronous Media Driver   AsyncMac   -   on demand
   `binary: System32\DRIVERS\asyncmac.sys
  *Standard IDE/ESDI Hard Disk Controller   atapi   running   boot
   `binary: \SystemRoot\System32\DRIVERS\atapi.sys
  *Atdisk   Atdisk   -   disabled
   `binary:
  *ATM ARP Client Protocol   Atmarpc   -   on demand
   `binary: System32\DRIVERS\atmarpc.sys
  *Audio Stub Driver   audstub   running   on demand
   `binary: System32\DRIVERS\audstub.sys
  *AVG7 Kernel   Avg7Core   running   system
   `binary: \SystemRoot\System32\Drivers\avg7core.sys
  *AVG7 Wrap Driver   Avg7RsW   running   system
   `binary: \SystemRoot\System32\Drivers\avg7rsw.sys
  *AVG7 Rezident Driver   Avg7RsXP   running   system
   `binary: \SystemRoot\System32\Drivers\avg7rsxp.sys
  *AVG Network Redirector   AvgTdi   running   auto
   `binary: \??\C:\WINDOWS\System32\Drivers\avgtdi.sys
  *Broadcom iLine10(tm) Network Adapter Driver   BCM42XX   -   on demand
   `binary: System32\DRIVERS\bcm42xx5.sys
  *BCM V.90 56K Modem   BCMModem   -   on demand
   `binary: System32\DRIVERS\BCMDM.sys
  *bdasupi   bdasupi   running   auto
   `binary: \??\C:\WINDOWS\System32\drivers\bdasupi.sys
  *Beep   Beep   running   system
   `binary:
  *MAC Bridge   Bridge   -   on demand
   `binary: System32\DRIVERS\bridge.sys
  *MAC Bridge Miniport   BridgeMP   running   on demand
   `binary: System32\DRIVERS\bridge.sys
  *cbidf2k   cbidf2k   -   disabled
   `binary:
  *cd20xrnt   cd20xrnt   -   disabled
   `binary:
  *Cdaudio   Cdaudio   -   system
   `binary:
  *Cdfs   Cdfs   running   disabled
   `binary:
  *CD-ROM Driver   Cdrom   running   system
   `binary: System32\DRIVERS\cdrom.sys
  *Changer   Changer   -   system
   `binary:
  *CmdIde   CmdIde   -   disabled
   `binary:
  *Cpqarray   Cpqarray   -   disabled
   `binary:
  *dac960nt   dac960nt   -   disabled
   `binary:
  *Disk Driver   Disk   running   boot
   `binary: \SystemRoot\System32\DRIVERS\disk.sys
  *dmboot   dmboot   -   disabled
   `binary: System32\drivers\dmboot.sys
  *Sony DMI Call service   DMICall   running   system
   `binary: System32\DRIVERS\DMICall.sys
  *dmio   dmio   -   disabled
   `binary: System32\drivers\dmio.sys
  *dmload   dmload   -   disabled
   `binary: System32\drivers\dmload.sys
  *Microsoft Kernel DLS Syntheiszer   DMusic   -   on demand
   `binary: system32\drivers\DMusic.sys
  *dpti2o   dpti2o   -   disabled
   `binary:
  *Microsoft Kernel DRM Audio Descrambler   drmkaud   -   on demand
   `binary: system32\drivers\drmkaud.sys
  *Fastfat   Fastfat   running   disabled
   `binary:
  *Floppy Disk Controller Driver   Fdc   running   on demand
   `binary: System32\DRIVERS\fdc.sys
  *Fips   Fips   running   system
   `binary:
  *Floppy Disk Driver   Flpydisk   running   on demand
   `binary: System32\DRIVERS\flpydisk.sys
  *Volume Manager Driver   Ftdisk   running   boot
   `binary: \SystemRoot\System32\DRIVERS\ftdisk.sys
  *GBDevice   GBDevice   running   boot
   `binary:
  *GBFSHook   GBFSHook   running   auto
   `binary:
  *GoBack2K   GoBack2K   running   boot
   `binary:
  *Generic Packet Classifier   Gpc   running   on demand
   `binary: System32\DRIVERS\msgpc.sys
  *Microsoft HID Class Driver   HidUsb   -   on demand
   `binary: System32\DRIVERS\hidusb.sys
  *hpn   hpn   -   disabled
   `binary:
  *hpt3xx   hpt3xx   -   disabled
   `binary:
  *i2omgmt   i2omgmt   running   system
   `binary:
  *i2omp   i2omp   -   disabled
   `binary:
  *i8042 Keyboard and PS/2 Mouse Port Driver   i8042prt   running   system
   `binary: System32\DRIVERS\i8042prt.sys
  *Imapi   Imapi   running   system
   `binary:
  *ini910u   ini910u   -   disabled
   `binary:
  *IntelIde   IntelIde   running   boot
   `binary: \SystemRoot\System32\DRIVERS\intelide.sys
  *IP Traffic Filter Driver   IpFilterDriver   -   on demand
   `binary: System32\DRIVERS\ipfltdrv.sys
  *IP in IP Tunnel Driver   IpInIp   -   on demand
   `binary: System32\DRIVERS\ipinip.sys
  *IP Network Address Translator   IpNat   -   on demand
   `binary: System32\DRIVERS\ipnat.sys
  *IPSEC driver   IPSec   running   system
   `binary: System32\DRIVERS\ipsec.sys
  *IR Enumerator Service   IRENUM   -   on demand
   `binary: System32\DRIVERS\irenum.sys
  *PnP ISA/EISA Bus Driver   isapnp   running   boot
   `binary: \SystemRoot\System32\DRIVERS\isapnp.sys
  *Keyboard Class Driver   Kbdclass   running   system
   `binary: System32\DRIVERS\kbdclass.sys
  *Microsoft Kernel Wave Audio Mixer   kmixer   running   on demand
   `binary: system32\drivers\kmixer.sys
  *KSecDD   KSecDD   running   boot
   `binary:
  *lbrtfdc   lbrtfdc   -   system
   `binary:
  *Lucent Modem Driver   ltmodem5   running   on demand
   `binary: System32\DRIVERS\ltmdmnt.sys
  *mnmdd   mnmdd   running   system
   `binary:
  *Modem   Modem   running   on demand
   `binary:
  *Unimodem Streaming Filter Device   MODEMCSA   -   on demand
   `binary: system32\drivers\MODEMCSA.sys
  *Mouse Class Driver   Mouclass   running   system
   `binary: System32\DRIVERS\mouclass.sys
  *Mouse HID Driver   mouhid   -   on demand
   `binary: System32\DRIVERS\mouhid.sys
  *Mount Point Manager   MountMgr   running   boot
   `binary:
  *mraid35x   mraid35x   -   disabled
   `binary:
  *WebDav Client Redirector   MRxDAV   running   on demand
   `binary: System32\DRIVERS\mrxdav.sys
  *MRxSmb   MRxSmb   running   system
   `binary: System32\DRIVERS\mrxsmb.sys
  *Msfs   Msfs   running   system
   `binary:
  *Microsoft Streaming Service Proxy   MSKSSRV   -   on demand
   `binary: system32\drivers\MSKSSRV.sys
  *Microsoft Streaming Clock Proxy   MSPCLOCK   -   on demand
   `binary: system32\drivers\MSPCLOCK.sys
  *Microsoft Streaming Quality Manager Proxy   MSPQM   -   on demand
   `binary: system32\drivers\MSPQM.sys
  *Mup   Mup   running   boot
   `binary:
  *NDIS System Driver   NDIS   running   boot
   `binary:
  *Remote Access NDIS TAPI Driver   NdisTapi   running   on demand
   `binary: System32\DRIVERS\ndistapi.sys
  *NDIS Usermode I/O Protocol   Ndisuio   running   on demand
   `binary: System32\DRIVERS\ndisuio.sys
  *Remote Access NDIS WAN Driver   NdisWan   running   on demand
   `binary: System32\DRIVERS\ndiswan.sys
  *NDIS Proxy   NDProxy   running   on demand
   `binary:
  *NetBIOS Interface   NetBIOS   running   system
   `binary: System32\DRIVERS\netbios.sys
  *NetBT   NetBT   running   system
   `binary: System32\DRIVERS\netbt.sys
  *1394 Net Driver   NIC1394   running   on demand
   `binary: System32\DRIVERS\nic1394.sys
  *Network Monitor Driver   nm   -   on demand
   `binary: System32\DRIVERS\NMnt.sys
  *Npfs   Npfs   running   system
   `binary:
  *Ntfs   Ntfs   running   disabled
   `binary:
  *Null   Null   running   system
   `binary:
  *nv   nv   running   on demand
   `binary: System32\DRIVERS\nv4_mini.sys
  *nv4   nv4   -   on demand
   `binary: System32\DRIVERS\nv4_mini.sys
  *IPX Traffic Filter Driver   NwlnkFlt   -   on demand
   `binary: System32\DRIVERS\nwlnkflt.sys
  *IPX Traffic Forwarder Driver   NwlnkFwd   -   on demand
   `binary: System32\DRIVERS\nwlnkfwd.sys
  *NWLink IPX/SPX/NetBIOS Compatible Transport Pro   NwlnkIpx   running   auto
   `tocol
   `binary: System32\DRIVERS\nwlnkipx.sys
  *NWLink NetBIOS   NwlnkNb   running   auto
   `binary: System32\DRIVERS\nwlnknb.sys
  *NWLink SPX/SPXII Protocol   NwlnkSpx   running   auto
   `binary: System32\DRIVERS\nwlnkspx.sys
  *Texas Instruments OHCI Compliant IEEE 1394 Host   ohci1394   running   boot
   ` Controller
   `binary: \SystemRoot\System32\DRIVERS\ohci1394.sys
  *Parallel port driver   Parport   running   on demand
   `binary: System32\DRIVERS\parport.sys
  *Partition Manager   PartMgr   running   boot
   `binary:
  *ParVdm   ParVdm   running   auto
   `binary:
  *PCI Bus Driver   PCI   running   boot
   `binary: \SystemRoot\System32\DRIVERS\pci.sys
  *PCIDump   PCIDump   -   system
   `binary:
  *PCIIde   PCIIde   -   disabled
   `binary:
  *Pcmcia   Pcmcia   -   disabled
   `binary:
  *PDCOMP   PDCOMP   -   on demand
   `binary:
  *PDFRAME   PDFRAME   -   on demand
   `binary:
  *PDRELI   PDRELI   -   on demand
   `binary:
  *PDRFRAME   PDRFRAME   -   on demand
   `binary:
  *perc2   perc2   -   disabled
   `binary:
  *perc2hib   perc2hib   -   disabled
   `binary:
  *WAN Miniport (PPTP)   PptpMiniport   running   on demand
   `binary: System32\DRIVERS\raspptp.sys
  *Processor Driver   Processor   running   system
   `binary: System32\DRIVERS\processr.sys
  *QoS Packet Scheduler   PSched   running   on demand
   `binary: System32\DRIVERS\psched.sys
  *Direct Parallel Link Driver   Ptilink   running   on demand
   `binary: System32\DRIVERS\ptilink.sys
  *PxHelp20   PxHelp20   running   boot
   `binary: \SystemRoot\System32\DRIVERS\PxHelp20.sys
  *ql1080   ql1080   -   disabled
   `binary:
  *Ql10wnt   Ql10wnt   -   disabled
   `binary:
  *ql12160   ql12160   -   disabled
   `binary:
  *ql1240   ql1240   -   disabled
   `binary:
  *ql1280   ql1280   -   disabled
   `binary:
  *Remote Access Auto Connection Driver   RasAcd   running   system
   `binary: System32\DRIVERS\rasacd.sys
  *WAN Miniport (L2TP)   Rasl2tp   running   on demand
   `binary: System32\DRIVERS\rasl2tp.sys
  *Remote Access PPPOE Driver   RasPppoe   running   on demand
   `binary: System32\DRIVERS\raspppoe.sys
  *Direct Parallel   Raspti   running   on demand
   `binary: System32\DRIVERS\raspti.sys
  *Rdbss   Rdbss   running   system
   `binary: System32\DRIVERS\rdbss.sys
  *RDPCDD   RDPCDD   running   system
   `binary: System32\DRIVERS\RDPCDD.sys
  *RDPWD   RDPWD   -   on demand
   `binary:
  *Digital CD Audio Playback Filter Driver   redbook   running   system
   `binary: System32\DRIVERS\redbook.sys
  *Realtek RTL8139(A/B/C)-based PCI Fast Ethernet    rtl8139   running   on demand
   `Adapter NT Driver
   `binary: System32\DRIVERS\RTL8139.SYS
  *Secdrv   Secdrv   running   auto
   `binary: System32\DRIVERS\secdrv.sys
  *Serenum Filter Driver   serenum   running   on demand
   `binary: System32\DRIVERS\serenum.sys
  *Serial port driver   Serial   running   system
   `binary: System32\DRIVERS\serial.sys
  *Sfloppy   Sfloppy   -   system
   `binary:
  *Simbad   Simbad   -   disabled
   `binary:
  *smwdm   smwdm   running   on demand
   `binary: system32\drivers\smwdm.sys
  *FAN Control Device Service   SonyFanC   running   system
   `binary: System32\Drivers\SonyFanC.sys
  *Sparrow   Sparrow   -   disabled
   `binary:
  *Microsoft Kernel Audio Splitter   splitter   -   on demand
   `binary: system32\drivers\splitter.sys
  *System Restore Filter Driver   sr   -   disabled
   `binary: \SystemRoot\System32\DRIVERS\sr.sys
  *Srv   Srv   running   on demand
   `binary: System32\DRIVERS\srv.sys
  *Software Bus Driver   swenum   running   on demand
   `binary: System32\DRIVERS\swenum.sys
  *Microsoft Kernel GS Wavetable Synthesizer   swmidi   -   on demand
   `binary: system32\drivers\swmidi.sys
  *symc810   symc810   -   disabled
   `binary:
  *symc8xx   symc8xx   -   disabled
   `binary:
  *sym_hi   sym_hi   -   disabled
   `binary:
  *sym_u3   sym_u3   -   disabled
   `binary:
  *Microsoft Kernel System Audio Device   sysaudio   running   on demand
   `binary: system32\drivers\sysaudio.sys
  *TCP/IP Protocol Driver   Tcpip   running   system
   `binary: System32\DRIVERS\tcpip.sys
  *TDPIPE   TDPIPE   -   on demand
   `binary:
  *TDTCP   TDTCP   -   on demand
   `binary:
  *Terminal Device Driver   TermDD   running   system
   `binary: System32\DRIVERS\termdd.sys
  *TosIde   TosIde   -   disabled
   `binary:
  *Udfs   Udfs   -   disabled
   `binary:
  *ultra   ultra   -   disabled
   `binary:
  *Microcode Update Driver   Update   running   on demand
   `binary: System32\DRIVERS\update.sys
  *USB2 Enabled Hub   usbhub   running   on demand
   `binary: System32\DRIVERS\usbhub.sys
  *USB Mass Storage Driver   USBSTOR   -   on demand
   `binary: System32\DRIVERS\USBSTOR.SYS
  *Microsoft USB Universal Host Controller Minipor   usbuhci   running   on demand
   `t Driver
   `binary: System32\DRIVERS\usbuhci.sys
  *V7   V7   running   auto
   `binary:
  *VGA Display Controller.   VgaSave   running   system
   `binary: \SystemRoot\System32\drivers\vga.sys
  *ViaIde   ViaIde   -   disabled
   `binary:
  *VolSnap   VolSnap   running   boot
   `binary:
  *Remote Access IP ARP Driver   Wanarp   running   on demand
   `binary: System32\DRIVERS\wanarp.sys
  *WDICA   WDICA   -   on demand
   `binary:
  *Microsoft WINMM WDM Audio Compatibility Driver   wdmaud   running   on demand
   `binary: system32\drivers\wdmaud.sys
  *Windows Socket 2.0 Non-IFS Service Provider Sup   WS2IFSL   -   on demand
   `port Environment
   `binary: \SystemRoot\System32\drivers\ws2ifsl.sys
»Application specific

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #9 on: March 20, 2005, 09:41:47 PM »
Good work agc8319, sorry for the delay, just walked back in

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Please save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE

Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- ISEXEng

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled

Do the same for this one
ZESOFT

Find and delete these files or folders if found
C:\WINDOWS\SYSTEM32\DRIVERS\BDASUPI.SYS <--file
C:\WINDOWS\stsheets.dat
C:\WINDOWS\zeta.exe
C:\WINDOWS\System32\angelex.exe
C:\WINDOWS\System32\Kifibo32.dll
C:\Program Files\Internet Explorer\xxcyfcbo.exe
C:\foo.mht
c:\counter.cab

Stay in safe mode
Navigate to your temp folders and delete the whole contents, or whatever you can
# C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
# Empty your "Recycle Bin"

Open Hijackthis>>Open Misc tools section>>Open "Delete an NT service"
Copy and paste the next entry into the blank box and hit OK

ISEXEng

Do the same for this one
ZESOFT

Afterwards, Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=

O1 - Hosts: 1159680172 auto.search.msn.com

O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\xxcyfcbo.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/j1ybNsZSTT69WjQ5tt4.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:\foo.mht!http://t058.com/11cbbd47/x.chm::/open.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8a29296baabe1d6
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1056_XP.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04653b4824d567...ip/RdxIE601.cab

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx

O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.com/ESBAdultInstaller.ocx
O16 - DPF: {D03A1C33-1913-4533-A8C1-F2C8D13045DE} - http://www.cjb.net/search.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe

O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\System32\Kifibo32.dll (file missing)

O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)

O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart back to Normal mode

* In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)

Post back with a fresh Hijackthis log afterwards
« Last Edit: March 20, 2005, 10:26:00 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
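The entries guestolo asks the poster to fix above fall into a handful of patterns that a helper reads off a HijackThis log by eye: a start page pointing at an unknown host, a blanked system.ini Shell= value, a hosts-file redirect written as a plain decimal number, Trusted-zone additions, O16 ActiveX codebases that point at a local file or launch an executable out of a CHM via ms-its:, and services or shell-load DLLs whose file is missing. The following Python is an added example written for this page; it is not part of the thread, of HijackThis, or of any tool mentioned here. It parses those entry types from log lines copied out of the poster's own logs (used as constructed sample input) and reports why each one is worth fixing. It assumes the hosts-file parser behaves like inet_addr and accepts a 32-bit decimal number as an address, which is why the O1 line is decoded rather than discarded as malformed.

```python
"""Triage of HijackThis (HJT) log entries.

Added example, not code from the thread or from HijackThis. The sample
lines below are copied from the logs posted in the thread; truncated
URLs ("...") are left exactly as HJT printed them.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample input: lines from the poster's HJT logs.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 1159680172 auto.search.msn.com
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\xxcyfcbo.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:\foo.mht!http://t058.com/11cbbd47/x.chm::/open.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093154352655
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\System32\Kifibo32.dll (file missing)
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgupsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def decode_hosts_address(token: str) -> str:
    """Normalise the address field of a hosts line.

    inet_addr-style parsers accept a bare 32-bit decimal number as well as
    dotted-quad notation (assumption stated in the lead-in), so "1159680172"
    names the same address as 69.31.80.172.
    """
    if token.isdigit():
        return str(ipaddress.IPv4Address(int(token)))
    return str(ipaddress.ip_address(token))


def _host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def triage_entry(kind: str, body: str, line: str) -> Optional[Finding]:
    """Return a Finding for entries that a helper would tell the user to fix."""
    if kind in ("R0", "R1"):  # start/search page settings: report the host for review
        key, _, value = body.partition(" = ")
        setting = key.rsplit(",", 1)[-1]
        return Finding(kind, f"{setting} points at {_host_of(value)!r}; confirm the user chose it", line)
    if kind == "R3" and "missing" in body:
        return Finding(kind, "default URLSearchHook has been removed", line)
    if kind == "F2":  # system.ini Shell= / UserInit= values loaded at logon
        setting, _, value = body.rpartition(": ")[2].partition("=")
        if not value:
            return Finding(kind, f"system.ini {setting}= is blank", line)
        if setting.lower() == "shell" and value.lower() != "explorer.exe":
            return Finding(kind, f"shell replaced by {value!r}", line)
        if setting.lower() == "userinit" and not value.lower().endswith("\\userinit.exe"):
            return Finding(kind, f"UserInit replaced by {value!r}", line)
        return None
    if kind == "O1":  # hosts-file override; anything but loopback is a redirect
        addr, _, name = body.partition(": ")[2].partition(" ")
        ip = ipaddress.ip_address(decode_hosts_address(addr))
        if ip.is_loopback or ip.is_unspecified:
            return None
        return Finding(kind, f"{name} redirected to {ip} (written as {addr!r})", line)
    if kind == "O15":  # additions to the Trusted sites zone lower IE's security
        return Finding(kind, f"Trusted-zone entry: {body}", line)
    if kind == "O16":  # ActiveX codebase: local files and CHM launches are not downloads
        codebase = body.split(" - ", 1)[1].lower()
        if codebase.startswith("file:"):
            return Finding(kind, "ActiveX codebase is a local file", line)
        if codebase.startswith("ms-its:") or ".chm::" in codebase:
            return Finding(kind, "codebase runs an executable out of a CHM via ms-its:", line)
        return None
    if kind in ("O20", "O21", "O23") and ("(file missing)" in body or "Unknown owner" in body):
        return Finding(kind, f"{body.split(':', 1)[0]} entry whose file is missing or has no known owner", line)
    return None


def triage(log_text: str) -> List[Finding]:
    findings = []
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            f = triage_entry(m["kind"], m["body"], raw.strip())
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}\n     {f.line}")
```

Run on the sample, the O1 line decodes to 69.31.80.172, which is the real effect of that entry: lookups of auto.search.msn.com were being answered from the hosts file with an address that is not MSN's, and the remaining O16 entries from windowsupdate.microsoft.com and the AVG service are left alone because their codebase and file are ordinary.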


Guest

  • Guest
CWS.svchost32 and CWS.bootconf help!
« Reply #10 on: March 20, 2005, 10:48:23 PM »
Thanks for all the help!  Everything seems to be back to normal except for my Yahoo! toolbar in Internet Explorer.  It disappeared and I don't know how to enable it again.  Here's the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 10:44:58 PM, on 3/20/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\AVG7~1.0\avgamsvr.exe
D:\AVG7~1.0\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Panorama\Panorama.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\hijackthis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: Panorama.lnk = D:\Program Files\Panorama\Panorama.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1056_XP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093154352655
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092...all/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by14fd.bay14.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccomm...oad/sonyctl.CAB
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgupsvc.exe
O23 - Service: GBPoll - Symantec Corporation - D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #11 on: March 21, 2005, 12:17:46 AM »
Still some cleanup
===Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf and save it to desktop
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As, save it to desktop

===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

===Do another scan with Hijackthis and put a check next to these entries:

O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)

O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1056_XP.cab

O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer and post back a fresh hijackthis log

When did the problems start with the Yahoo toolbar?
The one entry we fixed related to Yahoo was also related to RedSheriff spyware
But should have no effect on the toolbar
Did you try any fixes beforehand?
I haven't noticed the Toolbar in your log at all, I should have seen it from your first post
« Last Edit: March 21, 2005, 01:14:49 AM by guestolo »



Offline agc8319

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #12 on: March 21, 2005, 07:59:04 PM »
Sorry about the delay and for not mentioning the Yahoo! toolbar.  I simply downloaded the toolbar again and it is working fine now.  I forgot to check back in since everything seemed to be working fine.  I will perform the changes you suggested and post back ASAP.  Thanks and again sorry for the delay.

Offline agc8319

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #13 on: March 21, 2005, 08:14:26 PM »
Here is my updated HJT log.  By the way, I went to delete the following entries but they were not available to delete.  I have no idea why.  The other entries were deleted successfully.

O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)


Logfile of HijackThis v1.99.1
Scan saved at 8:09:21 PM, on 3/21/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\AVG7~1.0\avgamsvr.exe
D:\AVG7~1.0\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
D:\Program Files\Panorama\Panorama.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: Panorama.lnk = D:\Program Files\Panorama\Panorama.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093154352655
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by14fd.bay14.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccomm...oad/sonyctl.CAB
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgupsvc.exe
O23 - Service: GBPoll - Symantec Corporation - D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #14 on: March 21, 2005, 08:22:40 PM »
Can you do me a favor please, we can replace these entries if needed later

Installing Yahoo Toolbar also sets entries related to RedSheriff spyware
The toolbar itself is ok, but the settings are not

Can you do another scan with Hijackthis and with all other windows closed

Fix these entries related to Red Sheriff spyware

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com


Restart your computer

Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back one more log and let me know how things are running and if removing those entries has any effect on the Yahoo toolbar
This would be of some help as some users find those entries to cause troubles
Others don't



Offline agc8319

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #15 on: March 22, 2005, 12:01:17 AM »
I removed the entries as you requested.  Here is the HJT log file.  Hope it helps.  If there is anything else I can do to help, just let me know as I will be checking back periodically.  

Logfile of HijackThis v1.99.1
Scan saved at 11:57:19 PM, on 3/21/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\AVG7~1.0\avgamsvr.exe
D:\AVG7~1.0\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
D:\Program Files\Panorama\Panorama.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestbuy.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: Panorama.lnk = D:\Program Files\Panorama\Panorama.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093154352655
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by14fd.bay14.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccomm...oad/sonyctl.CAB
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgupsvc.exe
O23 - Service: GBPoll - Symantec Corporation - D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
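The log above is in the HijackThis 1.99.1 line format, and reading such logs by hand is the whole job in this thread. The following triage script is an added example, not part of HijackThis or of anything posted here: it parses lines of that shape and applies a few defender-side indicator rules (start/search page outside an expected set of domains, hosts-file overrides, a system.ini Shell= value that is not Explorer.exe, orphaned "(no file)" entries, ActiveX downloads from unexpected hosts). The sample log mixes entries copied from the log above with constructed suspicious ones; the `.invalid` hostnames, the empty `Shell=` value and the hosts-file line are made up, and the `EXPECTED_DOMAINS` allowlist is an assumption a reviewer would adjust per machine.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis itself)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed set of domains the user expects to see as start/search pages and
# as ActiveX download sources; anything else is surfaced for review.
EXPECTED_DOMAINS = ("msn.com", "yahoo.com", "microsoft.com")

# One HijackThis line: a section tag (R0, F2, O16, ...), " - ", then the body.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed sample: real-format lines from the log in this thread plus
# made-up suspicious ones (the .invalid hostnames, the empty Shell= value
# and the hosts-file line are constructed, not taken from any real machine).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestbuy.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search-redirect.invalid/?id=constructed
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
F2 - REG:system.ini: Shell=
O1 - Hosts: 192.0.2.10 www.search-engine.invalid
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093154352655
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
"""


@dataclass
class Entry:
    section: str
    body: str


@dataclass
class Finding:
    section: str
    reason: str
    detail: str


def parse_hjt(text: str) -> list:
    """Split a log into (section, body) entries; lines of any other shape are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_expected(host: str, allowed=EXPECTED_DOMAINS) -> bool:
    return any(host == d or host.endswith("." + d) for d in allowed)


def triage(entries, allowed=EXPECTED_DOMAINS) -> list:
    """Apply a few hijack-indicator rules and return the entries worth a look."""
    findings = []
    for e in entries:
        urls = URL_RE.findall(e.body)
        if e.section in ("R0", "R1") and urls:
            host = host_of(urls[0])
            if not is_expected(host, allowed):
                findings.append(Finding(e.section, "start/search page points at an unexpected host", host))
        elif e.section == "O1":
            # Any hosts-file override of a public hostname deserves review.
            findings.append(Finding(e.section, "hosts-file override redirects a public hostname", e.body))
        elif e.section == "F2" and "Shell=" in e.body:
            shell = e.body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(Finding(e.section, "system.ini Shell= is not Explorer.exe", repr(shell)))
        elif e.body.endswith("(no file)"):
            findings.append(Finding(e.section, "orphaned entry, target file is missing", e.body))
        elif e.section == "O16" and urls:
            host = host_of(urls[0])
            clsid = CLSID_RE.search(e.body)
            if not is_expected(host, allowed):
                findings.append(Finding(e.section, "ActiveX control downloaded from host outside the expected set",
                                        f"{clsid.group(0) if clsid else '?'} from {host}"))
    return findings


def run_sample() -> list:
    return triage(parse_hjt(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.section}: {f.reason} -> {f.detail}")
```

The output is a review queue, not a verdict: the rovion.com O16 entry from the real log is flagged only because its host is outside the assumed allowlist, which is exactly the kind of entry a helper in this thread would look up before telling the poster to fix or leave it. Entries that end in "(no file)", on the other hand, point at nothing on disk and are the ones routinely cleared first.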

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #16 on: March 22, 2005, 12:43:08 AM »
Looks good

If everything is running better

You should clear your System Restore points
disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once re-enabled, it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once you are back in Windows and System Restore is re-enabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Why so far behind on Windows Updates?
This is important in keeping your system secure online too...
« Last Edit: March 22, 2005, 12:43:47 AM by guestolo »

Offline agc8319

  • Newbie
  • Posts: 11
  • Karma: +0/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #17 on: March 23, 2005, 04:06:09 AM »
I downloaded the Spyware Blaster.  I don't know if it is still working when I close the box though.  Does it have to be open and running for me to be protected?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #18 on: March 23, 2005, 11:34:19 PM »
Make sure you check for updates with SpywareBlaster every couple of weeks and enable all protection after every update

Here's a quote from the link I supplied

Quote
Spyware, adware, browser hijackers, and dialers are some of the fastest-growing threats on the Internet today.
By simply browsing to a web page, you could find your computer to be the brand-new host of one of these unwanted fiends!

The most important step you can take is to secure your system. And SpywareBlaster is the most powerful protection program available.

# Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
# Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
# Restrict the actions of potentially dangerous sites in Internet Explorer.


SpywareBlaster can help keep your system spyware-free and secure, without interfering with the "good side" of the web.

And unlike other programs, SpywareBlaster does not have to remain running in the background.
« Last Edit: March 25, 2005, 11:27:05 PM by guestolo »

Offline agc8319

  • Newbie
  • Posts: 11
  • Karma: +0/-0
CWS.svchost32 and CWS.bootconf help!
« Reply #19 on: March 24, 2005, 01:48:26 AM »
Sorry for not catching that!  That must make me look like a fool.  I know it must be irritating to supply people with a link and then have them ask an unnecessary question simply because they are too lazy to read for themselves.  I apologize.  

I greatly appreciate all your help.  I obviously would have been SOL without it!