Tech Support Forum
Resolved HJT Threads: Resolved spyware and popup issues.
#1
Registered User
Join Date: Feb 2009
Posts: 29
OS: Win XP Pro
Trojan, and other problems?
Just got a computer from relatives. Running Win XP Pro. Went to install Kaspersky Internet Security, first had to install Windows Service Pack 2 (a tedious process on dial up to say the least). After a few days, that finally worked, and it got a few other windows updates too. Finally got to install KIS and it found a trojan-proxy.win32\slaper.n in explorer. Disinfected, per KIS. Now internet won't display pages. Can't download updates from KIS (probably because of dialup, but perhaps not).

Have tried all the standard stuff I know - pinging the modem, checking the modem, pinging a website, defragging (was in bad shape), chkdsk, deleting cookies, history, temporary files, resetting IE to default, registering .dll files (I don't think it ever found msjava.dll). All of which, except maybe that one .dll file, indicated no problem. Definitely not a connection problem. Finally went to scannow and that went through. Still nothing.

When it connects to a webpage, it will look for the www.xxx.com and you can see on the bar at the bottom it's looking for xxx.com.com then xxx.com.org then xxx.com.edu - really weird. Always get the "This Page Cannot Be Displayed". Can't download the newer version of KIS because I can't get to the website. Any ideas on what else to do? Websites connected fine before downloading the Service Pack 2 and any other updates and installing KIS.

Also, restored to previous but there were only two dates to choose from (One windows update and when KIS was installed). Trojan showed up again and still wouldn't connect to a web page, so have started the whole process all over again. When I unblocked explorer.exe on the Windows Firewall (before reinstalling KIS after restoring) it did actually show the home page, but wouldn't show any pages beyond that. And that page had an error on it but was readable.
Here are the logs - sorry I missed this whole process the first time around! I wondered why everybody else was adding these huge logs to their posts...oops... :) Thanks so much for your help! I hope the logs worked correctly...

DDS (Ver_09-02-01.01) - NTFSx86
Run by Al at 12:20:33.53 on Sun 02/22/2009
Internet Explorer: 6.0.2900.2180

============== Pseudo HJT Report ===============

uStart Page = hxxp://freeart1cile.com
uSearch Page = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uDefault_Page_URL = hxxp://start.earthlink.net
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uSearch Bar = hxxp://start.earthlink.net/AL/Search
mSearchAssistant = hxxp://start.earthlink.net/AL/Search
uURLSearchHooks: SrchHook Class: {44f9b173-041c-4825-a9b9-d914bd9dcbb3} - c:\program files\earthlink totalaccess\ElnIE.dll
uURLSearchHooks: H - No File
BHO: PnIEBrowserHelperObj Class: {4b5f2e08-6f39-479a-b547-b2026e4c7edf} - c:\program files\earthlink totalaccess\PnEL.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
TB: EarthLink Toolbar: {d7f30b62-8269-41af-9539-b2697fa7d77e} - c:\program files\earthlink totalaccess\PnEL.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Microsoft Msn Messenger] c:\windows\system32\msmsgs.exe
uRun: [E6TaskPanel] "c:\program files\earthlink totalaccess\TaskPanl.exe" -winstart
mRun: [PCTVOICE] pctspk.exe
mRun: [AtiPTA] Atiptaxx.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [DSS] c:\windows\bbstore\dss\DSSAGENT.EXE
mRun: [Microsoft Msn Messenger] c:\windows\system32\msmsgs.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
dRun: [Microsoft Msn Messenger] c:\windows\system32\msmsgs.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234899633131
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll

============= SERVICES / DRIVERS ===============

============= FINISH: 12:24:26.04 ===============
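A first-pass triage of the Pseudo HJT Report entries in the post above, added here as an example; it is not part of the original post and not a DDS or forum tool. It reads a sample constructed from those entries, in the line format the log shows, and flags the patterns a helper looks at first: entries whose target is missing, one Run name that is registered in several hives, one file name launched from two different directories, a Run value that is a bare file name, and a start page that differs from the default page. The hive labels, rule names and finding wording are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Pseudo HJT Report" lines from the DDS
# log posted above, kept in the same one-entry-per-line format.
SAMPLE_REPORT = """\
uStart Page = hxxp://freeart1cile.com
uDefault_Page_URL = hxxp://start.earthlink.net
uURLSearchHooks: H - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\\program files\\messenger\\msmsgs.exe" /background
uRun: [Microsoft Msn Messenger] c:\\windows\\system32\\msmsgs.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [RealTray] c:\\program files\\real\\realplayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [Microsoft Msn Messenger] c:\\windows\\system32\\msmsgs.exe
mRun: [AVP] "c:\\program files\\kaspersky lab\\kaspersky internet security 2009\\avp.exe"
dRun: [Microsoft Msn Messenger] c:\\windows\\system32\\msmsgs.exe
"""

# Prefix letter of a Run line -> registry hive it was read from (assumed labels).
HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

RUN_RE = re.compile(r"^([umd])Run: \[([^\]]+)\]\s*(.*)$")
SETTING_RE = re.compile(r"^u(Start Page|Default_Page_URL) = (\S+)$")
# Command line -> image path: either a quoted path, or an unquoted path up to
# the first executable extension (so trailing arguments are dropped).
PATH_RE = re.compile(r'^(?:"([^"]+)"|(.+?\.(?:exe|dll|scr|com|bat)))(?:\s|$)', re.I)


def image_path(command):
    """Return the lower-cased image path of a Run command line."""
    m = PATH_RE.match(command.strip())
    if not m:
        return command.strip().lower()
    return (m.group(1) or m.group(2)).lower()


def triage(report):
    """Return a list of human-readable findings for a Pseudo HJT Report."""
    findings = []
    by_name = defaultdict(dict)   # Run display name -> {hive: image path}
    by_file = defaultdict(set)    # image file name -> {directories it runs from}
    settings = {}
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("- No File"):
            # A hook/BHO/EB registration whose target no longer exists.
            findings.append(f"orphaned entry (target missing): {line}")
            continue
        s = SETTING_RE.match(line)
        if s:
            settings[s.group(1)] = s.group(2).lower()
            continue
        r = RUN_RE.match(line)
        if not r:
            continue
        hive, name, command = r.group(1), r.group(2), r.group(3)
        path = image_path(command)
        by_name[name][HIVES[hive]] = path
        if "\\" in path:
            directory, _, filename = path.rpartition("\\")
            by_file[filename].add(directory)
        else:
            # No directory at all: which binary runs depends on the search path.
            findings.append(f"bare file name in {HIVES[hive]} Run [{name}]: "
                            f"{path} (resolved via PATH)")
    for name, hives in by_name.items():
        if len(hives) > 1 and len(set(hives.values())) == 1:
            where = ", ".join(sorted(hives))
            findings.append(f"Run [{name}] -> {next(iter(hives.values()))} "
                            f"is registered in {where}")
    for filename, dirs in by_file.items():
        if len(dirs) > 1:
            findings.append(f"{filename} is started from more than one directory: "
                            + "; ".join(sorted(dirs)))
    start, default = settings.get("Start Page"), settings.get("Default_Page_URL")
    if start and default and start != default:
        findings.append(f"start page {start} differs from default page {default}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

The findings are leads for a human, not verdicts: a Run name present in HKCU, HKLM and HKU\.DEFAULT with one system32 binary, next to the same file name under Program Files, is exactly the kind of pair a helper compares before deciding what to fix.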
#2
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan, and other problems?
Greetings doc1628 and Welcome to the forums,
I can't yet tell from those logs, but from your description it sounds to me like you may have a search hijacker...we'll see. Meantime, please uninstall these:

Adobe Acrobat 4.0
Out of date and exploited. We will install the latest version when the system is clean.

Java 2 Runtime Environment Standard Edition v1.3.1_02
Likewise, WAYYY out of date...by about six years I think. Again, we will install the latest version when the system is clean.

Macromedia Flash Player 8
Also out of date. Ditto once more regarding the latest version.

Viewpoint Media Player (Remove Only)
...and this one is Foistware.

Please reboot the system when finished uninstalling.

Download Getservices.zip and extract the zip file to your C: drive. Once it is extracted there will be a directory on your C: drive called getservice. Inside the C:\getservice directory will be a file called getservice.bat. Simply double-click on the getservice.bat file and when it is completed a notepad will open. Please copy the entire contents of that notepad and post back here on your next reply. Thanks!
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978
#3
Registered User
Join Date: Feb 2009
Posts: 29
OS: Win XP Pro
Re: Trojan, and other problems?
Thanks, 1972vet (and thanks for being a vet too!).
It wouldn't uninstall Macromedia Flash Player 8. Hit the remove/change button and nothing happened. Did successfully uninstall the others, though. Guess I have to educate the in-laws about keeping their programs UTD! :)

You know, something else it was doing before removing the trojan was 1) a popup for renewreg.com and I would get a dialer that some program (various ones, didn't recognize any) were attempting to contact some website, and which dialer did I want to use. Ignored all of those.

Here's the file you requested:
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService LOAD_ORDER_GROUP : TDI TAG : 0 DISPLAY_NAME : TCP/IP NetBIOS Helper DEPENDENCIES : NetBT : Afd SERVICE_START_NAME : NT AUTHORITY\LocalService SERVICE_NAME: Netman DISPLAY_NAME: Network Connections TYPE : 120 WIN32_SHARE_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. TYPE : 120 WIN32_SHARE_PROCESS (interactive) START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Network Connections DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem SERVICE_NAME: Nla DISPLAY_NAME: Network Location Awareness (NLA) TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Collects and stores network configuration and location information, and notifies applications when this information changes. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Network Location Awareness (NLA) DEPENDENCIES : Tcpip : Afd SERVICE_START_NAME : LocalSystem SERVICE_NAME: PlugPlay DISPLAY_NAME: Plug and Play TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 644 FLAGS : SERVICE_RUNS_IN_SYSTEM_PROCESS DESCRIPTION : Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe LOAD_ORDER_GROUP : PlugPlay TAG : 0 DISPLAY_NAME : Plug and Play SERVICE_START_NAME : LocalSystem SERVICE_NAME: PolicyAgent DISPLAY_NAME: IPSEC Services TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 656 FLAGS : SERVICE_RUNS_IN_SYSTEM_PROCESS DESCRIPTION : Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : IPSEC Services DEPENDENCIES : RPCSS : Tcpip : IPSec SERVICE_START_NAME : LocalSystem SERVICE_NAME: ProtectedStorage DISPLAY_NAME: Protected Storage TYPE : 120 WIN32_SHARE_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 656 FLAGS : SERVICE_RUNS_IN_SYSTEM_PROCESS DESCRIPTION : Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. TYPE : 120 WIN32_SHARE_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Protected Storage DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem SERVICE_NAME: RasMan DISPLAY_NAME: Remote Access Connection Manager TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Creates a network connection. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Remote Access Connection Manager DEPENDENCIES : Tapisrv SERVICE_START_NAME : LocalSystem SERVICE_NAME: RemoteRegistry DISPLAY_NAME: Remote Registry TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1104 FLAGS : DESCRIPTION : Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. 
If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Remote Registry DEPENDENCIES : RPCSS SERVICE_START_NAME : NT AUTHORITY\LocalService SERVICE_NAME: RpcSs DISPLAY_NAME: Remote Procedure Call (RPC) TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 932 FLAGS : DESCRIPTION : Provides the endpoint mapper and other miscellaneous RPC services. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss LOAD_ORDER_GROUP : COM Infrastructure TAG : 0 DISPLAY_NAME : Remote Procedure Call (RPC) SERVICE_START_NAME : NT Authority\NetworkService SERVICE_NAME: SamSs DISPLAY_NAME: Security Accounts Manager TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 656 FLAGS : SERVICE_RUNS_IN_SYSTEM_PROCESS DESCRIPTION : Stores security information for local user accounts. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe LOAD_ORDER_GROUP : LocalValidation TAG : 0 DISPLAY_NAME : Security Accounts Manager DEPENDENCIES : RPCSS SERVICE_START_NAME : LocalSystem SERVICE_NAME: Schedule DISPLAY_NAME: Task Scheduler TYPE : 120 WIN32_SHARE_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Enables a user to configure and schedule automated tasks on this computer. 
If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 120 WIN32_SHARE_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : SchedulerGroup TAG : 0 DISPLAY_NAME : Task Scheduler DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem SERVICE_NAME: seclogon DISPLAY_NAME: Secondary Logon TYPE : 120 WIN32_SHARE_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 120 WIN32_SHARE_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Secondary Logon SERVICE_START_NAME : LocalSystem SERVICE_NAME: SENS DISPLAY_NAME: System Event Notification TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : Network TAG : 0 DISPLAY_NAME : System Event Notification DEPENDENCIES : EventSystem SERVICE_START_NAME : LocalSystem SERVICE_NAME: SharedAccess DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS) TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS) DEPENDENCIES : Netman : WinMgmt SERVICE_START_NAME : LocalSystem SERVICE_NAME: ShellHWDetection DISPLAY_NAME: Shell Hardware Detection TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : ShellSvcGroup TAG : 0 DISPLAY_NAME : Shell Hardware Detection DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem SERVICE_NAME: Spooler DISPLAY_NAME: Print Spooler TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1372 FLAGS : DESCRIPTION : Loads files to memory for later printing. 
TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe LOAD_ORDER_GROUP : SpoolerGroup TAG : 0 DISPLAY_NAME : Print Spooler DEPENDENCIES : RPCSS SERVICE_START_NAME : LocalSystem SERVICE_NAME: srservice DISPLAY_NAME: System Restore Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : System Restore Service DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem SERVICE_NAME: SSDPSRV DISPLAY_NAME: SSDP Discovery Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1104 FLAGS : DESCRIPTION : Enables discovery of UPnP devices on your home network. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : SSDP Discovery Service DEPENDENCIES : HTTP SERVICE_START_NAME : NT AUTHORITY\LocalService SERVICE_NAME: TapiSrv DISPLAY_NAME: Telephony TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Telephony DEPENDENCIES : PlugPlay : RpcSs SERVICE_START_NAME : LocalSystem SERVICE_NAME: TermService DISPLAY_NAME: Terminal Services TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 804 FLAGS : DESCRIPTION : Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost -k DComLaunch LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Terminal Services DEPENDENCIES : RPCSS SERVICE_START_NAME : LocalSystem SERVICE_NAME: Themes DISPLAY_NAME: Themes TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Provides user experience theme management. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : UIGroup TAG : 0 DISPLAY_NAME : Themes SERVICE_START_NAME : LocalSystem SERVICE_NAME: TrkWks DISPLAY_NAME: Distributed Link Tracking Client TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Maintains links between NTFS files within a computer or across computers in a network domain. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Distributed Link Tracking Client DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem SERVICE_NAME: W32Time DISPLAY_NAME: Windows Time TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Windows Time SERVICE_START_NAME : LocalSystem SERVICE_NAME: WebClient DISPLAY_NAME: WebClient TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1104 FLAGS : DESCRIPTION : Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService LOAD_ORDER_GROUP : NetworkProvider TAG : 0 DISPLAY_NAME : WebClient DEPENDENCIES : MRxDAV SERVICE_START_NAME : NT AUTHORITY\LocalService SERVICE_NAME: winmgmt DISPLAY_NAME: Windows Management Instrumentation TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Windows Management Instrumentation DEPENDENCIES : RPCSS : Eventlog SERVICE_START_NAME : LocalSystem SERVICE_NAME: wscsvc DISPLAY_NAME: Security Center TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Monitors system security settings and configurations. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Security Center DEPENDENCIES : RpcSs : winmgmt SERVICE_START_NAME : LocalSystem SERVICE_NAME: wuauserv DISPLAY_NAME: Automatic Updates TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Automatic Updates SERVICE_START_NAME : LocalSystem SERVICE_NAME: WZCSVC DISPLAY_NAME: Wireless Zero Configuration TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 988 FLAGS : DESCRIPTION : Provides automatic configuration for the 802.11 adapters TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TDI TAG : 0 DISPLAY_NAME : Wireless Zero Configuration DEPENDENCIES : RpcSs : Ndisuio SERVICE_START_NAME : LocalSystem Thanks again! |
#4
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan, and other problems?
The service wscsvc is added by a password-stealing Banker Trojan...

If that computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer...not the infected one. If not, an attacker WILL get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read "How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?"

Your present situation is compounded by having updated to Service Pack 2 while the system is infected. Let's try to stop and delete the offending service.

Boot the system into safe mode. Once in safe mode and logged on as "Administrator", please continue with the instructions below:

Please click start-->run...then type CMD and click "OK".

At the command prompt, copy and paste: sc stop wscsvc...then hit your enter key. You should receive a "Successful" message.

Next, at the command prompt, copy and paste: sc delete wscsvc...then hit your enter key. Again, you should receive a "Successful" message.

At this point, please reboot the computer. When the system comes up, please try to connect to this forum and post your results. Thanks!
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance
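The Get Service logs posted in this thread are sc query and sc qc output for every service, pasted with their line breaks lost, which makes them hard to review by eye. As an added example (my code, not a tool from this forum), here is a parser for that format together with the first-pass triage an analyst runs over it: the sample log, the ExampleAV and examplesvc entries and the helper.exe path are constructed placeholders, and the STANDARD_DIRS whitelist is my heuristic, so the findings are review hints rather than a detection of any particular trojan.

```python
"""Parser and triage for a Windows XP "Get Service" log (sc query / sc qc
output for every service).  Added example for this thread, not a forum
tool; the sample log is constructed and its examplesvc entry is a
placeholder, not a service taken from the poster's machine."""
import re

# Field names sc prints.  They double as delimiters, so the parser also
# copes with a log whose line breaks were lost when it was pasted.
KEYS = ("SERVICE_NAME", "DISPLAY_NAME", "TYPE", "STATE", "WIN32_EXIT_CODE",
        "SERVICE_EXIT_CODE", "CHECKPOINT", "WAIT_HINT", "PID", "FLAGS",
        "DESCRIPTION", "START_TYPE", "ERROR_CONTROL", "BINARY_PATH_NAME",
        "LOAD_ORDER_GROUP", "TAG", "DEPENDENCIES", "SERVICE_START_NAME")
_ALT = "|".join(KEYS)
_FIELD_RE = re.compile(r"\b(?P<key>" + _ALT + r")\s*:\s*(?P<value>.*?)"
                       r"(?=\s*\b(?:" + _ALT + r")\s*:|\Z)", re.DOTALL)
_RECORD_RE = re.compile(r"(?=\bSERVICE_NAME\s*:)")
# Directories a service on a stock XP install normally runs from (heuristic).
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\")

# Constructed sample.  It starts mid-record, as a log cut off at the top
# of a forum post does, and mixes real sc layout with placeholder entries.
SAMPLE_LOG = r"""
        BINARY_PATH_NAME   : C:\WINDOWS\system32\services.exe
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        FLAGS              :
        DESCRIPTION        : Manages network configuration by registering
                             and updating IP addresses and DNS names.
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
        DISPLAY_NAME       : DHCP Client
        DEPENDENCIES       : Tcpip
                           : Afd
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: ExampleAV
DISPLAY_NAME: Example Antivirus
        DESCRIPTION        : Placeholder with a quoted Program Files path.
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files\Example AV\av.exe" -r
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: examplesvc
DISPLAY_NAME: Example Helper
        DESCRIPTION        :
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Documents and Settings\user\Application Data\helper.exe
        SERVICE_START_NAME : LocalSystem
"""


def parse_services(log_text):
    """One dict per service.  A leading fragment without SERVICE_NAME is
    skipped; keys sc prints twice (DISPLAY_NAME, TYPE) keep the first value."""
    services = []
    for chunk in _RECORD_RE.split(log_text):
        fields = {}
        for m in _FIELD_RE.finditer(chunk):
            fields.setdefault(m.group("key"), " ".join(m.group("value").split()))
        if "SERVICE_NAME" in fields:
            services.append(fields)
    return services


def executable_of(binary_path):
    """The executable in BINARY_PATH_NAME: honours quotes, drops svchost-style
    arguments, and keeps the whole of an unquoted path that has spaces."""
    path = binary_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return path[1:end] if end > 0 else path[1:]
    idx = path.lower().find(".exe")
    return path[:idx + 4] if idx >= 0 else path.split(" ", 1)[0]


def triage(services):
    """(service_name, reason) pairs worth an analyst's first look.  These are
    review hints for this kind of log, not verdicts on any service."""
    findings = []
    for svc in services:
        name, binary = svc["SERVICE_NAME"], svc.get("BINARY_PATH_NAME", "")
        exe = executable_of(binary)
        if binary and not exe.lower().startswith(STANDARD_DIRS):
            findings.append((name, "binary outside standard directories: " + exe))
        if binary and not binary.startswith('"') and " " in exe:
            findings.append((name, "unquoted service path with spaces: " + binary))
        if not svc.get("DESCRIPTION"):
            findings.append((name, "no description; verify the binary by hand"))
    return findings


def sample_findings(collapse=False):
    """Triage the sample; collapse=True first flattens it onto one line, the
    way the logs in this thread were pasted."""
    text = " ".join(SAMPLE_LOG.split()) if collapse else SAMPLE_LOG
    return triage(parse_services(text))
```

Running triage on a log from a real machine gives a short review list; a legitimate Windows service that turns up on it (no description, for instance) should be confirmed against its binary rather than removed on the strength of the hint alone.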
#5
Registered User
Join Date: Feb 2009
Posts: 29
OS: Win XP Pro
Re: Trojan, and other problems?
Thanks, 1972vet. Is there any way to know when it became infected? I've told my in-laws just in case, but could it be that it was clean when we got it and then became infected while we were connected without AV protection to install the Service Pack 2 so we could install the AV protection...I don't think they've used the machine in a year.
I'll do what you've listed above and get back. Thanks!
Last edited by doc1628; 02-23-2009 at 09:48 AM. Reason: typo
#6
Registered User
Join Date: Feb 2009
Posts: 29
OS: Win XP Pro
Re: Trojan, and other problems?
Update: At the command prompt, it said, in response to the stop command, that "this service has not been started." I then did the delete command above and it said SUCCESS.
So, I've restarted...now what should I do? :) Thanks!
#7
Registered User
Join Date: Feb 2009
Posts: 29
OS: Win XP Pro
Re: Trojan, and other problems?
Here's the new Get Service log after removal.
Do I risk infecting this machine by using a flash drive to transport these logs? I did connect to the internet and it *acts* like it's going to a webpage OK, but is painfully slow...and I mean more painfully slow than dialup usually is. I finally canceled it. Didn't act weird on the way, though, like it had been. I'm attempting the KIS updates and they keep failing. The CPU usage is running between 90 and 100%....

Well, forget the above. KIS won't update (error connecting to download site), and I refreshed the webpage and got the same DNS/Cannot Display This Page I had been all along...
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Server SERVICE_START_NAME : LocalSystem SERVICE_NAME: lanmanworkstation DISPLAY_NAME: Workstation TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : NetworkProvider TAG : 0 DISPLAY_NAME : Workstation SERVICE_START_NAME : LocalSystem SERVICE_NAME: LmHosts DISPLAY_NAME: TCP/IP NetBIOS Helper TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1104 FLAGS : DESCRIPTION : Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService LOAD_ORDER_GROUP : TDI TAG : 0 DISPLAY_NAME : TCP/IP NetBIOS Helper DEPENDENCIES : NetBT : Afd SERVICE_START_NAME : NT AUTHORITY\LocalService SERVICE_NAME: Netman DISPLAY_NAME: Network Connections TYPE : 120 WIN32_SHARE_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. TYPE : 120 WIN32_SHARE_PROCESS (interactive) START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Network Connections DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem SERVICE_NAME: Nla DISPLAY_NAME: Network Location Awareness (NLA) TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Collects and stores network configuration and location information, and notifies applications when this information changes. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Network Location Awareness (NLA) DEPENDENCIES : Tcpip : Afd SERVICE_START_NAME : LocalSystem SERVICE_NAME: PlugPlay DISPLAY_NAME: Plug and Play TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 636 FLAGS : SERVICE_RUNS_IN_SYSTEM_PROCESS DESCRIPTION : Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe LOAD_ORDER_GROUP : PlugPlay TAG : 0 DISPLAY_NAME : Plug and Play SERVICE_START_NAME : LocalSystem SERVICE_NAME: PolicyAgent DISPLAY_NAME: IPSEC Services TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 648 FLAGS : SERVICE_RUNS_IN_SYSTEM_PROCESS DESCRIPTION : Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : IPSEC Services DEPENDENCIES : RPCSS : Tcpip : IPSec SERVICE_START_NAME : LocalSystem SERVICE_NAME: ProtectedStorage DISPLAY_NAME: Protected Storage TYPE : 120 WIN32_SHARE_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 648 FLAGS : SERVICE_RUNS_IN_SYSTEM_PROCESS DESCRIPTION : Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. TYPE : 120 WIN32_SHARE_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Protected Storage DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem SERVICE_NAME: RasMan DISPLAY_NAME: Remote Access Connection Manager TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Creates a network connection. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Remote Access Connection Manager DEPENDENCIES : Tapisrv SERVICE_START_NAME : LocalSystem SERVICE_NAME: RemoteRegistry DISPLAY_NAME: Remote Registry TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1104 FLAGS : DESCRIPTION : Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. 
If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Remote Registry DEPENDENCIES : RPCSS SERVICE_START_NAME : NT AUTHORITY\LocalService SERVICE_NAME: RpcSs DISPLAY_NAME: Remote Procedure Call (RPC) TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 900 FLAGS : DESCRIPTION : Provides the endpoint mapper and other miscellaneous RPC services. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss LOAD_ORDER_GROUP : COM Infrastructure TAG : 0 DISPLAY_NAME : Remote Procedure Call (RPC) SERVICE_START_NAME : NT Authority\NetworkService SERVICE_NAME: SamSs DISPLAY_NAME: Security Accounts Manager TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 648 FLAGS : SERVICE_RUNS_IN_SYSTEM_PROCESS DESCRIPTION : Stores security information for local user accounts. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe LOAD_ORDER_GROUP : LocalValidation TAG : 0 DISPLAY_NAME : Security Accounts Manager DEPENDENCIES : RPCSS SERVICE_START_NAME : LocalSystem SERVICE_NAME: Schedule DISPLAY_NAME: Task Scheduler TYPE : 120 WIN32_SHARE_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Enables a user to configure and schedule automated tasks on this computer. 
If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 120 WIN32_SHARE_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : SchedulerGroup TAG : 0 DISPLAY_NAME : Task Scheduler DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem SERVICE_NAME: seclogon DISPLAY_NAME: Secondary Logon TYPE : 120 WIN32_SHARE_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 120 WIN32_SHARE_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Secondary Logon SERVICE_START_NAME : LocalSystem SERVICE_NAME: SENS DISPLAY_NAME: System Event Notification TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : Network TAG : 0 DISPLAY_NAME : System Event Notification DEPENDENCIES : EventSystem SERVICE_START_NAME : LocalSystem SERVICE_NAME: SharedAccess DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS) TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS) DEPENDENCIES : Netman : WinMgmt SERVICE_START_NAME : LocalSystem SERVICE_NAME: ShellHWDetection DISPLAY_NAME: Shell Hardware Detection TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : ShellSvcGroup TAG : 0 DISPLAY_NAME : Shell Hardware Detection DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem SERVICE_NAME: Spooler DISPLAY_NAME: Print Spooler TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1352 FLAGS : DESCRIPTION : Loads files to memory for later printing. 
TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe LOAD_ORDER_GROUP : SpoolerGroup TAG : 0 DISPLAY_NAME : Print Spooler DEPENDENCIES : RPCSS SERVICE_START_NAME : LocalSystem SERVICE_NAME: srservice DISPLAY_NAME: System Restore Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : System Restore Service DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem SERVICE_NAME: SSDPSRV DISPLAY_NAME: SSDP Discovery Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1104 FLAGS : DESCRIPTION : Enables discovery of UPnP devices on your home network. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : SSDP Discovery Service DEPENDENCIES : HTTP SERVICE_START_NAME : NT AUTHORITY\LocalService SERVICE_NAME: TapiSrv DISPLAY_NAME: Telephony TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Telephony DEPENDENCIES : PlugPlay : RpcSs SERVICE_START_NAME : LocalSystem SERVICE_NAME: TermService DISPLAY_NAME: Terminal Services TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 792 FLAGS : DESCRIPTION : Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost -k DComLaunch LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Terminal Services DEPENDENCIES : RPCSS SERVICE_START_NAME : LocalSystem SERVICE_NAME: Themes DISPLAY_NAME: Themes TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Provides user experience theme management. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : UIGroup TAG : 0 DISPLAY_NAME : Themes SERVICE_START_NAME : LocalSystem SERVICE_NAME: TrkWks DISPLAY_NAME: Distributed Link Tracking Client TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Maintains links between NTFS files within a computer or across computers in a network domain. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Distributed Link Tracking Client DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem SERVICE_NAME: W32Time DISPLAY_NAME: Windows Time TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Windows Time SERVICE_START_NAME : LocalSystem SERVICE_NAME: WebClient DISPLAY_NAME: WebClient TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1104 FLAGS : DESCRIPTION : Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService LOAD_ORDER_GROUP : NetworkProvider TAG : 0 DISPLAY_NAME : WebClient DEPENDENCIES : MRxDAV SERVICE_START_NAME : NT AUTHORITY\LocalService SERVICE_NAME: winmgmt DISPLAY_NAME: Windows Management Instrumentation TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Windows Management Instrumentation DEPENDENCIES : RPCSS : Eventlog SERVICE_START_NAME : LocalSystem SERVICE_NAME: wuauserv DISPLAY_NAME: Automatic Updates TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Automatic Updates SERVICE_START_NAME : LocalSystem SERVICE_NAME: WZCSVC DISPLAY_NAME: Wireless Zero Configuration TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 980 FLAGS : DESCRIPTION : Provides automatic configuration for the 802.11 adapters TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TDI TAG : 0 DISPLAY_NAME : Wireless Zero Configuration DEPENDENCIES : RpcSs : Ndisuio SERVICE_START_NAME : LocalSystem Last edited by doc1628; 02-23-2009 at 12:18 PM. Reason: added info |
#8
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan, and other problems?
Quote:
Please download combofix from This Webpage... and read through the instructions there for running the tool.

***Important Note*** Please read through the guidance on that web page carefully and thoroughly... and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step... in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows: The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

When the tool is finished, it will produce a report for you. Please post back the following on your next reply:
C:\ComboFix.txt
New HijackThis log.
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance
#9
Registered User
Join Date: Feb 2009
Posts: 29
OS: Win XP Pro
Re: Trojan, and other problems?
Hi there!
Here's the latest log from ComboFix. Pretty cool program. :) Thanks so much!
2001-08-17 13:53 4,992 --a--c--- c:\windows\system32\dllcache\loop.sys
2009-02-22 01:56 . 2004-08-04 00:58 14,848 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-02-22 01:56 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2009-02-22 01:56 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2009-02-22 01:55 . 2004-08-04 02:56 152,576 --a--c--- c:\windows\system32\dllcache\irftp.exe
2009-02-22 01:55 . 2004-08-04 02:56 27,136 --a--c--- c:\windows\system32\dllcache\irmon.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-17 18:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-17 18:17 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-30 22:27 --------- d-----w c:\program files\LeapFrog
2008-12-29 23:34 --------- d-----w c:\program files\The Learning Company
2008-12-29 19:00 --------- d-----w c:\program files\QuickTime
2008-12-29 18:59 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2008-12-25 18:37 --------- d-----w c:\program files\ICQ
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2004-08-04 921600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-17 26112]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 201992]
"PCTVOICE"="pctspk.exe" [2001-08-17 c:\windows\system32\pctspk.exe]
"AtiPTA"="Atiptaxx.exe" [2000-09-05 c:\windows\system32\atiptaxx.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=

R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
S3 ati2mpad;ati2mpad;c:\windows\system32\DRIVERS\ati2mpad.sys [2000-10-05 264576]
S3 HSFHWCD2;HSFHWCD2;c:\windows\system32\DRIVERS\HSFHWCD2.sys [2005-01-25 212736]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-03-25 24592]

--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - ASCTRM
*Deregistered* - Ati HotKey Poller
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - AVP
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - kl1
*Deregistered* - klbg
*Deregistered* - KLIF
*Deregistered* - klim5
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RDPWD
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TDTCP
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - Vmodem
*Deregistered* - VolSnap
*Deregistered* - Vpctcom
*Deregistered* - Vvoice
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aeeca1e0-fea2-11dd-a07e-a22e5a32f664}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
HKCU-Run-Microsoft Msn Messenger - c:\windows\system32\msmsgs.exe
HKU-Default-Run-Microsoft Msn Messenger - c:\windows\System32\msmsgs.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.freeart1cile.com
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 15:57:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\klogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2plxx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-23 16 47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-23 21 34
Pre-Run: 1,356,181,504 bytes free
Post-Run: 1,322,840,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

329 --- E O F --- 2009-02-21 07:05:44
#10
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan, and other problems?
That's looking better. Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK". Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe. Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

File:
E:\LaunchU3.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aeeca1e0-fea2-11dd-a07e-a22e5a32f664}]
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance
#11
Registered User
Join Date: Feb 2009
Posts: 29
OS: Win XP Pro
Re: Trojan, and other problems?
Thank you! I'm not sure it's doing what you expected, though. When I dragged the .txt file to the combofix.exe, it started running as last time (or at least appears to be), with no text in the blue box that I had put in the notepad. Did I mess something up? I figured I'd see the text there once I dragged it...but it ain't there! I dragged it to the blue box after I double clicked the Combofix icon to start the program...
Here's the log, for what it's worth. I hope it worked correctly!

ComboFix 09-02-21.01 - Al 2009-02-23 20:02:45.2 - NTFSx86
Running from: c:\documents and settings\Al\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated)
FW: Kaspersky Internet Security *disabled*
.
((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.
2009-02-23 19:59 . 2009-02-23 20:00 <DIR> d-------- C:\32788R22FWJFW
2009-02-23 19:58 . 2009-02-23 19:58 <DIR> d--h----- c:\windows\PIF
2009-02-23 12:15 . 2009-02-23 12:15 <DIR> d-------- c:\documents and settings\Administrator
2009-02-22 12:39 . 2009-02-22 12:39 250 --a------ c:\windows\gmer.ini
2009-02-22 02:23 . 2004-08-04 02:56 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2009-02-22 02:23 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-02-22 02:22 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe
2009-02-22 02:22 . 2001-08-17 22:36 17,408 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2009-02-22 02:22 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe
2009-02-22 02:21 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe
2009-02-22 02:21 . 2004-08-04 00:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys
2009-02-22 02:21 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys
2009-02-22 02:21 . 2004-08-04 00:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys
2009-02-22 02:21 . 2004-08-04 02:56 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2009-02-22 02:20 . 2001-08-17 13:28 771,581 --a--c--- c:\windows\system32\dllcache\winacisa.sys
2009-02-22 02:20 . 2004-08-04 00:31 154,624 --a--c--- c:\windows\system32\dllcache\wlluc48.sys
2009-02-22 02:20 . 2001-08-17 12:12 34,890 --a--c--- c:\windows\system32\dllcache\wlandrv2.sys
2009-02-22 02:20 .
2004-08-04 01:07 8,832 --a--c--- c:\windows\system32\dllcache\wmiacpi.sys 2009-02-22 02:19 . 2001-08-17 13:28 701,386 --a--c--- c:\windows\system32\dllcache\wdhaalba.sys 2009-02-22 02:19 . 2001-08-17 22:36 87,040 --a--c--- c:\windows\system32\dllcache\wiafbdrv.dll 2009-02-22 02:19 . 2001-08-17 22:36 53,760 --a--c--- c:\windows\system32\dllcache\wiamsmud.dll 2009-02-22 02:19 . 2001-08-17 12:10 35,871 --a--c--- c:\windows\system32\dllcache\wbfirdma.sys 2009-02-22 02:19 . 2004-08-04 00:29 33,599 --a--c--- c:\windows\system32\dllcache\watv04nt.sys 2009-02-22 02:19 . 2004-08-04 01:08 31,744 --a--c--- c:\windows\system32\dllcache\wceusbsh.sys 2009-02-22 02:19 . 2004-08-04 00:29 29,311 --a--c--- c:\windows\system32\dllcache\watv01nt.sys 2009-02-22 02:19 . 2004-08-04 00:29 23,615 --a--c--- c:\windows\system32\dllcache\wch7xxnt.sys 2009-02-22 02:19 . 2004-08-04 00:29 19,551 --a--c--- c:\windows\system32\dllcache\watv02nt.sys 2009-02-22 02:18 . 2001-08-17 12:14 249,402 --a--c--- c:\windows\system32\dllcache\vinwm.sys 2009-02-22 02:18 . 2001-08-17 13:49 24,576 --a--c--- c:\windows\system32\dllcache\viairda.sys 2009-02-22 02:18 . 2001-08-17 12:13 19,528 --a--c--- c:\windows\system32\dllcache\w840nd.sys 2009-02-22 02:18 . 2001-08-17 12:13 19,016 --a--c--- c:\windows\system32\dllcache\w926nd.sys 2009-02-22 02:18 . 2001-08-17 12:13 16,925 --a--c--- c:\windows\system32\dllcache\w940nd.sys 2009-02-22 02:18 . 2004-08-04 00:29 12,415 --a--c--- c:\windows\system32\dllcache\wadv01nt.sys 2009-02-22 02:18 . 2004-08-04 00:29 12,127 --a--c--- c:\windows\system32\dllcache\wadv02nt.sys 2009-02-22 02:18 . 2004-08-04 00:29 11,775 --a--c--- c:\windows\system32\dllcache\wadv05nt.sys 2009-02-22 02:16 . 2001-08-17 22:36 216,064 --a--c--- c:\windows\system32\dllcache\um34scan.dll 2009-02-22 02:15 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll 2009-02-22 02:14 . 2001-08-17 14:56 172,768 --a--c--- c:\windows\system32\dllcache\t2r4disp.dll 2009-02-22 02:13 . 
2001-08-17 12:18 285,760 --a--c--- c:\windows\system32\dllcache\stlnata.sys 2009-02-22 02:12 . 2001-08-17 14:56 147,200 --a--c--- c:\windows\system32\dllcache\smidispb.dll 2009-02-22 02:12 . 2001-08-17 12:51 58,368 --a--c--- c:\windows\system32\dllcache\smiminib.sys 2009-02-22 02:12 . 2001-08-17 12:12 25,034 --a--c--- c:\windows\system32\dllcache\smcpwr2n.sys 2009-02-22 02:12 . 2001-08-17 12:51 20,752 --a--c--- c:\windows\system32\dllcache\sonync.sys 2009-02-22 02:12 . 2001-08-17 13:53 9,600 --a--c--- c:\windows\system32\dllcache\sonymc.sys 2009-02-22 02:12 . 2004-08-04 01:00 7,552 --a--c--- c:\windows\system32\dllcache\sonyait.sys 2009-02-22 02:12 . 2001-08-17 13:53 7,040 --a--c--- c:\windows\system32\dllcache\snyaitmc.sys 2009-02-22 02:11 . 2004-08-04 00:31 63,547 --a--c--- c:\windows\system32\dllcache\sla30nd5.sys 2009-02-22 02:11 . 2001-08-17 22:36 45,568 --a--c--- c:\windows\system32\dllcache\smb3w.dll 2009-02-22 02:11 . 2001-08-17 12:10 35,913 --a--c--- c:\windows\system32\dllcache\smcirda.sys 2009-02-22 02:11 . 2001-08-17 22:36 33,792 --a--c--- c:\windows\system32\dllcache\smb0w.dll 2009-02-22 02:11 . 2001-08-17 22:36 28,672 --a--c--- c:\windows\system32\dllcache\sma0w.dll 2009-02-22 02:11 . 2001-08-17 22:36 28,160 --a--c--- c:\windows\system32\dllcache\sm91w.dll 2009-02-22 02:11 . 2001-08-17 12:12 24,576 --a--c--- c:\windows\system32\dllcache\smc8000n.sys 2009-02-22 02:11 . 2004-08-04 01:07 16,128 --a--c--- c:\windows\system32\dllcache\smbbatt.sys 2009-02-22 02:11 . 2004-08-04 01:07 6,912 --a--c--- c:\windows\system32\dllcache\smbclass.sys 2009-02-22 02:11 . 2001-08-17 13:57 6,784 --a--c--- c:\windows\system32\dllcache\smbhc.sys 2009-02-22 02:09 . 2001-08-17 22:36 495,616 --a--c--- c:\windows\system32\dllcache\sblfx.dll 2009-02-22 02:08 . 2001-08-17 14:56 182,272 --a--c--- c:\windows\system32\dllcache\s3mt3d.dll 2009-02-22 02:08 . 2001-08-17 12:50 166,720 --a--c--- c:\windows\system32\dllcache\s3m.sys 2009-02-22 02:08 . 
2001-08-17 22:36 82,432 --a--c--- c:\windows\system32\dllcache\rwia450.dll 2009-02-22 02:08 . 2001-08-17 22:36 79,872 --a--c--- c:\windows\system32\dllcache\rwia430.dll 2009-02-22 02:08 . 2001-08-17 13:57 65,664 --a--c--- c:\windows\system32\dllcache\s3legacy.sys 2009-02-22 02:08 . 2001-08-17 12:19 30,720 --a--c--- c:\windows\system32\dllcache\rthwcls.sys 2009-02-22 02:08 . 2001-08-17 22:36 26,624 --a--c--- c:\windows\system32\dllcache\rw450ext.dll 2009-02-22 02:08 . 2001-08-17 22:36 24,576 --a--c--- c:\windows\system32\dllcache\rw430ext.dll 2009-02-22 02:08 . 2004-08-04 00:31 20,992 --a--c--- c:\windows\system32\dllcache\rtl8139.sys 2009-02-22 02:08 . 2001-08-17 12:12 19,017 --a--c--- c:\windows\system32\dllcache\rtl8029.sys 2009-02-22 02:08 . 2001-08-17 22:36 9,216 --a--c--- c:\windows\system32\dllcache\rsmgrstr.dll 2009-02-22 02:08 . 2001-08-17 12:19 3,840 --a--c--- c:\windows\system32\dllcache\rpfun.sys 2009-02-22 02:07 . 2001-08-17 13:28 899,146 --a--c--- c:\windows\system32\dllcache\r2mdkxga.sys 2009-02-22 02:07 . 2001-08-17 13:28 714,762 --a--c--- c:\windows\system32\dllcache\r2mdmkxx.sys 2009-02-22 02:07 . 2001-08-17 22:36 86,097 --a--c--- c:\windows\system32\dllcache\reslog32.dll 2009-02-22 02:07 . 2004-08-04 00:59 79,104 --a--c--- c:\windows\system32\dllcache\rocket.sys 2009-02-22 02:07 . 2001-08-17 13:52 49,024 --a--c--- c:\windows\system32\dllcache\ql1280.sys 2009-02-22 02:07 . 2001-08-17 22:36 41,472 --a--c--- c:\windows\system32\dllcache\qvusd.dll 2009-02-22 02:07 . 2001-08-17 13:52 40,448 --a--c--- c:\windows\system32\dllcache\ql1240.sys 2009-02-22 02:07 . 2001-08-17 12:12 37,563 --a--c--- c:\windows\system32\dllcache\rlnet5.sys 2009-02-22 02:07 . 2001-08-17 13:51 19,584 --a--c--- c:\windows\system32\dllcache\rasirda.sys 2009-02-22 02:07 . 2001-08-17 13:53 3,328 --a--c--- c:\windows\system32\dllcache\qv2kux.sys 2009-02-22 02:05 . 2004-08-04 02:56 259,328 --a--c--- c:\windows\system32\dllcache\perm3dd.dll 2009-02-22 02:05 . 
2004-08-04 02:56 211,712 --a--c--- c:\windows\system32\dllcache\perm2dll.dll 2009-02-22 02:05 . 2001-08-17 14:04 173,696 --a--c--- c:\windows\system32\dllcache\philcam2.sys 2009-02-22 02:05 . 2001-08-17 22:36 121,344 --a--c--- c:\windows\system32\dllcache\phvfwext.dll 2009-02-22 02:05 . 2001-08-17 22:37 105,984 --a--c--- c:\windows\system32\dllcache\phdsext.ax 2009-02-22 02:05 . 2001-08-17 14:04 92,416 --a--c--- c:\windows\system32\dllcache\phildec.sys 2009-02-22 02:05 . 2001-08-17 14:04 75,776 --a--c--- c:\windows\system32\dllcache\philcam1.sys 2009-02-22 02:05 . 2004-08-04 01:06 28,032 --a--c--- c:\windows\system32\dllcache\perm3.sys 2009-02-22 02:05 . 2001-08-17 14:07 19,840 --a--c--- c:\windows\system32\dllcache\philtune.sys 2009-02-22 02:05 . 2001-08-17 22:36 16,384 --a--c--- c:\windows\system32\dllcache\philcam1.dll 2009-02-22 02:03 . 2004-08-04 00:59 2,015,232 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe 2009-02-22 02:02 . 2004-08-04 00:31 132,695 --a--c--- c:\windows\system32\dllcache\netwlan5.sys 2009-02-22 02:02 . 2001-08-17 12:20 126,080 --a--c--- c:\windows\system32\dllcache\nm5a2wdm.sys 2009-02-22 02:02 . 2001-08-17 12:20 87,040 --a--c--- c:\windows\system32\dllcache\nm6wdm.sys 2009-02-22 02:02 . 2001-08-17 12:11 65,278 --a--c--- c:\windows\system32\dllcache\netflx3.sys 2009-02-22 02:02 . 2001-08-17 12:49 51,552 --a--c--- c:\windows\system32\dllcache\ntgrip.sys 2009-02-22 02:02 . 2001-08-17 12:12 32,840 --a--c--- c:\windows\system32\dllcache\ngrpci.sys 2009-02-22 02:02 . 2004-08-04 01:00 28,672 --a--c--- c:\windows\system32\dllcache\nscirda.sys 2009-02-22 02:02 . 2001-08-17 13:47 9,344 --a--c--- c:\windows\system32\dllcache\ntapm.sys 2009-02-22 02:02 . 2001-08-17 13:53 7,552 --a--c--- c:\windows\system32\dllcache\nsmmc.sys 2009-02-22 02:00 . 2004-08-04 01:09 49,024 --a--c--- c:\windows\system32\dllcache\mstape.sys 2009-02-22 02:00 . 2001-08-17 14:02 35,200 --a--c--- c:\windows\system32\dllcache\msgame.sys 2009-02-22 02:00 . 
2004-08-04 01:00 22,016 --a--c--- c:\windows\system32\dllcache\msircomm.sys 2009-02-22 02:00 . 2001-08-17 13:48 12,416 --a--c--- c:\windows\system32\dllcache\msriffwv.sys 2009-02-22 02:00 . 2001-08-17 14:00 2,944 --a--c--- c:\windows\system32\dllcache\msmpu401.sys 2009-02-22 01:59 . 2001-08-17 12:50 320,384 --a--c--- c:\windows\system32\dllcache\mgaum.sys 2009-02-22 01:59 . 2001-08-17 14:56 235,648 --a--c--- c:\windows\system32\dllcache\mgaud.dll 2009-02-22 01:59 . 2001-08-17 22:36 47,616 --a--c--- c:\windows\system32\dllcache\memgrp.dll 2009-02-22 01:59 . 2004-08-04 01:00 26,112 --a--c--- c:\windows\system32\dllcache\memstpci.sys 2009-02-22 01:59 . 2001-08-17 13:52 17,280 --a--c--- c:\windows\system32\dllcache\mraid35x.sys 2009-02-22 01:59 . 2001-08-17 13:52 6,528 --a--c--- c:\windows\system32\dllcache\miniqic.sys 2009-02-22 01:59 . 2001-08-17 13:48 6,016 --a--c--- c:\windows\system32\dllcache\msfsio.sys 2009-02-22 01:57 . 2001-08-17 22:36 242,176 --a--c--- c:\windows\system32\dllcache\kdsusd.dll 2009-02-22 01:57 . 2001-08-17 12:12 70,730 --a--c--- c:\windows\system32\dllcache\lne100tx.sys 2009-02-22 01:57 . 2001-08-17 22:36 45,568 --a--c--- c:\windows\system32\dllcache\kdsui.dll 2009-02-22 01:57 . 2001-08-17 22:36 37,376 --a--c--- c:\windows\system32\dllcache\kousd.dll 2009-02-22 01:57 . 2004-08-04 00:59 34,688 --a--c--- c:\windows\system32\dllcache\lbrtfdc.sys 2009-02-22 01:57 . 2001-08-17 12:12 26,442 --a--c--- c:\windows\system32\dllcache\lanepic5.sys 2009-02-22 01:57 . 2001-08-17 12:11 25,065 --a--c--- c:\windows\system32\dllcache\lmndis3.sys 2009-02-22 01:57 . 2001-08-17 12:12 20,573 --a--c--- c:\windows\system32\dllcache\lne100.sys 2009-02-22 01:57 . 2001-08-17 12:12 19,016 --a--c--- c:\windows\system32\dllcache\ktc111.sys 2009-02-22 01:57 . 2001-08-17 13:51 15,744 --a--c--- c:\windows\system32\dllcache\lit220p.sys 2009-02-22 01:57 . 2001-08-17 13:53 4,992 --a--c--- c:\windows\system32\dllcache\loop.sys 2009-02-22 01:56 . 
2004-08-04 00:58 14,848 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-02-22 01:56 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2009-02-22 01:56 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-17 18:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-17 18:17 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-30 22:27 --------- d-----w c:\program files\LeapFrog
2008-12-29 23:34 --------- d-----w c:\program files\The Learning Company
2008-12-29 19:00 --------- d-----w c:\program files\QuickTime
2008-12-29 18:59 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2008-12-25 18:37 --------- d-----w c:\program files\ICQ
.
((((((((((((((((((((((((((((( SnapShot@2009-02-23_16.03.07.16 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-23 20:54:24 229,408 --sha-w c:\windows\system32\drivers\fidbox2.dat
+ 2009-02-24 01:00:47 237,600 --sha-w c:\windows\system32\drivers\fidbox2.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2004-08-04 921600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-17 26112]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 201992]
"PCTVOICE"="pctspk.exe" [2001-08-17 c:\windows\system32\pctspk.exe]
"AtiPTA"="Atiptaxx.exe" [2000-09-05 c:\windows\system32\atiptaxx.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 ati2mpad;ati2mpad;c:\windows\system32\drivers\ati2mpad.sys [2000-10-05 264576]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-03-25 24592]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2006-03-21 20160]
S3 HSFHWCD2;HSFHWCD2;c:\windows\system32\drivers\HSFHWCD2.sys [2005-01-25 212736]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aeeca1e0-fea2-11dd-a07e-a22e5a32f664}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.freeart1cile.com
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {9A9F0240-6512-452D-B78F-802BD7DE24D9} = 207.69.188.185 207.69.188.186
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 20:10:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\klogon.dll
.
Completion time: 2009-02-23 20:17:51
ComboFix-quarantined-files.txt 2009-02-24 01:17:34
ComboFix2.txt 2009-02-23 21 55
Pre-Run: 1,337,499,648 bytes free
Post-Run: 1,326,899,200 bytes free

206 --- E O F --- 2009-02-21 07:05:44

Last edited by doc1628; 02-23-2009 at 06:22 PM. Reason: added log
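The checks the analyst is applying by eye to the Reg Loading Points and Supplementary Scan sections of a log like the one above (firewall state, Security Center monitoring, removable-media AutoRun handlers, browser start page, configured DNS servers) can be written down and run over the text. The script below is an added example written for this thread; it is not ComboFix's own code and not something posted by 1972vet or doc1628. Its sample input is constructed from lines quoted in the log above, and the rule names, severities and the known-good start-page host list are assumptions made for the example.

```python
"""Triage the 'Reg Loading Points' and 'Supplementary Scan' parts of a ComboFix log.

Added example for this thread, not ComboFix's own code. Rule names, severities and
KNOWN_GOOD_START_HOSTS are assumptions; SAMPLE_LOG is constructed from the posted log.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the second log posted above. ComboFix defangs
# URL schemes as "hxxp" so that the log is not clickable.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2004-08-04 921600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 201992]
"PCTVOICE"="pctspk.exe" [2001-08-17 c:\windows\system32\pctspk.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aeeca1e0-fea2-11dd-a07e-a22e5a32f664}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
------- Supplementary Scan -------
uStart Page = hxxp://www.freeart1cile.com
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
TCP: {9A9F0240-6512-452D-B78F-802BD7DE24D9} = 207.69.188.185 207.69.188.186
"""

# Assumed allow-list: hosts the owner or ISP is known to have set as the start page.
KNOWN_GOOD_START_HOSTS = {"www.earthlink.net", "www.msn.com"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
START_PAGE_RE = re.compile(r"^uStart Page = (\S+)", re.M)
DNS_RE = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = (.+)$", re.M)


@dataclass
class Finding:
    severity: str  # "info", "review" or "high"
    rule: str
    detail: str


def parse_registry_lines(text):
    """Yield (key, name, value) for each value line under a [key] header."""
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            yield current, m.group("name"), m.group("value").strip()
        elif line.startswith("\\Shell\\") and " - " in line:
            # MountPoints2 handlers are printed as '\Shell\<verb>\command - <cmd>'
            name, value = line.split(" - ", 1)
            yield current, name, value.strip()


def triage(text, known_good_hosts=KNOWN_GOOD_START_HOSTS):
    """Apply the analyst's eyeball checks to the log and return the findings."""
    findings = []
    for key, name, value in parse_registry_lines(text):
        lk = key.lower()
        if lk.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
            if value.startswith("0"):
                findings.append(Finding("high", "firewall-disabled", f"{key}: {name}={value}"))
        elif "security center\\monitoring" in lk and name == "DisableMonitoring":
            if value.endswith("1"):
                product = key.rsplit("\\", 1)[-1]
                findings.append(Finding("review", "security-center-monitoring-off",
                                        f"{product}: Security Center alerts suppressed; "
                                        "confirm the product is installed and running"))
        elif "mountpoints2" in lk and name.lower().startswith("\\shell\\autorun"):
            findings.append(Finding("review", "removable-media-autorun", f"{name} -> {value}"))
        elif lk.endswith("\\currentversion\\run"):
            findings.append(Finding("info", "autostart", f"{name} -> {value}"))

    m = START_PAGE_RE.search(text)
    if m:
        url = m.group(1)
        host = url.split("://", 1)[-1].split("/", 1)[0].lower()
        if host not in known_good_hosts:
            findings.append(Finding("review", "start-page",
                                    f"start page {url} is not on the known-good list"))

    m = DNS_RE.search(text)
    if m:
        findings.append(Finding("review", "dns-servers",
                                f"resolvers {m.group(1)}: compare with the ISP's published servers"))
    return findings


def counts_by_severity(findings):
    """Summarise findings as {severity: count}."""
    summary = {}
    for f in findings:
        summary[f.severity] = summary.get(f.severity, 0) + 1
    return summary


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

On the sample the script reports the disabled Windows Firewall as the one "high" item, lists the four Run-key autostarts as inventory, and puts the AutoRun handler, the suppressed Security Center monitoring, the start page and the DNS servers in the "review" bucket, which is the same split the analyst makes in the replies that follow: an entry can be unwanted without being malicious.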
#12
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan, and other problems?
That's not what the instruction calls for. You started off right but ended up wrong. It's not that critical though. The reg entry and file I had scripted to remove were just not needed but not malicious.
It's ok for now...just try to update Kaspersky now and boot to safe mode. Run a complete system scan and allow the software to quarantine whatever it complains of. Post back your results. Thanks!
#14
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan, and other problems?
Yes, update in normal mode then boot to safe mode for the scan. Don't be concerned about the script not working properly...as stated, the entries I wanted to remove are not malicious, just not needed.
When you dragged the script to the combofix.exe and it started to scan then you said you didn't see what you thought you should have seen...and started combofix by double clicking. That's what went wrong. You should have left it alone on its first attempt to run after dragging it into the executable file. That's the way it's designed and that's what was expected and that's the way the instruction directed.
#15
Registered User
Join Date: Feb 2009
Posts: 29
OS: Win XP Pro
Re: Trojan, and other problems?
Well, we were doing OK. Updates were downloading (whoo-hoo!) and all was going well. Until...it got attacked. Argh. Windows shut down and I sent the error report, which sent me to a web page saying it had been attached and shut down immediately to prevent it and to update critical updates. Then, the databases were corrupt for the KIS update, so I had to roll back to the original ones (hours and hours after downloading new ones!), rescanned, and all *seems* to be OK. So, I'm assuming no harm, no foul, just a waste of time and a close call! I'll be re-downloading KIS updates probably in 5 hours or so and keeping my fingers crossed. Do you have any other suggestions to try to make this successful while I'm connected without protection for that long? :) I'll post an update once I've attempted the update.
Thanks again, so much! You don't know how much this means that you've taken this on to help me out.
#16
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Trojan, and other problems?
Forget the update for KIS...just scan here:
Please perform an online virus scan HERE.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.
#18
Registered User
Join Date: Feb 2009
Posts: 29
OS: Win XP Pro
Re: Trojan, and other problems?
Hi 1972vet, I'm not so sure that's going to work. When I get to the URL, it keeps essentially refreshing and it's trying to check my system configuration. The screen doesn't actually refresh, but on the bottom toolbar you can see it (and hear it) clicking over and over and over again...never getting anywhere...is it time to give up? :( KIS does have a newer version of their software than the one I have (ran into that problem on this machine), so I could get a copy of that and install it - would that help any? Wouldn't be completely up to date, but newer than these databases are...
Is this as frustrating to you as it is to me, or is it a puzzle you're having fun figuring out? :) I guess if it weren't my machine, I'd be having fun trying to figure it out, so I hope you are! At least you're hanging in there with me, which I truly appreciate.
#20
Registered User
Join Date: Feb 2009
Posts: 29
OS: Win XP Pro
Re: Trojan, and other problems?
Here's the latest. It took a while. :) I've attempted to run the KIS online scanner several times. Java downloaded just fine. It's working. Unfortunately, since Microsoft Windows update is on automatic, it's downloaded some updates and installed them too (no idea what) and restarted fine automatically (cut me out of the online scanner download once by restarting). Can't figure out how to turn off automatic download while we're working.
KIS eventually finally downloaded and installed the program to run it. However, on updating the database, I get one of two error messages and it cancels. One is "invalid file signature" (that happened twice, the next happens more frequently), and the other is "updater logic error related to download process." So.... Thanks, 1972vet!