Very strange Virus..

Posted on 2004-09-19
Last Modified: 2010-04-11
Seems that I've contracted a very strange virus...
I tried to run Spybot; during searching for files, when it finds a file named Hacker.(something), my PC abruptly shuts down. I tried this 3 times with the same effect...
When I try to search for files and folders and type the word "Hacker", the computer shuts down when it hits this file...
I've tried an anti-virus tool (Stinger), the same story... it searches for files until it hits something with the word "Hacker" in it..
Any Ideas?
Question by:valdeik

Assisted Solution

by:sunray_2003
sunray_2003 earned 180 total points
ID: 12098778
Have you tried to run stinger in safe mode to see if that would make any difference

After running the latest stinger , check this online virus scanner and see if that can help

http://housecall.trendmicro.com/

Also

Download Hijackthis software from here http://www.softpedia.com/public/cat/10/17/10-17-69.shtml and
save the log and paste it here http://hijackthis.de/index.php?langselect=english to analyze it  
If there are files that the website cannot really say whether it is good or bad application/process, post it here .

Remove temporary internet files, folders and cookies
Also remove windows Temp files going to

1) Start --> run --> typein:  %systemroot%/temp
2) Start  --> run --> typein: %temp%

Author Comment

by:valdeik
ID: 12098801
Thanks sunray_2003. Yes, I've tried Stinger in safe mode as well... when it hits this file the PC shuts down..
Let me try your other suggestions....

Expert Comment

by:sunray_2003
ID: 12098817
valdeik,

Also

Start --> run --> Type in "msconfig" and press "Enter"
goto Startup tab
Disable all the applications there except Anti-virus. Reboot the machine and check if the error occurs.
If not, then enable one at a time in the same startup tab and find the application that might cause this
at startup

There could be some unknown process running at startup.

Author Comment

by:valdeik
ID: 12098837
The HijackThis analysis gave me a lot of files labeled NASTY and many UNKNOWN... what should I do? Check them in HijackThis and click "Fix checked"? What do you think, sunray?

Expert Comment

by:sunray_2003
ID: 12098845
remove the ones that says Nasty

Then rerun hijackthis and post log here

Author Comment

by:valdeik
ID: 12098855
OK, I'll try..

Author Comment

by:valdeik
ID: 12098924
HijackThis couldn't remove "Hijacked Internet Access by New.Net", 5 of the same file... should I go ahead and try Spybot now?

Author Comment

by:valdeik
ID: 12098932
Sorry, here is log file ...
Logfile of HijackThis v1.98.2
Scan saved at 7:52:01 PM, on 9/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\atlux32.exe
C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\netfd.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Documents and Settings\Notebook\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,%SystemRoot%\System32\userinit.exe
O2 - BHO: (no name) - {DB58988A-7E72-E50C-B2C0-29E44B377388} - C:\WINDOWS\sdkmr.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [netfd.exe] C:\WINDOWS\system32\netfd.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\RunOnce: [winjw32.exe] C:\WINDOWS\winjw32.exe
O4 - HKLM\..\RunOnce: [atlwv.exe] C:\WINDOWS\system32\atlwv.exe
O4 - HKLM\..\RunOnce: [crfy.exe] C:\WINDOWS\crfy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/07796d5dafe56213e017/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095045174709
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
O19 - User stylesheet: C:\WINDOWS\my.css (file missing)

Expert Comment

by:sunray_2003
ID: 12098980
valdeik,
> HijackThis couldn't remove "Hijacked Internet Access by New.Net", 5
> of the same file... should I go ahead and try Spybot now?

Yes run spybot and that should remove it
www.softpedia.com/public/cat/10/17/10-17-21.shtml

Fix these

C:\WINDOWS\system32\atlux32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\netfd.exe
O2 - BHO: (no name) - {DB58988A-7E72-E50C-B2C0-29E44B377388} - C:\WINDOWS\sdkmr.dll
O4 - HKLM\..\Run: [netfd.exe] C:\WINDOWS\system32\netfd.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\RunOnce: [winjw32.exe] C:\WINDOWS\winjw32.exe
O4 - HKLM\..\RunOnce: [atlwv.exe] C:\WINDOWS\system32\atlwv.exe
O4 - HKLM\..\RunOnce: [crfy.exe] C:\WINDOWS\crfy.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML

O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net


Author Comment

by:valdeik
ID: 12099044
Well,
I've run Spybot and in the middle of searching, computer stole again... abrupt shut down...

Expert Comment

by:sunray_2003
ID: 12099051
valdeik,

If you do not search for this file, either by going to Find (within XP) or by using spyware removal tools, does the computer shut down?

Author Comment

by:valdeik
ID: 12099092
no it doesn't... it works OK until I try to run anti virus or spyware programs..  Well, Not really...When I type address in my browser window like( www. anything.com), sometimes, it doesn't work and on my taskbar I get message: You was infected! (exact words)  that's why I started all spyware and cleaning adventure...
What do you think, sunray?

Expert Comment

by:sunray_2003
ID: 12099099
valdeik,

Looks weird

Try other spyware removal tools

Some of the experts here have helped in compiling all the important spyware tools and they are listed in this thread
http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html

Also did you try msconfig suggestion given earlier


Author Comment

by:valdeik
ID: 12099103
I tried to fix in hijackthis suggested files, some were removed , some it won't remove (Hijacked Internet access by New.Net)
and I couldn't find :
C:\WINDOWS\system32\atlux32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\netfd.exe

Expert Comment

by:sunray_2003
ID: 12099111
valdeik,

Were you not able to fix these 3 exe files in hijackthis itself ?

Have you tried to remove New.net by going to Add/Remove Programs in Control Panel?
If it does not work, http://www.geocities.com/merijn_bellekom/new/nonewdotnet.html



Author Comment

by:valdeik
ID: 12099113
I'll try msconfig now..

Author Comment

by:valdeik
ID: 12099129
wait,
I'm looking at it and have doubts... why do I need to do it? The computer starts up OK... what would it give me?

Expert Comment

by:sunray_2003
ID: 12099136
there are certain programs /applications/processes that start up during system bootup which might be causing the issue you are having. If you control them then you can find the culprit that is giving issues.
You can disable all except anti-virus in the startup tab and see if system is OK. If yes then enable each application one by one , do a restart each time to figure out which one might be causing the issue

Author Comment

by:valdeik
ID: 12099301
sunray,
to remove new.net I went to suggested link, followed all the instructions and it didn't work for me I've got the message:
Error loading c:\newdotnet6_38.dll ....
 LSPFix found 0 files...
Well, I think  it is new.net  virus...
 how else I can remove it?

Expert Comment

by:darkdrago
ID: 12099335
Well, if it is a virus you might want to try to get a boot disk for a virus scanner and try that out.
I have used http://www.ultimatebootcd.com/ before and it was pretty good for getting rid of viruses.
You may have to remake it slightly with newer virus definitions for the CD.

Expert Comment

by:beem4n
ID: 12100098
Hi,

Install panda antivirus (trial version works 30 days, allowing one free update) - it should catch your virus.

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 160 total points
ID: 12100780
First download this New.net uninstaller program >> http://www.new.net/support/uninstall5_48.exe.
run it in safe mode to remove New.net, after that reboot back in normal mode and do the following procedure CAREFULLY and backup ur registry before making changes to it !!

So can u see this line in ur log >> F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,%SystemRoot%\System32\userinit.exe

this is wrong, coz the value of userinit key shud be only >> C:\WINDOWS\system32\userinit.exe,
so correct it, and to correct it do this,,,,,, goto Start>Run>regedit and navigate to the following key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

in the right pane, double click on the UserInit key, u can see the value data as >> C:\WINDOWS\system32\userinit.exe,%SystemRoot%\System32\userinit.exe

change it to >> C:\WINDOWS\system32\userinit.exe,
(Note the comma following the file path information)

save the key, and restart ur system,,,,, now run hijackthis again, and analyse it on the Analysation Website, check what are the nasties which are still present, or post here the LOG and we will check it out !!

Post Back and Good Luck :)
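The Userinit check described in the answer above, as an added example that is not part of the original post: it reads the `F2` line from a HijackThis log, splits the comma-separated Userinit value and reports duplicate or foreign entries. It assumes Windows is installed in `C:\WINDOWS` as in this thread's logs; `example_loader.exe` is a constructed name used only to show the foreign-entry case.

```python
import ntpath
import re

# Assumption: Windows lives in C:\WINDOWS, as in the logs posted in this thread.
SYSTEM_ROOT = r"C:\WINDOWS"
EXPECTED = ntpath.normcase(SYSTEM_ROOT + r"\system32\userinit.exe")
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)


def normalise(entry):
    # Expand %SystemRoot% / %windir%, then fold case and separators for comparison.
    text = entry.strip().strip('"')
    text = re.sub(r"%(?:systemroot|windir)%", lambda _m: SYSTEM_ROOT, text,
                  flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(text))


def check_userinit(value):
    # Winlogon runs every comma-separated program in Userinit at logon, so the
    # value is only clean when it holds userinit.exe exactly once and nothing else.
    entries = [e.strip() for e in value.split(",") if e.strip()]
    legit = [e for e in entries if normalise(e) == EXPECTED]
    foreign = [e for e in entries if normalise(e) != EXPECTED]
    return {
        "entries": entries,
        "duplicates": max(len(legit) - 1, 0),
        "foreign": foreign,
        "missing_userinit": not legit,
        "ok": len(legit) == 1 and not foreign,
    }


def scan_log(log_text):
    # Return (raw value, verdict) for every F2 Userinit line in a HijackThis log.
    findings = []
    for line in log_text.splitlines():
        match = F2_USERINIT.match(line.strip())
        if match:
            findings.append((match.group(1), check_userinit(match.group(1))))
    return findings


# Excerpt of the first log posted in this thread (only the F2 line matters here).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,%SystemRoot%\System32\userinit.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
"""

# Constructed value: a second, different program appended after userinit.exe.
CONSTRUCTED_FOREIGN = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\example_loader.exe"

if __name__ == "__main__":
    for value, verdict in scan_log(SAMPLE_LOG):
        print(value)
        print("  ok:", verdict["ok"], "duplicates:", verdict["duplicates"],
              "foreign:", verdict["foreign"])
    print(check_userinit(CONSTRUCTED_FOREIGN))
```

The value in this thread's log expands to the same userinit.exe twice, so it is reported as a duplicate rather than a foreign program; either way the value is not clean until only the single entry with its trailing comma remains.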

Accepted Solution

by:rossfingal
rossfingal earned 160 total points
ID: 12102577
Hi!
Try uninstalling New.net through Add/Remove Programs in Control Panel,
before you attempt any other repairs.

In your first post, you mention Spybot S & D stops when it hits a file named "Hacker. (something)"
Let's try this -
Download Rkdetectorv0.62.zip from:
http://www.3wdesign.es/security/principal.html?u=82pxv20n
 
Unzip it to your desktop.
In the RKDetector folder you unzipped you will see rkdetector.exe and tcp.dll
 
Hold down your control key and
left click each of these files once so they both end up highlighted at the same time.  
Next right click one of them and choose copy.
Then, click on "Start", click on "Run" and type %windir% and hit enter.  
The window that opens will be the systemroot folder (windows or winnt, depending on the system).
 
Right click an open area in that window and choose paste.  
You should see rkdetector.exe and tcp.dll appear on the file list there.

Once that is done, click on "Start", click on "Run", and type cmd and press enter.
In the following commands {s}=press the space bar one time
At the command prompt type the following
cd {s} desktop  
Then press enter
rkdetector.exe {s} > {s} rkdetector.txt
Then press enter

The command window will go blank for a minute or so,
when the prompt comes back type exit and press enter.

Find the file on your desktop called rkdetector.txt and look at the last 6 lines,
if they all say "Found: 0" then let us know nothing was found.  
If something was found then paste the entire contents of the file as a reply to this thread.

Good luck!
RF


Author Comment

by:valdeik
ID: 12103184
Dear RF,
 I did install RKDetector as you suggested.... but at the command window I get the message that the command is not recognized..
Perhaps I'm typing something wrong? Thanks

Author Comment

by:valdeik
ID: 12103484
Dear SheharyaarSaahil,

 I've followed your suggestion as well, corrected path:C:\WINDOWS\system32\userinit.exe,
and here is my new log file from hijackthis:

Logfile of HijackThis v1.98.2
Scan saved at 9:08:35 AM, on 9/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Notebook\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [netfd.exe] C:\WINDOWS\system32\netfd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095045174709
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab


Expert Comment

by:rossfingal
ID: 12103511
Is this the line:
"Once that is done, click on "Start", click on "Run", and type cmd and press enter."
If so, substitute command for cmd.

RF

Expert Comment

by:SheharyaarSaahil
ID: 12103559
>> O4 - HKLM\..\Run: [netfd.exe] C:\WINDOWS\system32\netfd.exe

this is looking suspicious !!  :-/
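The entry quoted above was on the earlier "Fix these" list and still shows up in the follow-up log. The following added example (not part of the thread) checks a fix list against a later HijackThis log to show which items survived; the lists are excerpts of the lines posted in this thread and the function names are illustrative.

```python
import re

# HijackThis entry lines start with a section code such as R1, F2, O4 or O16.
ENTRY = re.compile(r"^[RFNO]\d{1,2} - ")


def parse(log_text):
    # Split a HijackThis log into running-process paths and section entries.
    processes, entries = set(), set()
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
        elif ENTRY.match(line):
            in_processes = False
            entries.add(line.lower())
        elif in_processes and line:
            processes.add(line.lower())
    return processes, entries


def still_present(fix_list, after_log):
    # Items from the fix list (process paths or entry lines) that the later log
    # still contains; Windows paths are compared case-insensitively.
    processes, entries = parse(after_log)
    seen = processes | entries
    return [item for item in fix_list if item.strip().lower() in seen]


# Excerpt of the "Fix these" list posted earlier in this thread.
FIX_LIST = [
    r"C:\WINDOWS\system32\atlux32.exe",
    r"C:\WINDOWS\system32\slserv.exe",
    r"C:\WINDOWS\system32\netfd.exe",
    r"O2 - BHO: (no name) - {DB58988A-7E72-E50C-B2C0-29E44B377388} - C:\WINDOWS\sdkmr.dll",
    r"O4 - HKLM\..\Run: [netfd.exe] C:\WINDOWS\system32\netfd.exe",
    r"O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s",
    r"O10 - Hijacked Internet access by New.Net",
]

# Excerpt of the second log posted in this thread (9/20/2004).
AFTER_LOG = r"""
Logfile of HijackThis v1.98.2
Scan saved at 9:08:35 AM, on 9/20/2004

Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [netfd.exe] C:\WINDOWS\system32\netfd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
"""

if __name__ == "__main__":
    for item in still_present(FIX_LIST, AFTER_LOG):
        print("still present:", item)
```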

Expert Comment

by:rossfingal
ID: 12104082
valdeik
Sorry about that! :)
Click on "Start", click on "Run", type command
After the command prompt loads, type this:
C:\windows\rkdetector.exe -v (there is a space between exe and -)
This should work - let me know!
RF

Author Comment

by:valdeik
ID: 12104468
RF,
OK, I've done that.
(Found: 2 wrong Services)
*SV:  SLService (SmartLinkService) PATH: slserv.exe
*SV:  vsdatant (vsdatant) PATH: c:\windows\system32\vsdatant.sys
What should I do now?

Author Comment

by:valdeik
ID: 12104672
When I analyze HijackThis Log file  only c:\windows\system32\slserv.exe      is marked as NASTY...
How can I fix this..?

Expert Comment

by:SheharyaarSaahil
ID: 12104723
if this file is present in C:\Windows\System32 folder, then delete this file from here in safemode manually !!

Author Comment

by:valdeik
ID: 12104920
what about c:\windows\system32\vsdatant.sys    ?   should I delete it as well?

Expert Comment

by:rossfingal
ID: 12104922
Often, if you have a file on your system called slserv.exe, it is sometimes replaced by the Gaobot worm.
In order to verify this I need you to run the Gaobot Removal Tool.
Since we cannot be certain of the exact version of Gaobot, you might as well run both tools.
Here are the links to get them from:
Run this one first, then reboot.
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.removal.tool.html
Then run this one and reboot:
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.uj.removal.tool.html
Make sure "System Restore" is turned off before you run these!

As far as vsdatant.sys is concerned -
did you ever have ZoneAlarm firewall installed on your system?
Check the properties on vsdatant.sys and post them here.

While you're on the Internet,
download Getservice.zip from the following:
http://www.bleepingcomputer.com/files/spyware/getservice.zip
Extract the file to the c:\ drive.
Then navigate to the c:\getservices and double-click on the getservices.bat file.
A notepad will open up.
Please paste the contents of that notepad as a reply to this post.

Good luck!
RF

Expert Comment

by:SheharyaarSaahil
ID: 12105070
>> what about c:\windows\system32\vsdatant.sys

nopes, its related to ZoneAlarm i think.. check its properties, the details shud tell abt Zone Labs !!

Author Comment

by:valdeik
ID: 12105593
I'm currently running gaobot Fix tool, it takes  very long time...

Author Comment

by:valdeik
ID: 12105609
Yes, and I can't locate the getservices.bat file... it's not in the folder...???

Expert Comment

by:rossfingal
ID: 12106022
It scans your whole system - that can take a while.

Check for it on your C: drive.
Is psservice.exe in the folder?
They're both probably on your c: drive.
RF

Expert Comment

by:knoxj81
ID: 12106061
valdeik,

Just delete the two files the ROOTKIT detector picked up. Then also do a search for:
slserv.exe  and  vsdatant.sys  in your registry.

START >> RUN >> REGEDIT

Delete anything it finds. Now if your rootkit is anything like the one I removed on one of our clients, it has an invisible folder in your recycle bin. An easy way to see if this is the case would be to empty your recycle bin and see if it still shows full.

Once you have cleared the files from your workstation and the registry seems to be cleaned out, I would remove some of your security software, for the fact it didn't do its job. Lucky for you there are free alternatives with better results. I'm also going to list some sites for you to keep bookmarked.

Antivirus:
Kaspersky Antivirus 5.0 (version just released this month) http://www.kaspersky.com/personal
This program is the best by far. It updates every 3 hours, scans web browser scripts also.
I've tested many other virus scanners through the years.

AVG is also a great virus scanner (more for home users), not to mention they have a wonderful FREE edition.
http://www.grisoft.com/us/us_dwnl_free.php

Firewall:
Sygate Personal Firewall Pro - Compared to ZoneAlarm or Norton's, which both have tons of exploits to drop their service like a fly, Sygate is the choice for a software firewall.

Sygate has a home edition for free as well.  www.sygate.com

BLINK - This is a firewall that eeye.com has released; this is more for larger networks, but simply the best!

Vulnerability assessment:
Retina® Network Security Scanner (http://eeye.com/html/products/retina/index.html)
You can get a free 30 day trial, which is all you need to patch up your system. I used "Microsoft Baseline Security Analyser v1.2" and Windows Update to patch my system before stepping up to RETINA. Retina found 10 more critical flaws in my network and it was as easy as clicking "FIX IT" or downloading a provided link to the needed patch!

Spyware/Adware/Malware/Dataware:
AD-AWARE - www.lavasoftusa.com
If you can afford it buy the PRO version, the extra feature AD-WATCH is well worth it for it monitors your registry and notifies you of any changes made allowing you to ALLOW or REJECT the request on the fly.

BHO Demon - www.majorgeeks.com/download3550.html  (mirrored)
This is a must now-a-days if you're running Internet Explorer! BHO is used in a lot of the recent IE exploits as well as keyloggers. This is a must for Home and Corporate users.

IDS ( Intrusion Detection System ): - snort.org
I was reading my Windows & .NET Magazine, and it has a great article on SNORT. Setting it up and everything. Page 51! Or you can buy the book SNORT 2.1 Second Edition. This program is absolutely promising, this is for extreme paranoid home users.

References:
http://isc.sans.org/index.php?off=diary -Everyday info on the latest exploits/virus/security issues.
http://eeye.com - perfect for advisories and the best security software.
www.majorgeeks.com - Every program a nerd could think of!!
www.sygate.com
www.kaspersky.com
www.lavasoftusa.com
http://www.grisoft.com

Now with all this in mind, you need to make some security decisions and keep current. If you have any questions let me know.

Good Luck,
Jorden
0
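
A read-only version of the registry search described in the post above, as an added PowerShell example that is not part of the original thread: it lists every key or value that mentions the two file names so the matches can be reviewed before anything is deleted. The list of keys searched (service and Run locations) is an assumption, and the function name `Find-RegistryReference` is hypothetical.

```powershell
# Added example: read-only search, nothing is changed or deleted.
# The two file names come from the post; the keys searched are an assumption.
$Names = @('slserv.exe', 'vsdatant.sys')
$Roots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Find-RegistryReference {
    param(
        [Parameter(Mandatory = $true)][string[]]$Path,
        [Parameter(Mandatory = $true)][string[]]$Pattern
    )
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # The root key itself plus every subkey; keys that cannot be opened are skipped.
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            foreach ($p in $Pattern) {
                # Service keys are often named after the binary without its extension,
                # so the key name is compared against the stem (this can over-match).
                $stem = [System.IO.Path]::GetFileNameWithoutExtension($p)
                if ($key.PSChildName -like "*$stem*") {
                    [pscustomobject]@{
                        Match = $p; Where = 'key name'
                        Key = $key.Name; Value = ''; Data = ''
                    }
                }
            }

            try { $valueNames = $key.GetValueNames() } catch { continue }
            foreach ($valueName in $valueNames) {
                # REG_MULTI_SZ comes back as an array; flatten it to one string.
                $text = @($key.GetValue($valueName)) -join ' '
                foreach ($p in $Pattern) {
                    if ($valueName -like "*$p*" -or $text -like "*$p*") {
                        [pscustomobject]@{
                            Match = $p; Where = 'value'
                            Key = $key.Name; Value = $valueName; Data = $text
                        }
                    }
                }
            }
        }
    }
}

$hits = @(Find-RegistryReference -Path $Roots -Pattern $Names)
$hits | Format-List
"{0} match(es) found. Export each listed key from regedit before removing it." -f $hits.Count
```

The output names the owning key for each match, which shows what installed the entry (for example a service's `ImagePath` value) before a decision is made to remove it.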
 

Author Comment

by:valdeik
ID: 12106115
RF,
here it is
and scan didn't find anything


PsService v1.1 - local and remote services viewer/controller
Copyright (C) 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Alerter
      DEPENDENCIES        : LanmanWorkstation
      SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: ALG
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\alg.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Application Layer Gateway Service
      DEPENDENCIES        :
      SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Application Management
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Ati HotKey Poller
(null)
      TYPE              : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\Ati2evxx.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Ati HotKey Poller
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  : AudioGroup
      TAG              : 0
      DISPLAY_NAME        : Windows Audio
      DEPENDENCIES        : PlugPlay
                    : RpcSs
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Uses idle network bandwidth to transfer data.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Background Intelligent Transfer Service
      DEPENDENCIES        : Rpcss
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Computer Browser
      DEPENDENCIES        : LanmanWorkstation
                    : LanmanServer
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: cisvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\cisvc.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Indexing Service
      DEPENDENCIES        : RPCSS
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\clipsrv.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : ClipBook
      DEPENDENCIES        : NetDDE
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: COMSysApp
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : COM+ System Application
      DEPENDENCIES        : rpcss
      SERVICE_START_NAME: LocalSystem
      FAIL_RESET_PERIOD : 30 seconds
      FAILURE_ACTIONS        : Restart      DELAY: 1000 seconds
                    : Restart      DELAY: 5000 seconds
                    : None      DELAY: 1000 seconds

SERVICE_NAME: CryptSvc
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Cryptographic Services
      DEPENDENCIES        : RpcSs
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  : TDI
      TAG              : 0
      DISPLAY_NAME        : DHCP Client
      DEPENDENCIES        : Tcpip
                    : Afd
                    : NetBT
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\dmadmin.exe /com
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Logical Disk Manager Administrative Service
      DEPENDENCIES        : RpcSs
                    : PlugPlay
                    : DmServer
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Logical Disk Manager
      DEPENDENCIES        : RpcSs
                    : PlugPlay
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k NetworkService
      LOAD_ORDER_GROUP  : TDI
      TAG              : 0
      DISPLAY_NAME        : DNS Client
      DEPENDENCIES        : Tcpip
      SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: ERSvc
Allows error reporting for services and applictions running in non-standard environments.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 0  IGNORE
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Error Reporting Service
      DEPENDENCIES        : RpcSs
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\services.exe
      LOAD_ORDER_GROUP  : Event log
      TAG              : 0
      DISPLAY_NAME        : Event Log
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  : Network
      TAG              : 0
      DISPLAY_NAME        : COM+ Event System
      DEPENDENCIES        : RPCSS
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: FastUserSwitchingCompatibility
Provides management for applications that require assistance in a multiple user environment.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Fast User Switching Compatibility
      DEPENDENCIES        : TermService
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Help and Support
      DEPENDENCIES        : RPCSS
      SERVICE_START_NAME: LocalSystem
      FAIL_RESET_PERIOD : 86400 seconds
      FAILURE_ACTIONS        : Restart      DELAY: 100 seconds
                    : Restart      DELAY: 100 seconds
                    : None      DELAY: 100 seconds

SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 4  DISABLED
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Human Interface Device Access
      DEPENDENCIES        : RpcSs
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\imapi.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : IMAPI CD-Burning COM Service
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Irmon
Supports infrared devices installed on the computer and detects other devices that are in range.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  : TDI
      TAG              : 0
      DISPLAY_NAME        : Infrared Monitor
      DEPENDENCIES        : irda
                    : RpcSs
                    : TermService
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Server
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  : NetworkProvider
      TAG              : 0
      DISPLAY_NAME        : Workstation
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
      LOAD_ORDER_GROUP  : TDI
      TAG              : 0
      DISPLAY_NAME        : TCP/IP NetBIOS Helper
      DEPENDENCIES        : NetBT
                    : Afd
      SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: McShield
(null)
      TYPE              : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : c:\PROGRA~1\mcafee.com\vso\mcshield.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : McAfee.com McShield
      DEPENDENCIES        : RPCSS
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mcupdmgr.exe
(null)
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : McAfee SecurityCenter Update Manager
      DEPENDENCIES        : RPCSS
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MCVSRte
(null)
      TYPE              : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe /Embedding
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : McAfee.com VirusScan Online Realtime Engine
      DEPENDENCIES        : RPCSS
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Messenger
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Messenger
      DEPENDENCIES        : LanmanWorkstation
                    : NetBIOS
                    : PlugPlay
                    : RpcSS
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\mnmsrvc.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : NetMeeting Remote Desktop Sharing
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\msdtc.exe
      LOAD_ORDER_GROUP  : MS Transactions
      TAG              : 1
      DISPLAY_NAME        : Distributed Transaction Coordinator
      DEPENDENCIES        : RPCSS
                    : SamSS
      SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: MSIServer
Installs, repairs and removes software according to instructions contained in .MSI files.
      TYPE              : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\msiexec.exe /V
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Windows Installer
      DEPENDENCIES        : RpcSs
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\netdde.exe
      LOAD_ORDER_GROUP  : NetDDEGroup
      TAG              : 0
      DISPLAY_NAME        : Network DDE
      DEPENDENCIES        : NetDDEDSDM
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\netdde.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Network DDE DSDM
      DEPENDENCIES        :
                    : EGrLocalSystem
                    : Network DDE DSDM
                    : etwork DDE
                    : workService
                    : Distributed Transaction Coordinator
                    : ion
                    : \Applicax
                    : 
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\lsass.exe
      LOAD_ORDER_GROUP  : RemoteValidation
      TAG              : 0
      DISPLAY_NAME        : Net Logon
      DEPENDENCIES        : LanmanWorkstation
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
      TYPE              : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Network Connections
      DEPENDENCIES        : RpcSs
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Nla
Collects and stores network configuration and location information, and notifies applications when this information changes.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Network Location Awareness (NLA)
      DEPENDENCIES        : Tcpip
                    : Afd
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\lsass.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : NT LM Security Support Provider
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
(null)
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Removable Storage
      DEPENDENCIES        : RpcSs
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: OzoneInstallerService
(null)
      TYPE              : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Ozone Installer
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\services.exe
      LOAD_ORDER_GROUP  : PlugPlay
      TAG              : 0
      DISPLAY_NAME        : Plug and Play
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\lsass.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : IPSEC Services
      DEPENDENCIES        : RPCSS
                    : Tcpip
                    : IPSec
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
      TYPE              : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\lsass.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Protected Storage
      DEPENDENCIES        : RpcSs
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Remote Access Auto Connection Manager
      DEPENDENCIES        : RasMan
                    : Tapisrv
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Remote Access Connection Manager
      DEPENDENCIES        : Tapisrv
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RDSessMgr
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\sessmgr.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Remote Desktop Help Session Manager
      DEPENDENCIES        : RPCSS
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 4  DISABLED
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Routing and Remote Access
      DEPENDENCIES        : RpcSS
                    : +NetBIOSGroup
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteRegistry
Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k LocalService
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Remote Registry
      DEPENDENCIES        : RPCSS
      SERVICE_START_NAME: NT AUTHORITY\LocalService
      FAIL_RESET_PERIOD : 0 seconds
      FAILURE_ACTIONS        : Restart      DELAY: 1000 seconds

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\locator.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Remote Procedure Call (RPC) Locator
      DEPENDENCIES        : LanmanWorkstation
      SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost -k rpcss
      LOAD_ORDER_GROUP  : COM Infrastructure
      TAG              : 0
      DISPLAY_NAME        : Remote Procedure Call (RPC)
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem
      FAIL_RESET_PERIOD : 0 seconds
      FAILURE_ACTIONS        : Reboot      DELAY: 60000 seconds

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\rsvp.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : QoS RSVP
      DEPENDENCIES        : TcpIp
                    : Afd
                    : RpcSs
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\lsass.exe
      LOAD_ORDER_GROUP  : LocalValidation
      TAG              : 0
      DISPLAY_NAME        : Security Accounts Manager
      DEPENDENCIES        : RPCSS
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardDrv
Enables support for legacy non-plug and play smart-card readers used by this computer. If this service is stopped, this computer will not support legacy reader. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 0  IGNORE
      BINARY_PATH_NAME  : C:\WINDOWS\System32\SCardSvr.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Smart Card Helper
      DEPENDENCIES        : +Smart Card Reader
      SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 0  IGNORE
      BINARY_PATH_NAME  : C:\WINDOWS\System32\SCardSvr.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Smart Card
      DEPENDENCIES        : PlugPlay
      SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  : SchedulerGroup
      TAG              : 0
      DISPLAY_NAME        : Task Scheduler
      DEPENDENCIES        : RpcSs
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 0  IGNORE
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Secondary Logon
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events.  Notifies COM+ Event System subscribers of these events.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  : Network
      TAG              : 0
      DISPLAY_NAME        : System Event Notification
      DEPENDENCIES        : EventSystem
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
      DEPENDENCIES        : Netman
                    : NLA
                    : RasMan
                    : ALG
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ShellHWDetection
Provides notifications for AutoPlay hardware events.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 0  IGNORE

Logfile of HijackThis v1.98.2
Scan saved at 10:46:25 AM, on 9/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\System32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cmd.exe
C:\Documents and Settings\Notebook\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [netfd.exe] C:\WINDOWS\system32\netfd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095045174709
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  : ShellSvcGroup
      TAG              : 0
      DISPLAY_NAME        : Shell Hardware Detection
      DEPENDENCIES        : RpcSs
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SLService
(null)
      TYPE              : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : slserv.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : SmartLinkService
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
      TYPE              : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\spoolsv.exe
      LOAD_ORDER_GROUP  : SpoolerGroup
      TAG              : 0
      DISPLAY_NAME        : Print Spooler
      DEPENDENCIES        : RPCSS
      SERVICE_START_NAME: LocalSystem
      FAIL_RESET_PERIOD : 86400 seconds
      FAILURE_ACTIONS        : Restart      DELAY: 60000 seconds
                    : Restart      DELAY: 60000 seconds
                    : None      DELAY: 0 seconds

SERVICE_NAME: srservice
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : System Restore Service
      DEPENDENCIES        : RpcSs
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SSDPSRV
Enables discovery of UPnP devices on your home network.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : SSDP Discovery Service
      DEPENDENCIES        :
      SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: stisvc
Provides image acquisition services for scanners and cameras.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k imgsvc
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Windows Image Acquisition (WIA)
      DEPENDENCIES        : RpcSs
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SwPrv
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 0  IGNORE
      BINARY_PATH_NAME  : C:\WINDOWS\System32\dllhost.exe /Processid:{407F0312-E422-4003-8825-047F7D3DE330}
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : MS Software Shadow Copy Provider
      DEPENDENCIES        : rpcss
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\smlogsvc.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Performance Logs and Alerts
      DEPENDENCIES        :
      SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Telephony
      DEPENDENCIES        : PlugPlay
                    : RpcSs
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TermService
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Terminal Services
      DEPENDENCIES        : RPCSS
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Themes
Provides user experience theme management.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  : UIGroup
      TAG              : 0
      DISPLAY_NAME        : Themes
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem
      FAIL_RESET_PERIOD : 86400 seconds
      FAILURE_ACTIONS        : Restart      DELAY: 60000 seconds
                    : Restart      DELAY: 60000 seconds
                    : None      DELAY: 0 seconds

SERVICE_NAME: TlntSvr
Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\tlntsvr.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Telnet
      DEPENDENCIES        : RPCSS
                    : TCPIP
                    : NTLMSSP
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TrkWks
Maintains links between NTFS files within a computer or across computers in a network domain.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Distributed Link Tracking Client
      DEPENDENCIES        : RpcSs
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: upnphost
Provides support to host Universal Plug and Play devices.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Universal Plug and Play Device Host
      DEPENDENCIES        : SSDPSRV
      SERVICE_START_NAME: NT AUTHORITY\LocalService
      FAIL_RESET_PERIOD : -1 seconds
      FAILURE_ACTIONS        : Restart      DELAY: 0 seconds

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\ups.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Uninterruptible Power Supply
      DEPENDENCIES        :
      SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\vssvc.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Volume Shadow Copy
      DEPENDENCIES        : RPCSS
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: W32Time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.


      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Windows Time
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
      LOAD_ORDER_GROUP  : NetworkProvider
      TAG              : 0
      DISPLAY_NAME        : WebClient
      DEPENDENCIES        : MRxDAV
      SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: winmgmt
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 0  IGNORE
      BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Windows Management Instrumentation
      DEPENDENCIES        : RPCSS
                    : Eventlog
      SERVICE_START_NAME: LocalSystem
      FAIL_RESET_PERIOD : 86400 seconds
      FAILURE_ACTIONS        : Restart      DELAY: 60000 seconds
                    : Restart      DELAY: 60000 seconds

SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Portable Media Serial Number Service
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WmdmPmSp
Retrieves the serial number of any portable music player connected to your computer
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Portable Media Serial Number
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Wmi
Provides systems management information to and from drivers.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Windows Management Instrumentation Driver Extensions
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WmiApSrv
Provides performance library information from WMI HiPerf providers.
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\wbem\wmiapsrv.exe
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : WMI Performance Adapter
      DEPENDENCIES        : RPCSS
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : Automatic Updates
      DEPENDENCIES        :
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
Provides automatic configuration for the 802.11 adapters
      TYPE              : 20 WIN32_SHARE_PROCESS
      START_TYPE        : 2  AUTO_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
      LOAD_ORDER_GROUP  : TDI
      TAG              : 0
      DISPLAY_NAME        : Wireless Zero Configuration
      DEPENDENCIES        : RpcSs
                    : Ndisuio
      SERVICE_START_NAME: LocalSystem

SERVICE_NAME: YPCService
(null)
      TYPE              : 10 WIN32_OWN_PROCESS
      START_TYPE        : 3  DEMAND_START
      ERROR_CONTROL        : 1  NORMAL
      BINARY_PATH_NAME  : C:\WINDOWS\system32\YPCSER~1.EXE
      LOAD_ORDER_GROUP  :
      TAG              : 0
      DISPLAY_NAME        : YPCService
      DEPENDENCIES        : RPCSS
      SERVICE_START_NAME: LocalSystem
0
 
LVL 6

Expert Comment

by:knoxj81
ID: 12106275
C:\WINDOWS\system32\slserv.exe    
O4 - HKLM\..\Run: [netfd.exe] C:\WINDOWS\system32\netfd.exe

Remove those and update your security products, as stated right before your post.

* If you're on Windows XP/ME, disable System Restore *


0
 

Author Comment

by:valdeik
ID: 12106531
I can't delete the file: C:\windows\system32\slserv.exe
When I try to do it, I get the message: Cannot delete slserv : Access is denied.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12106709
Try taking ownership of these files..... :-/

HOW TO: Take Ownership of a File or Folder in Windows XP:
http://support.microsoft.com/?kbid=308421
0
 

Author Comment

by:valdeik
ID: 12107280
Thanks Guys,

Mostly I have deleted all viruses, and it seems like Spybot is working as well.
Till next time,
Val
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 12107398
Glad we could help you!
I didn't know we were done.
Thanks!

Regards!
RF
0
