Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

I have a variant of rl.webtracer.cc[RESOLVED]


  • This topic is locked This topic is locked

#1
benoakes

benoakes

    Member

  • Member
  • PipPip
  • 18 posts
We've had the rl.webtracer.cc home page hijacker for a couple of weeks. There are registry keys to set the IE start page to http://rl.webtracer.cc/-/?bayzm as well as user style sheet entries to use c:\windows\stsheets.dat. I have deleted the file and the registry entries. I have run NoAdware, spybot, CWshredder and AdAware, but these registry keys and the file keep reappearing when I reboot. Norton 2005 does not report any viruses.

I have searched for similar probelms, but I can't find the specific files mentioned in other reports of this problem e.g. c:\windows\system32\drivers\p3i.sys.

Here is the output from Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 22:06:30, on 04/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve...rch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://superprogdown...0.chm::/win.exe
O16 - DPF: {46378FDC-0501-446E-8CC9-9C4F6F5E906B} (DownloadInstall Class) - http://www.glance.ne...loadInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115238743875
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O20 - Winlogon Notify: iexplore - iFdrc.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Any help gratefully received.

Ben Noakes
  • 0

Advertisements


#2
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi benoakes

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://superprogdown...0.chm::/win.exe
O16 - DPF: {46378FDC-0501-446E-8CC9-9C4F6F5E906B} (DownloadInstall Class) - http://www.glance.ne...loadInstall.cab
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O20 - Winlogon Notify: iexplore - iFdrc.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
O1 - Hosts: 1159680172 auto.search.msn.com
C:\WINDOWS\SYSTEM32\draw32.dll
O20 - Winlogon Notify: iexplore - iFdrc.dll (file missing)

Exit Explorer.Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#3
benoakes

benoakes

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hi Kc

Thanks for your quick response. Unfortunately I don't think that it has fixed the problem.

When I tried to fix O1 Hosts ... Hijackthis said "HijackThis could not write the selected changes to your hosts file. The probable cause is that some programme is denying access to it, or that your user account doesn't have the rights to write to it." I am an administrator on my PC.

When I fixed R0 .. statr page = http://rl.webtracer.cc/-/?bayzm the value disappeared, but rerunning the scan showed that it was back again.

I rebooted in safe mode, deleted the draw32.dll, removed the start page and styles registry entries and removed the auto.search.msn.com line from my hosts file, but when I rebooted they were all back again.

Here's the new HijackThis log file

Logfile of HijackThis v1.99.1
Scan saved at 07:56:36, on 05/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve...rch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115238743875
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I have run the pandasoftware online scan. It found the following


Incident Status Location Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-5db4521e-600bb6e3.zip[Dummy.class] Possible Virus. No disinfected C:\Documents and Settings\Ben\Local Settings\Temp\ld.php Possible Virus. No disinfected C:\Program Files\Infogrames Interactive\X-COM Enforcer\System\XCom.exe Virus:Bck/Haxdoor.A Renamed C:\WINDOWS\SYSTEM32\fltr.a3d Virus:Bck/Haxdoor.A Renamed C:\WINDOWS\SYSTEM32\klo5.sys Virus:Bck/Haxdoor.A Renamed C:\WINDOWS\SYSTEM32\p2.ini Virus:Bck/Haxdoor.A Renamed C:\WINDOWS\SYSTEM32\ps.a3d Virus:Bck/Haxdoor.A Renamed C:\WINDOWS\SYSTEM32\redir.a3d Virus:Bck/Haxdoor.A Renamed C:\WINDOWS\SYSTEM32\vtd_16.exe It doesn't look great, but I've got to go to work now, so I'll look closer later.

Ben
  • 0

#4
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi benoakes

Download startdreck.zip

UNZIP to a folder. DoubleClick: 'StartDreck.exe'
First click on the config button.
Now click the Unmark all button
Under "System/Drivers, put a check by these boxes only:
*Mark NT Services
*List binaries
*NT Kernel- and FS Drivers
Now click the Save button to save that log. Go to the StartDreck folder and find the Startdreck.log file.

Copy and Paste the contents of that log back here

Kc :tazz:
  • 0

#5
benoakes

benoakes

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
KC

Here's the contents of the StartDreck logfile.

StartDreck (build 2.1.7 public stable) - 2005-05-05 @ 20:52:30 (GMT +01:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Ben at COMPUTER

»Registry
»Files
»System/Drivers
»NT Services
*Alerter Alerter - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Application Layer Gateway Service ALG - on demand
`binary: C:\WINDOWS\System32\alg.exe
*Application Management AppMgmt - disabled
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Windows Audio AudioSrv running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Background Intelligent Transfer Service BITS - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Computer Browser Browser running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Symantec Event Manager ccEvtMgr running auto
`binary: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*Symantec Password Validation ccPwdSvc - on demand
`binary: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
*Symantec Settings Manager ccSetMgr running auto
`binary: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
*Indexing Service CiSvc - on demand
`binary: C:\WINDOWS\system32\cisvc.exe
*ClipBook ClipSrv - on demand
`binary: C:\WINDOWS\system32\clipsrv.exe
*COM+ System Application COMSysApp - on demand
`binary: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
*Creative Service for CDROM Access Creative Service for running auto
`binary: C:\WINDOWS\System32\CTsvcCDA.exe
*Cryptographic Services CryptSvc running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*DHCP Client Dhcp running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Logical Disk Manager Administrative Service dmadmin - on demand
`binary: C:\WINDOWS\System32\dmadmin.exe /com
*Logical Disk Manager dmserver - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*DNS Client Dnscache running auto
`binary: C:\WINDOWS\System32\svchost.exe -k NetworkService
*Error Reporting Service ERSvc running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Event Log Eventlog running auto
`binary: C:\WINDOWS\system32\services.exe
*COM+ Event System EventSystem running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Fast User Switching Compatibility FastUserSwitchingCom running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Fax Fax - auto
`binary: C:\WINDOWS\system32\fxssvc.exe
*Help and Support helpsvc running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Human Interface Device Access HidServ - disabled
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*IMAPI CD-Burning COM Service ImapiService - on demand
`binary: C:\WINDOWS\System32\imapi.exe
*Server lanmanserver running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Workstation lanmanworkstation running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*LexBce Server LexBceS running auto
`binary: C:\WINDOWS\system32\LEXBCES.EXE
*TCP/IP NetBIOS Helper LmHosts running auto
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Messenger Messenger - disabled
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
`binary: C:\WINDOWS\System32\mnmsrvc.exe
*Distributed Transaction Coordinator MSDTC - on demand
`binary: C:\WINDOWS\System32\msdtc.exe
*Windows Installer MSIServer - on demand
`binary: C:\WINDOWS\System32\msiexec.exe /V
*Norton AntiVirus Auto-Protect Service navapsvc running auto
`binary: "C:\Program Files\Norton AntiVirus\navapsvc.exe"
*Network DDE NetDDE - on demand
`binary: C:\WINDOWS\system32\netdde.exe
*Network DDE DSDM NetDDEdsdm - on demand
`binary: C:\WINDOWS\system32\netdde.exe
*Net Logon Netlogon - on demand
`binary: C:\WINDOWS\System32\lsass.exe
*Network Connections Netman running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Intel NCS NetService NetSvc - on demand
`binary: C:\Program Files\Intel\NCS\Sync\NetSvc.exe
*Network Location Awareness (NLA) Nla running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Norton AntiVirus Firewall Monitor Service NPFMntor running auto
`binary: C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
*NT LM Security Support Provider NtLmSsp - on demand
`binary: C:\WINDOWS\System32\lsass.exe
*Removable Storage NtmsSvc - on demand
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*NVIDIA Display Driver Service NVSvc running auto
`binary: C:\WINDOWS\System32\nvsvc32.exe
*Plug and Play PlugPlay running auto
`binary: C:\WINDOWS\system32\services.exe
*IPSEC Services PolicyAgent running auto
`binary: C:\WINDOWS\System32\lsass.exe
*Protected Storage ProtectedStorage running auto
`binary: C:\WINDOWS\system32\lsass.exe
*Remote Access Auto Connection Manager RasAuto - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Access Connection Manager RasMan running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Desktop Help Session Manager RDSessMgr - on demand
`binary: C:\WINDOWS\system32\sessmgr.exe
*Routing and Remote Access RemoteAccess - disabled
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
`binary: C:\WINDOWS\System32\locator.exe
*Remote Procedure Call (RPC) RpcSs running auto
`binary: C:\WINDOWS\system32\svchost -k rpcss
*QoS RSVP RSVP - on demand
`binary: C:\WINDOWS\System32\rsvp.exe
*Security Accounts Manager SamSs running auto
`binary: C:\WINDOWS\system32\lsass.exe
*SAVScan SAVScan - on demand
`binary: C:\Program Files\Norton AntiVirus\SAVScan.exe
*ScriptBlocking Service SBService - auto
`binary: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
*Smart Card Helper SCardDrv - on demand
`binary: C:\WINDOWS\System32\SCardSvr.exe
*Smart Card SCardSvr - on demand
`binary: C:\WINDOWS\System32\SCardSvr.exe
*Task Scheduler Schedule running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Secondary Logon seclogon running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*System Event Notification SENS running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Shell Hardware Detection ShellHWDetection running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Symantec Network Drivers Service SNDSrvc running auto
`binary: C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
*Symantec SPBBCSvc SPBBCSvc running auto
`binary: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
*Print Spooler Spooler running auto
`binary: C:\WINDOWS\system32\spoolsv.exe
*System Restore Service srservice running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*SSDP Discovery Service SSDPSRV running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Windows Image Acquisition (WIA) stisvc running auto
`binary: C:\WINDOWS\System32\svchost.exe -k imgsvc
*MS Software Shadow Copy Provider SwPrv - on demand
`binary: C:\WINDOWS\System32\dllhost.exe /Processid:{F79A1568-D6C5-4C69-A086-936CF52DBBE3}
*Symantec Core LC Symantec Core LC running auto
`binary: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
*Performance Logs and Alerts SysmonLog - on demand
`binary: C:\WINDOWS\system32\smlogsvc.exe
*Telephony TapiSrv running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Terminal Services TermService running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Themes Themes running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Distributed Link Tracking Client TrkWks running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Upload Manager uploadmgr running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Universal Plug and Play Device Host upnphost - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Uninterruptible Power Supply UPS - on demand
`binary: C:\WINDOWS\System32\ups.exe
*Volume Shadow Copy VSS - on demand
`binary: C:\WINDOWS\System32\vssvc.exe
*Windows Time w32time running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*WebClient WebClient running auto
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Windows Management Instrumentation winmgmt running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*WMDM PMSP Service WMDM PMSP Service running auto
`binary: C:\WINDOWS\System32\MsPMSPSv.exe
*Portable Media Serial Number WmdmPmSp running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*WMI Performance Adapter WmiApSrv - on demand
`binary: C:\WINDOWS\System32\wbem\wmiapsrv.exe
*Automatic Updates wuauserv running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Wireless Zero Configuration WZCSVC running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
»NT Kernel- and FS-drivers
*Abiosdsk Abiosdsk - disabled
`binary:
*abp480n5 abp480n5 - disabled
`binary: \SystemRoot\System32\DRIVERS\ABP480N5.SYS
*Microsoft ACPI Driver ACPI running boot
`binary: \SystemRoot\System32\DRIVERS\ACPI.sys
*ACPIEC ACPIEC - disabled
`binary:
*adpu160m adpu160m - disabled
`binary: \SystemRoot\System32\DRIVERS\adpu160m.sys
*Microsoft Kernel Acoustic Echo Canceller aec - on demand
`binary: system32\drivers\aec.sys
*AFD Networking Support Environment AFD running auto
`binary: \SystemRoot\System32\drivers\afd.sys
*Intel AGP Bus Filter agp440 running boot
`binary: \SystemRoot\System32\DRIVERS\agp440.sys
*Compaq AGP Bus Filter agpCPQ - disabled
`binary: \SystemRoot\System32\DRIVERS\agpCPQ.sys
*Aha154x Aha154x - disabled
`binary: \SystemRoot\System32\DRIVERS\aha154x.sys
*aic78u2 aic78u2 - disabled
`binary: \SystemRoot\System32\DRIVERS\aic78u2.sys
*aic78xx aic78xx - disabled
`binary: \SystemRoot\System32\DRIVERS\aic78xx.sys
*AliIde AliIde - disabled
`binary: \SystemRoot\System32\DRIVERS\aliide.sys
*ALI AGP Bus Filter alim1541 - disabled
`binary: \SystemRoot\System32\DRIVERS\alim1541.sys
*AMD AGP Bus Filter Driver amdagp - disabled
`binary: \SystemRoot\System32\DRIVERS\amdagp.sys
*amsint amsint - disabled
`binary: \SystemRoot\System32\DRIVERS\amsint.sys
*asc asc - disabled
`binary: \SystemRoot\System32\DRIVERS\asc.sys
*asc3350p asc3350p - disabled
`binary: \SystemRoot\System32\DRIVERS\asc3350p.sys
*asc3550 asc3550 - disabled
`binary: \SystemRoot\System32\DRIVERS\asc3550.sys
*Aspi32 Aspi32 running auto
`binary:
*RAS Asynchronous Media Driver AsyncMac - on demand
`binary: System32\DRIVERS\asyncmac.sys
*Standard IDE/ESDI Hard Disk Controller atapi running boot
`binary: \SystemRoot\System32\DRIVERS\atapi.sys
*Atdisk Atdisk - disabled
`binary:
*ATM ARP Client Protocol Atmarpc - on demand
`binary: System32\DRIVERS\atmarpc.sys
*Audio Stub Driver audstub running on demand
`binary: System32\DRIVERS\audstub.sys
*Beep Beep running system
`binary:
*bvrp_pci bvrp_pci - on demand
`binary:
*cbidf cbidf - disabled
`binary: \SystemRoot\System32\DRIVERS\cbidf2k.sys
*cbidf2k cbidf2k - disabled
`binary:
*Closed Caption Decoder CCDECODE - on demand
`binary: System32\DRIVERS\CCDECODE.sys
*cd20xrnt cd20xrnt - disabled
`binary: \SystemRoot\System32\DRIVERS\cd20xrnt.sys
*Cdaudio Cdaudio - system
`binary:
*Cdfs Cdfs running disabled
`binary:
*CD-ROM Driver Cdrom running system
`binary: System32\DRIVERS\cdrom.sys
*Changer Changer - system
`binary:
*CmdIde CmdIde - disabled
`binary: \SystemRoot\System32\DRIVERS\cmdide.sys
*Cpqarray Cpqarray - disabled
`binary: \SystemRoot\System32\DRIVERS\cpqarray.sys
*dac2w2k dac2w2k - disabled
`binary: \SystemRoot\System32\DRIVERS\dac2w2k.sys
*DAC2W2Ke DAC2W2Ke running auto
`binary: \??\C:\WINDOWS\System32\drivers\DAC2W2Ke.sys
*dac960nt dac960nt - disabled
`binary: \SystemRoot\System32\DRIVERS\dac960nt.sys
*Disk Driver Disk running boot
`binary: \SystemRoot\System32\DRIVERS\disk.sys
*dmboot dmboot - disabled
`binary: System32\drivers\dmboot.sys
*dmio dmio - disabled
`binary: System32\drivers\dmio.sys
*dmload dmload - disabled
`binary: System32\drivers\dmload.sys
*Microsoft Kernel DLS Syntheiszer DMusic - on demand
`binary: system32\drivers\DMusic.sys
*dpti2o dpti2o - disabled
`binary: \SystemRoot\System32\DRIVERS\dpti2o.sys
*Microsoft Kernel DRM Audio Descrambler drmkaud - on demand
`binary: system32\drivers\drmkaud.sys
*drvmcdb drvmcdb running boot
`binary: \SystemRoot\system32\drivers\drvmcdb.sys
*drvnddm drvnddm running auto
`binary: system32\drivers\drvnddm.sys
*Intel® PRO Adapter Driver E100B running on demand
`binary: System32\DRIVERS\e100b325.sys
*3Com EtherLink XL 90XB/C Adapter Driver EL90XBC - on demand
`binary: System32\DRIVERS\el90xbc5.sys
*Fastfat Fastfat running disabled
`binary:
*Floppy Disk Controller Driver Fdc running on demand
`binary: System32\DRIVERS\fdc.sys
*Fips Fips running system
`binary:
*Floppy Disk Driver Flpydisk running on demand
`binary: System32\DRIVERS\flpydisk.sys
*Volume Manager Driver Ftdisk running boot
`binary: \SystemRoot\System32\DRIVERS\ftdisk.sys
*Game Port Enumerator gameenum running on demand
`binary: System32\DRIVERS\gameenum.sys
*Generic Packet Classifier Gpc running on demand
`binary: System32\DRIVERS\msgpc.sys
*Microsoft HID Class Driver HidUsb - on demand
`binary: System32\DRIVERS\hidusb.sys
*hpn hpn - disabled
`binary: \SystemRoot\System32\DRIVERS\hpn.sys
*HSFHWBS2 HSFHWBS2 running on demand
`binary: System32\DRIVERS\HSFHWBS2.sys
*HSF_DP HSF_DP running on demand
`binary: System32\DRIVERS\HSF_DP.sys
*i2omgmt i2omgmt running system
`binary:
*i2omp i2omp - disabled
`binary: \SystemRoot\System32\DRIVERS\i2omp.sys
*i8042 Keyboard and PS/2 Mouse Port Driver i8042prt running system
`binary: System32\DRIVERS\i8042prt.sys
*i81x i81x - on demand
`binary: System32\DRIVERS\i81xnt5.sys
*iAimFP0 iAimFP0 - on demand
`binary: System32\DRIVERS\wADV01nt.sys
*iAimFP1 iAimFP1 - on demand
`binary: System32\DRIVERS\wADV02NT.sys
*iAimFP2 iAimFP2 - on demand
`binary: System32\DRIVERS\wADV05NT.sys
*iAimFP3 iAimFP3 - on demand
`binary: System32\DRIVERS\wSiINTxx.sys
*iAimFP4 iAimFP4 - on demand
`binary: System32\DRIVERS\wVchNTxx.sys
*iAimTV0 iAimTV0 - on demand
`binary: System32\DRIVERS\wATV01nt.sys
*iAimTV1 iAimTV1 - on demand
`binary: System32\DRIVERS\wATV02NT.sys
*iAimTV2 iAimTV2 - on demand
`binary: System32\DRIVERS\wATV03nt.sys
*iAimTV3 iAimTV3 - on demand
`binary: System32\DRIVERS\wATV04nt.sys
*iAimTV4 iAimTV4 - on demand
`binary: System32\DRIVERS\wCh7xxNT.sys
*ialm ialm - on demand
`binary: System32\DRIVERS\ialmnt5.sys
*CD-Burning Filter Driver Imapi running system
`binary: System32\DRIVERS\imapi.sys
*ini910u ini910u - disabled
`binary: \SystemRoot\System32\DRIVERS\ini910u.sys
*IntelIde IntelIde - disabled
`binary: \SystemRoot\System32\DRIVERS\intelide.sys
*IP Traffic Filter Driver IpFilterDriver - on demand
`binary: System32\DRIVERS\ipfltdrv.sys
*IP in IP Tunnel Driver IpInIp - on demand
`binary: System32\DRIVERS\ipinip.sys
*IP Network Address Translator IpNat - on demand
`binary: System32\DRIVERS\ipnat.sys
*IPSEC driver IPSec running system
`binary: System32\DRIVERS\ipsec.sys
*IR Enumerator Service IRENUM - on demand
`binary: System32\DRIVERS\irenum.sys
*PnP ISA/EISA Bus Driver isapnp running boot
`binary: \SystemRoot\System32\DRIVERS\isapnp.sys
*Keyboard Class Driver Kbdclass running system
`binary: System32\DRIVERS\kbdclass.sys
*kbeepm kbeepm - on demand
`binary: \??\C:\DOCUME~1\Ben\LOCALS~1\Temp\kbeepm.sys
*Microsoft Kernel Wave Audio Mixer kmixer running on demand
`binary: system32\drivers\kmixer.sys
*KSecDD KSecDD running boot
`binary:
*lbrtfdc lbrtfdc - system
`binary:
*mdmxsdk mdmxsdk running auto
`binary: System32\DRIVERS\mdmxsdk.sys
*LMMngr memlow running auto
`binary: \??\C:\WINDOWS\System32\memlow.sys
*mnmdd mnmdd running system
`binary:
*Modem Modem running on demand
`binary:
*Mouse Class Driver Mouclass running system
`binary: System32\DRIVERS\mouclass.sys
*MountMgr MountMgr running boot
`binary:
*mraid35x mraid35x - disabled
`binary: \SystemRoot\System32\DRIVERS\mraid35x.sys
*WebDav Client Redirector MRxDAV running on demand
`binary: System32\DRIVERS\mrxdav.sys
*MRxSmb MRxSmb running system
`binary: System32\DRIVERS\mrxsmb.sys
*Msfs Msfs running system
`binary:
*Microsoft Streaming Service Proxy MSKSSRV - on demand
`binary: system32\drivers\MSKSSRV.sys
*Microsoft Streaming Clock Proxy MSPCLOCK - on demand
`binary: system32\drivers\MSPCLOCK.sys
*Microsoft Streaming Quality Manager Proxy MSPQM - on demand
`binary: system32\drivers\MSPQM.sys
*Microsoft Streaming Tee/Sink-to-Sink Converter MSTEE - on demand
`binary: system32\drivers\MSTEE.sys
*Mup Mup running boot
`binary:
*MxlW2k MxlW2k running on demand
`binary:
*NABTS/FEC VBI Codec NABTSFEC - on demand
`binary: System32\DRIVERS\NABTSFEC.sys
*NAVENG NAVENG running on demand
`binary: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050504.016\NAVENG.Sys
*NAVEX15 NAVEX15 running on demand
`binary: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050504.016\NavEx15.Sys
*NDIS System Driver NDIS running boot
`binary:
*Microsoft TV/Video Connection NdisIP - on demand
`binary: System32\DRIVERS\NdisIP.sys
*Remote Access NDIS TAPI Driver NdisTapi running on demand
`binary: System32\DRIVERS\ndistapi.sys
*NDIS Usermode I/O Protocol Ndisuio running on demand
`binary: System32\DRIVERS\ndisuio.sys
*Remote Access NDIS WAN Driver NdisWan running on demand
`binary: System32\DRIVERS\ndiswan.sys
*NDIS Proxy NDProxy running on demand
`binary:
*NetBIOS Interface NetBIOS running system
`binary: System32\DRIVERS\netbios.sys
*NetBT NetBT running system
`binary: System32\DRIVERS\netbt.sys
*Npfs Npfs running system
`binary:
*Ntfs Ntfs running disabled
`binary:
*Null Null running system
`binary:
*nv nv running on demand
`binary: System32\DRIVERS\nv4_mini.sys
*IPX Traffic Filter Driver NwlnkFlt - on demand
`binary: System32\DRIVERS\nwlnkflt.sys
*IPX Traffic Forwarder Driver NwlnkFwd - on demand
`binary: System32\DRIVERS\nwlnkfwd.sys
*OMCI WDM Device Driver omci running system
`binary: System32\DRIVERS\omci.sys
*Creative SB Live! Series (WDM) P16X running on demand
`binary: system32\drivers\P16X.sys
*Intel PentiumIII Processor Driver P3 - system
`binary: System32\DRIVERS\p3.sys
*Parallel port driver Parport running on demand
`binary: System32\DRIVERS\parport.sys
*PartMgr PartMgr running boot
`binary:
*ParVdm ParVdm running auto
`binary:
*PCI Bus Driver PCI running boot
`binary: \SystemRoot\System32\DRIVERS\pci.sys
*PCIDump PCIDump - system
`binary:
*PCIIde PCIIde running boot
`binary: \SystemRoot\System32\DRIVERS\pciide.sys
*Pcmcia Pcmcia - disabled
`binary:
*PDCOMP PDCOMP - on demand
`binary:
*PDFRAME PDFRAME - on demand
`binary:
*PDRELI PDRELI - on demand
`binary:
*PDRFRAME PDRFRAME - on demand
`binary:
*perc2 perc2 - disabled
`binary: \SystemRoot\System32\DRIVERS\perc2.sys
*perc2hib perc2hib - disabled
`binary: \SystemRoot\System32\DRIVERS\perc2hib.sys
*PfModNT PfModNT running auto
`binary: \??\C:\WINDOWS\System32\PfModNT.sys
*WAN Miniport (PPTP) PptpMiniport running on demand
`binary: System32\DRIVERS\raspptp.sys
*Processor Driver Processor running system
`binary: System32\DRIVERS\processr.sys
*QoS Packet Scheduler PSched running on demand
`binary: System32\DRIVERS\psched.sys
*Direct Parallel Link Driver Ptilink running on demand
`binary: System32\DRIVERS\ptilink.sys
*PxHelp20 PxHelp20 running boot
`binary: \SystemRoot\System32\DRIVERS\PxHelp20.sys
*ql1080 ql1080 - disabled
`binary: \SystemRoot\System32\DRIVERS\ql1080.sys
*Ql10wnt Ql10wnt - disabled
`binary: \SystemRoot\System32\DRIVERS\ql10wnt.sys
*ql12160 ql12160 - disabled
`binary: \SystemRoot\System32\DRIVERS\ql12160.sys
*ql1240 ql1240 - disabled
`binary: \SystemRoot\System32\DRIVERS\ql1240.sys
*ql1280 ql1280 - disabled
`binary: \SystemRoot\System32\DRIVERS\ql1280.sys
*Remote Access Auto Connection Driver RasAcd running system
`binary: System32\DRIVERS\rasacd.sys
*WAN Miniport (L2TP) Rasl2tp running on demand
`binary: System32\DRIVERS\rasl2tp.sys
*Remote Access PPPOE Driver RasPppoe running on demand
`binary: System32\DRIVERS\raspppoe.sys
*Direct Parallel Raspti running on demand
`binary: System32\DRIVERS\raspti.sys
*Rdbss Rdbss running system
`binary: System32\DRIVERS\rdbss.sys
*RDPCDD RDPCDD running system
`binary: System32\DRIVERS\RDPCDD.sys
*Terminal Server Device Redirector Driver rdpdr - on demand
`binary: System32\DRIVERS\rdpdr.sys
*RDPWD RDPWD - on demand
`binary:
*Digital CD Audio Playback Filter Driver redbook running system
`binary: System32\DRIVERS\redbook.sys
*SAVRT SAVRT running on demand
`binary: \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS
*SAVRTPEL SAVRTPEL running system
`binary: \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS
*Secdrv Secdrv running auto
`binary: System32\DRIVERS\secdrv.sys
*Serenum Filter Driver serenum running on demand
`binary: System32\DRIVERS\serenum.sys
*Serial port driver Serial running system
`binary: System32\DRIVERS\serial.sys
*Sfloppy Sfloppy - system
`binary:
*Simbad Simbad - disabled
`binary:
*SIS AGP Bus Filter sisagp - disabled
`binary: \SystemRoot\System32\DRIVERS\sisagp.sys
*BDA Slip De-Framer SLIP - on demand
`binary: System32\DRIVERS\SLIP.sys
*Sparrow Sparrow - disabled
`binary: \SystemRoot\System32\DRIVERS\sparrow.sys
*SPBBCDrv SPBBCDrv running system
`binary: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
*Microsoft Kernel Audio Splitter splitter - on demand
`binary: system32\drivers\splitter.sys
*System Restore Filter Driver sr running boot
`binary: \SystemRoot\System32\DRIVERS\sr.sys
*Srv Srv running on demand
`binary: System32\DRIVERS\srv.sys
*sscdbhk5 sscdbhk5 running system
`binary: system32\drivers\sscdbhk5.sys
*ssrtln ssrtln running system
`binary: system32\drivers\ssrtln.sys
*STEC3 STEC3 running auto
`binary: \??\C:\WINDOWS\System32\STEC3.sys
*BDA IPSink streamip - on demand
`binary: System32\DRIVERS\StreamIP.sys
*Software Bus Driver swenum running on demand
`binary: System32\DRIVERS\swenum.sys
*Microsoft Kernel GS Wavetable Synthesizer swmidi - on demand
`binary: system32\drivers\swmidi.sys
*symc810 symc810 - disabled
`binary: \SystemRoot\System32\DRIVERS\symc810.sys
*symc8xx symc8xx - disabled
`binary: \SystemRoot\System32\DRIVERS\symc8xx.sys
*SYMDNS SYMDNS running on demand
`binary: \SystemRoot\System32\Drivers\SYMDNS.SYS
*SymEvent SymEvent running on demand
`binary: \??\C:\Program Files\Symantec\SYMEVENT.SYS
*SYMFW SYMFW running on demand
`binary: \SystemRoot\System32\Drivers\SYMFW.SYS
*SYMIDS SYMIDS running on demand
`binary: \SystemRoot\System32\Drivers\SYMIDS.SYS
*SYMIDSCO SYMIDSCO running on demand
`binary: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20041209.018\symidsco.sys
*symlcbrd symlcbrd running auto
`binary: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys
*SYMNDIS SYMNDIS running on demand
`binary: \SystemRoot\System32\Drivers\SYMNDIS.SYS
*SYMREDRV SYMREDRV running on demand
`binary: \SystemRoot\System32\Drivers\SYMREDRV.SYS
*SYMTDI SYMTDI running system
`binary: \SystemRoot\System32\Drivers\SYMTDI.SYS
*sym_hi sym_hi - disabled
`binary: \SystemRoot\System32\DRIVERS\sym_hi.sys
*sym_u3 sym_u3 - disabled
`binary: \SystemRoot\System32\DRIVERS\sym_u3.sys
*Microsoft Kernel System Audio Device sysaudio running on demand
`binary: system32\drivers\sysaudio.sys
*TCP/IP Protocol Driver Tcpip running system
`binary: System32\DRIVERS\tcpip.sys
*TDPIPE TDPIPE - on demand
`binary:
*TDTCP TDTCP - on demand
`binary:
*Terminal Device Driver TermDD running system
`binary: System32\DRIVERS\termdd.sys
*tfsnboio tfsnboio running auto
`binary: system32\dla\tfsnboio.sys
*tfsncofs tfsncofs running auto
`binary: system32\dla\tfsncofs.sys
*tfsndrct tfsndrct running auto
`binary: system32\dla\tfsndrct.sys
*tfsndres tfsndres running auto
`binary: system32\dla\tfsndres.sys
*tfsnifs tfsnifs running auto
`binary: system32\dla\tfsnifs.sys
*tfsnopio tfsnopio running auto
`binary: system32\dla\tfsnopio.sys
*tfsnpool tfsnpool running auto
`binary: system32\dla\tfsnpool.sys
*tfsnudf tfsnudf running auto
`binary: system32\dla\tfsnudf.sys
*tfsnudfa tfsnudfa running auto
`binary: system32\dla\tfsnudfa.sys
*TosIde TosIde - disabled
`binary: \SystemRoot\System32\DRIVERS\toside.sys
*Udfs Udfs - disabled
`binary:
*ultra ultra - disabled
`binary: \SystemRoot\System32\DRIVERS\ultra.sys
*Microcode Update Driver Update running on demand
`binary: System32\DRIVERS\update.sys
*USB Audio Driver (WDM) usbaudio - on demand
`binary: system32\drivers\usbaudio.sys
*Microsoft USB Generic Parent Driver usbccgp - on demand
`binary: System32\DRIVERS\usbccgp.sys
*USB Cable Modem 351000 NDIS Driver usbcm - on demand
`binary: System32\DRIVERS\usbcm.sys
*Microsoft USB 2.0 Enhanced Host Controller Mini usbehci running on demand
`port Driver
`binary: System32\DRIVERS\usbehci.sys
*USB2 Enabled Hub usbhub running on demand
`binary: System32\DRIVERS\usbhub.sys
*Microsoft USB PRINTER Class usbprint running on demand
`binary: System32\DRIVERS\usbprint.sys
*USB Mass Storage Driver USBSTOR - on demand
`binary: System32\DRIVERS\USBSTOR.SYS
*Microsoft USB Universal Host Controller Minipor usbuhci running on demand
`t Driver
`binary: System32\DRIVERS\usbuhci.sys
*USB Video Device (WDM) usbvideo - on demand
`binary: System32\Drivers\usbvideo.sys
*MemDRV vdnt32 - system
`binary: \??\C:\WINDOWS\System32\vdnt32.sys
*VgaSave VgaSave running system
`binary: \SystemRoot\System32\drivers\vga.sys
*VIA AGP Bus Filter viaagp - disabled
`binary: \SystemRoot\System32\DRIVERS\viaagp.sys
*ViaIde ViaIde - disabled
`binary: \SystemRoot\System32\DRIVERS\viaide.sys
*VolSnap VolSnap running boot
`binary:
*Remote Access IP ARP Driver Wanarp running on demand
`binary: System32\DRIVERS\wanarp.sys
*WDICA WDICA - on demand
`binary:
*Microsoft WINMM WDM Audio Compatibility Driver wdmaud running on demand
`binary: system32\drivers\wdmaud.sys
*winachsf winachsf running on demand
`binary: System32\DRIVERS\HSF_CNXT.sys
*World Standard Teletext Codec WSTCODEC - on demand
`binary: System32\DRIVERS\WSTCODEC.SYS
*Intel® Graphics Platform (SoftBIOS) Driver {6080A529-897E-4629- - on demand
`binary: system32\drivers\ialmsbw.sys
*Intel® Graphics Chipset (KCH) Driver {D31A0762-0CEB-444e- - on demand
`binary: system32\drivers\ialmkchw.sys
»Application specific

Hope that helps

Cheers
Ben
  • 0

#6
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi benoakes

Sorry for my late reply.

http://www.atribune....oads/locate.zip
UNZIP the contents to that newly created folder
Open the Locate folder and Double click to run Locate.bat
Now copy the locate log and post back here

Kc :tazz:
  • 0

#7
benoakes

benoakes

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Kc

Report.txt contains the following.

C:\WINDOWS\SYSTEM32\DRIVERS\DAC2W2KE.SYS
C:\DOCUME~1\JULIE\LOCALS~1\TEMP\KBEEPM.SYS


Ben
  • 0

#8
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi benoakes

Please read through the instructions before you start (you may want to print this out).

Lets see if this will finds any hidden Trojan’s http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
when first run the program will auto-update, don't run yet.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!
http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin.

Reboot into Safe Mode: Click here if you don't know how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com

Click on Fix Checked when finished and exit HijackThis.

Run ewido now do a full scan when scan is finnished post the log.

Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.
C:\WINDOWS\System32\drivers\DAC2W2Ke.sys

Reboot as normal.

Download the Hoster from here Press "Restore Original Hosts. and press "OK". Exit Program.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#9
benoakes

benoakes

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Kc

I did as you instructed, although ewido actually removed DAC2w2Ke.sys, as well as several Trojans, so there was no need to killbox it. Following a couple of reboots it's not reappeared and the same is true for stsheets and rl.webtracer.cc registry entries.

Panda virus scan didn't find anything else, so I think I'm in the clear. Thanks very much for your help. Just in case, here's a current HijackThis log.

Ben

Logfile of HijackThis v1.99.1
Scan saved at 22:04:00, on 09/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve...rch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115238743875
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#10
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi benoakes

have HJT fix the following O19 - User stylesheet: (file missing)

Congratulations! Your system is CLEAN ;)

Download the Microsoft Antispyware Free

ewido Trojan’s removal tool free

SpyBot Search & Destroy v1.3

Winpatrol Free

Ad-Aware SE Personal Edition Free

Turn of system restore
Disabling or enabling Windows XP System Restore

Defrag your hard drive. Turn system restore back on and create a new restore point.

Tony Klien: So how did I get infected in the first place

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox.
http://www.mozilla.o...oducts/firefox/
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .
You can download Sun's newer JVM for Windows at http://java.sun.com/getjava/index.html.
http://www.java.com/...load/manual.jsp Windows (Offline Installation)

After doing all these, your system will be thoroughly protected from future threats. 8)

Kc :tazz:
  • 0

#11
Guest_thatman_*

Guest_thatman_*
  • Guest
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP