If you do not see one of the bogus services listed in Step 4 of this removal guide, please do the following:

First, try hard-rebooting back to Safe Mode, and check the services control panel again (in other words, repeat Step 4 in Safe Mode.) If you find one of the listed services now, stop it and disable it. Then skip to Step 7.

If you still do not see one of the listed bogus services, please stay in Normal Mode, and download the file attached to this post, "Get Active Services." Unzip that to the same folder you have Hijack This in. Run the program "get active services.vbs" This is a Visual Basic Script. Your antii-virus software may be set to warn you if VBS scripts run (Norton Anti-Virus will pop-up a warning.) Tell your anti-virus software to "authorize" or "allow" this script.

The script will scan your services, and generate a text file called Active.txt.

Scan the text file for any of the three services listed above. They will appear like this:


Network Security Service: �O.#������´�
"C:\WINDOWS\ipyt32.exe" /s

or

Workstation NetLogon Service: �O.#������´�
"C:\WINDOWS\ipyt32.exe" /s

or

Remote Procedure Call (RPC) Helper: �O.#������´�
"C:\WINDOWS\ipyt32.exe" /s

The actual file name will be different, and will match one of the 04 RUN enties in your HJT Log. But the funny characters displayed after the service is name is (so far) the giveaway, they appear after each of the bogus services.

Now you know for certain the service name on your computer. Go back to Step 4 of the removal guide, enter the services control panel, and look again for the service name you just found. Stop it and disable it as instructed.

Note: Some users have reported having trouble using the Active Processes script. If you have trouble, you can check your services through Hijack This. Run HJT. Click on Config -> Misc Tools. Check off the 2 options under the button that says "Generate StartupList Log", then click the button itself. Generate that log, save it as a text file, and then examine that log. It is a very long and detailed log, but scroll down until you see the line "Enumerating Windows NT/2000/XP services"

That section will show you all of the serivces on your computer, active or inactive. With a startuplist log from HJT, the bogus service will not have the strange characters behind the name. However, look for the names of the known bad services, and keep an eye out for the exe file attached to the service. If you see one that matches the HSA name pattern attached to one of the known bad service, it will be your problem entry. An example:

Remote Procedure Call (RPC) Helper: C:\WINDOWS\system32\atlkb32.exe /s (autostart)


If you still have trouble identifying the service, take the text file from Get Active Services (or HJT's startuplist log if you had to use it instead, register for our forums, and post the services log file in the Security - Spyware / Virus / Trojan forum, along with your HJT scan. Either attach the text as a file attachment to the post, or copy and paste the raw text data into the post. We will help you identify the service, and if it is a new one, we will add it to the guide.

Dexter...