Getting grumpy!

Two issues...
1) I've run the removal steps 4 times now, and every time the thing is still there and has copied itself. I started out with 12 items, now I'm up to 19 (in HJT).
2) About Buster doesn't run once I click OK. It says it is idle and has nothing to scan.

Here's my latest HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 12:34:06 PM, on 8/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\NALNTSRV.EXE
C:\NOVELL\ZENRC\wuser32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\sysjb.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\System32\wm.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\system32\apphl32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Novell\GroupWise\Notify.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydovr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydovr.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydovr.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ydovr.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydovr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydovr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydovr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydovr.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydovr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search-all-fast.com/pop/popup6.php?pin=37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C59125DF-029B-6A6C-6A20-25059899CD06} - C:\WINDOWS\winwf.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [apphl32.exe] C:\WINDOWS\system32\apphl32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [d3jf.exe] C:\WINDOWS\d3jf.exe
O4 - HKLM\..\RunOnce: [apphq.exe] C:\WINDOWS\system32\apphq.exe
O4 - HKLM\..\RunOnce: [addft.exe] C:\WINDOWS\system32\addft.exe
O4 - HKLM\..\RunOnce: [ipzv32.exe] C:\WINDOWS\system32\ipzv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00719/sb026.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C32DAF20-8F11-4B18-A218-8D08E7275B36}: NameServer = 10.1.1.1


I know my big issue is ydovr.dll and there are some other suspicious ones in there, but every time HJT says it deleted them, they return. Can you help a poor guy out?

Bill

Comments

  • Dexter (Vancouver, BC Canada)
    edited August 2004
    A few other folks have had some trouble with about:buster, but we can skip that part and just use HJT, but first we need to ID your problem service name.

    Please refer to Post# 2 of the removal guide to generate a log of your active service, in Normal Mode, and paste it here for review.

    Dexter...
  • edited August 2004
    These are the Current Active Services:

    Windows Audio: AudioSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Computer Browser: Browser
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Cryptographic Services: CryptSvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    DHCP Client: Dhcp
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Logical Disk Manager: dmserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Error Reporting Service: ERSvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COM+ Event System: EventSystem
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Fast User Switching Compatibility: FastUserSwitchingCompatibility
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Help and Support: helpsvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Server: lanmanserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Workstation: lanmanworkstation
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Messenger: Messenger
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Connections: Netman
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Location Awareness (NLA): Nla
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Task Scheduler: Schedule
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Secondary Logon: seclogon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    System Event Notification: SENS
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Shell Hardware Detection: ShellHWDetection
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Terminal Services: TermService
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Themes: Themes
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Distributed Link Tracking Client: TrkWks
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Upload Manager: uploadmgr
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Time: W32Time
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Management Instrumentation: winmgmt
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Automatic Updates: wuauserv
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Wireless Zero Configuration: WZCSVC
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    DNS Client: Dnscache
    C:\WINDOWS\System32\svchost.exe -k NetworkService

    Event Log: Eventlog
    C:\WINDOWS\system32\services.exe

    Plug and Play: PlugPlay
    C:\WINDOWS\system32\services.exe

    iPod Service: iPodService
    C:\Program Files\iPod\bin\iPodService.exe

    TCP/IP NetBIOS Helper: LmHosts
    C:\WINDOWS\System32\svchost.exe -k LocalService

    Remote Registry: RemoteRegistry
    C:\WINDOWS\system32\svchost.exe -k LocalService

    SSDP Discovery Service: SSDPSRV
    C:\WINDOWS\System32\svchost.exe -k LocalService

    WebClient: WebClient
    C:\WINDOWS\System32\svchost.exe -k LocalService

    Novell Application Launcher: NALNTSERVICE
    C:\WINDOWS\System32\NALNTSRV.EXE

    Remote management: Novell WUser Agent
    C:\NOVELL\ZENRC\wuser32.exe

    NVIDIA Driver Helper Service: NVSvc
    C:\WINDOWS\System32\nvsvc32.exe

    Network Security Service: O?’ŽrtñåȲ$Ó
    C:\WINDOWS\sysjb.exe /s

    IPSEC Services: PolicyAgent
    C:\WINDOWS\System32\lsass.exe

    Protected Storage: ProtectedStorage
    C:\WINDOWS\system32\lsass.exe

    Security Accounts Manager: SamSs
    C:\WINDOWS\system32\lsass.exe

    Remote Procedure Call (RPC): RpcSs
    C:\WINDOWS\system32\svchost -k rpcss

    Print Spooler: Spooler
    C:\WINDOWS\system32\spoolsv.exe

    Sophos Anti-Virus Network: SweepNet
    "C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE"

    Sophos Anti-Virus: SWEEPSRV.SYS
    "C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS"

    Novell Workstation Manager: WM
    C:\WINDOWS\System32\wm.exe

    WUOLservice: WUOLService
    C:\NOVELL\ZENRC\WUOLService.exe

    Here's a listing of the active services on my computer.
  • Dexter (Vancouver, BC Canada)
    edited August 2004
    This guy is your problem:

    Network Security Service: O?’ŽrtñåȲ$Ó
    C:\WINDOWS\sysjb.exe /s


    You need to follow Step 6 of the Removal guide, in Normal Mode, and stop that service, then disable it.

    Once that is done, hard boot to Safe mode, and continue on with Step 7 on.

    ///EDIT: actually, I just revised the guide, Step 6 has now become Step 4, so that users should now always check for the services in Normal Mode. So go do step 4, knowing that you have the bogus Network Security Service on your system.

    Dexter...
  • edited August 2004
    After doing that, it still came up as my Internet Home page. And here is my latest scan of HJT in Normal Mode immediately after hard boot.


    Logfile of HijackThis v1.98.2
    Scan saved at 2:19:49 PM, on 8/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\NALNTSRV.EXE
    C:\NOVELL\ZENRC\wuser32.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
    C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
    C:\WINDOWS\System32\wm.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\d3jf.exe
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\WINDOWS\system32\apphl32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\dpmw32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\sysjb.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    C:\Novell\GroupWise\Notify.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydovr.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydovr.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydovr.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ydovr.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydovr.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydovr.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydovr.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydovr.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydovr.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search-all-fast.com/pop/popup6.php?pin=37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {C59125DF-029B-6A6C-6A20-25059899CD06} - C:\WINDOWS\winwf.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [apphl32.exe] C:\WINDOWS\system32\apphl32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunOnce: [d3jf.exe] C:\WINDOWS\d3jf.exe
    O4 - HKLM\..\RunOnce: [apphq.exe] C:\WINDOWS\system32\apphq.exe
    O4 - HKLM\..\RunOnce: [addft.exe] C:\WINDOWS\system32\addft.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00719/sb026.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C32DAF20-8F11-4B18-A218-8D08E7275B36}: NameServer = 10.1.1.1


    Some of the things I was suspicious of are gone, but that dern ydovr.dll is still there, even though it never showed up upon searching its path.
  • edited August 2004
    Should I go into REGEDIT and delete the ydovr.dll when I see it? Would that work?
  • Dexter (Vancouver, BC Canada)
    edited August 2004
    Did you stop the service and disable it?

    Dexter...
  • edited August 2004
    Yes, I did stop and disable. But I just ran the service check again, and it has restarted itself. I just stopped it for the second time and again disabled it.
  • edited August 2004
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydovr.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydovr.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydovr.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ydovr.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydovr.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydovr.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydovr.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydovr.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydovr.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search-all-fast.com/pop/popup6.php?pin=37049

    Can I go into the REG in safe mode and delete this entire Key? As in, delete HKLM\Software\Microsoft\Main or any other that is listed above?
  • Mancabus (Charlottesville, VA)
    edited August 2004
    I have followed the steps on this post over at wilders security, and have found them to be the best for removing this about:blank problem.

    http://www.wilderssecurity.com/showpost.php?p=162440&postcount=4

    Plus I have attached clean IE Main registry entries from my work computer.

    Hopefully you can follow the instructions ok, as when I have, I have been able to eliminate this crapper.
  • Dexter (Vancouver, BC Canada)
    edited August 2004
    Stop the service if it is still there, hard boot to safe mode and delete those entries in HJT, then quarantine the files with my quarantine procedure.

    Don't do it in regedit, as you don't want to delete them there, let HJT do it for you.

    Dexter...
  • Dexter (Vancouver, BC Canada)
    edited August 2004
    Mancabus wrote:
    I have followed the steps on this post over at wilders security, and have found them to be the best for removing this about:blank problem.

    http://www.wilderssecurity.com/showpost.php?p=162440&postcount=4


    Their method is a bit more complicated, and that guide is not as easy to follow as ours. Stopping the service works just as well as locating the AppInt DLL's key in the reg, and is easier to do. One look at the number of resolved HSA threads here on Short-Media will prove that our method works. Plus look at how many views the guide has gotten since it was published 8 days ago. Thousands...with only a very few people posting on the forums for further help. Plus the public feedback posts we have received, the private messages I have received, and the e-mails I have received, all saying "Thanks, that worked great!" Our method works.

    ///EDIT: Oh, and checking further in their thread on the new variants, they are only aware of 2 out of the 3 bogus service names, so we have more information on it than they do as well. :)

    Dexter...
  • Mancabus (Charlottesville, VA)
    edited August 2004
    I understand that Dexter, I just found the method here a little too long to follow.

    No disrespect to You Dexter for your work here, as it is timely and most helpful to others.

    It appears that wilders hasn't updated the page in a few months anyway.
  • Dexter (Vancouver, BC Canada)
    edited August 2004
    Mancabus wrote:
    I understand that Dexter, I just found the method here a little too long to follow.

    No disrespect to You Dexter for your work here, as it is timely and most helpful to others.

    It appears that wilders hasn't updated the page in a few months anyway.


    No disrespect perceived or assumed. :) We have no problem pointing users to fixes from other sites, so long as what is linked is useful. We're "man enough" to link to another site...unlike some other tech sites, like the one that suspended my account temporarily today after I posted there about our guide and the free Omegakiller application we developed. Sheesh, if the objective is to help users, let's share information guys.... Anyway, I have left your link in, in case someone wants to follow it and try it.

    Our method may look long on paper, but should only take about 5 to 10 minutes to do, depending on how long it takes your computer to boot up in SAFE MODE. My goal in writing the removal guide in such a way was to cut down on forum posts. There is some redundancy to our method (comparing HJT logs from normal and safe modes) which helps users learn to identify the pattern of the infection files, and from there be able to self-diagnose their own HJT logs without having to post logs here. Comparing the number of page views to the number of users who are posting for additional help, it is reasonable to assume that it is working :)

    Dexter...
  • edited August 2004
    I thought I had it licked! I opened IE and it couldn't find ydovr.dll! But, alas, it appears to have rewritten itself as

    res://C:\WINDOWS\system32\hunyh.dll/sp.html#37049

    So I'm off to hack it out again....
  • edited August 2004
    Well, after an hour and 20 minutes, here's my progress.

    Logfile of HijackThis v1.98.2
    Scan saved at 9:11:49 AM, on 8/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\NALNTSRV.EXE
    C:\NOVELL\ZENRC\wuser32.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
    C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
    C:\WINDOWS\System32\wm.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\dpmw32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    C:\Novell\GroupWise\Notify.exe
    C:\Novell\GroupWise\GRPWISE.EXE
    C:\WINDOWS\system32\atlkw.exe
    C:\WINDOWS\sysjb.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hijackthis\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bdfyd.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bdfyd.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bdfyd.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bdfyd.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bdfyd.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bdfyd.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bdfyd.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bdfyd.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bdfyd.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search-all-fast.com/pop/popup6.php?pin=37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {C59125DF-029B-6A6C-6A20-25059899CD06} - C:\WINDOWS\winwf.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [apphl32.exe] C:\WINDOWS\system32\apphl32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [atlkw.exe] C:\WINDOWS\system32\atlkw.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00719/sb026.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C32DAF20-8F11-4B18-A218-8D08E7275B36}: NameServer = 10.1.1.1

    It seems as though every time I get one out, it rewrites itself and I have to keep repeating the process. Bad programs are disabled, and I have a few things in quarantine. I have also noticed that for the last few times, it has rewritten itself to C:\WINDOWS and then next to C:\WINDOWS\system32....it's a cycle, so it's to the point that I know where to go to look for the file in question. Here's a list of my active programs....



    Windows Audio: AudioSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Computer Browser: Browser
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Cryptographic Services: CryptSvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    DHCP Client: Dhcp
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Logical Disk Manager: dmserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Error Reporting Service: ERSvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COM+ Event System: EventSystem
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Fast User Switching Compatibility: FastUserSwitchingCompatibility
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Help and Support: helpsvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Server: lanmanserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Workstation: lanmanworkstation
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Messenger: Messenger
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Connections: Netman
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Location Awareness (NLA): Nla
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Task Scheduler: Schedule
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Secondary Logon: seclogon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    System Event Notification: SENS
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Shell Hardware Detection: ShellHWDetection
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Terminal Services: TermService
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Themes: Themes
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Distributed Link Tracking Client: TrkWks
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Upload Manager: uploadmgr
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Time: W32Time
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Management Instrumentation: winmgmt
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Automatic Updates: wuauserv
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Wireless Zero Configuration: WZCSVC
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    DNS Client: Dnscache
    C:\WINDOWS\System32\svchost.exe -k NetworkService

    Event Log: Eventlog
    C:\WINDOWS\system32\services.exe

    Plug and Play: PlugPlay
    C:\WINDOWS\system32\services.exe

    iPod Service: iPodService
    C:\Program Files\iPod\bin\iPodService.exe

    TCP/IP NetBIOS Helper: LmHosts
    C:\WINDOWS\System32\svchost.exe -k LocalService

    Remote Registry: RemoteRegistry
    C:\WINDOWS\system32\svchost.exe -k LocalService

    SSDP Discovery Service: SSDPSRV
    C:\WINDOWS\System32\svchost.exe -k LocalService

    WebClient: WebClient
    C:\WINDOWS\System32\svchost.exe -k LocalService

    Novell Application Launcher: NALNTSERVICE
    C:\WINDOWS\System32\NALNTSRV.EXE

    Remote management: Novell WUser Agent
    C:\NOVELL\ZENRC\wuser32.exe

    NVIDIA Driver Helper Service: NVSvc
    C:\WINDOWS\System32\nvsvc32.exe

    Network Security Service: O?’ŽrtñåȲ$Ó
    C:\WINDOWS\sysjb.exe /s

    IPSEC Services: PolicyAgent
    C:\WINDOWS\System32\lsass.exe

    Protected Storage: ProtectedStorage
    C:\WINDOWS\system32\lsass.exe

    Security Accounts Manager: SamSs
    C:\WINDOWS\system32\lsass.exe

    Remote Procedure Call (RPC): RpcSs
    C:\WINDOWS\system32\svchost -k rpcss

    Print Spooler: Spooler
    C:\WINDOWS\system32\spoolsv.exe

    Sophos Anti-Virus Network: SweepNet
    "C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE"

    Sophos Anti-Virus: SWEEPSRV.SYS
    "C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS"

    Novell Workstation Manager: WM
    C:\WINDOWS\System32\wm.exe

    WUOLservice: WUOLService
    C:\NOVELL\ZENRC\WUOLService.exe


    And I notice that sysjb.exe is still there, even though I have disabled it....wonderful. I'm getting frustrated Dexter...tell me there's a light at the end of this tunnel!
  • Dexter (Vancouver, BC Canada)
    edited August 2004
    Network Security Service is still there. Repeat the services.msc step of the guide (now step 4) in Normal mode. Find that service, right click and STOP. Then right click -> properties, DISABLE. Then hard-boot to Safe Mode, Hijack This, fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bdfyd.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bdfyd.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bdfyd.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bdfyd.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bdfyd.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bdfyd.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bdfyd.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bdfyd.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bdfyd.dll/sp.html#37049

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {C59125DF-029B-6A6C-6A20-25059899CD06} - C:\WINDOWS\winwf.dll

    O4 - HKLM\..\Run: [apphl32.exe] C:\WINDOWS\system32\apphl32.exe

    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe

    O4 - HKLM\..\Run: [atlkw.exe] C:\WINDOWS\system32\atlkw.exe

    (You appear to have multiple instances of the reloader going, perhaps that is part of the trouble.)

    Find the exe and dll files in the entries above, quarantine them. Run about:buster to see if it cleans up any remnants. Hard-boot to normal mode, and check things out. Run a new HJT log and a new Active Services log, and post them for review.

    Dexter...
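The two listings in this thread show what Dexter is looking for by eye: a service whose name is unreadable garbage and whose binary lives directly in C:\WINDOWS instead of system32. The script below is an added example (not part of the thread, not a tool from the guide) that parses the "Active Services" listing format posted above and flags such entries, and diffs a before/after listing to confirm which service disappeared. The sample listings are constructed from entries on this page; the allow-list heuristics are assumptions for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the same "Display name: ServiceName" / image-path
# format as the Active Services listings posted in the thread (before cleanup).
LISTING_BEFORE = r"""
Network Security Service: O?’ŽrtñåȲ$Ó
C:\WINDOWS\sysjb.exe /s

Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe

Sophos Anti-Virus Network: SweepNet
"C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE"

Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss
"""

# Constructed sample of the listing after the service was removed.
LISTING_AFTER = r"""
Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe

Sophos Anti-Virus Network: SweepNet
"C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE"

Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss
"""

WINDOWS_ROOT = r"c:\windows"  # assumption: default XP install drive/dir


@dataclass
class ServiceEntry:
    display_name: str
    service_name: str
    command_line: str

    @property
    def image_path(self) -> str:
        """Executable path with surrounding quotes and arguments removed."""
        cmd = self.command_line.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        return cmd.split()[0]


def parse_listing(text: str) -> list[ServiceEntry]:
    """Split the listing into blank-line separated name/path pairs."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2 or ": " not in lines[0]:
            continue  # not a name/path pair; skip it
        display, _, svc = lines[0].rpartition(": ")
        entries.append(ServiceEntry(display, svc, lines[1]))
    return entries


def suspicious_reasons(entry: ServiceEntry) -> list[str]:
    """Heuristics (assumed, not from the guide) that match the thread's finding."""
    reasons = []
    if any(ord(c) < 32 or ord(c) > 126 for c in entry.service_name):
        reasons.append("service name contains non-printable or non-ASCII characters")
    path = entry.image_path.lower()
    directory = path.rsplit("\\", 1)[0] if "\\" in path else ""
    if directory == WINDOWS_ROOT:
        reasons.append("binary sits directly in the Windows root rather than system32")
    return reasons


def flag_suspicious(text: str) -> list[tuple[str, list[str]]]:
    """Return (display name, reasons) for every entry that trips a heuristic."""
    flagged = []
    for entry in parse_listing(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry.display_name, reasons))
    return flagged


def removed_services(before: str, after: str) -> list[str]:
    """Display names present in the earlier listing but gone from the later one."""
    after_names = {e.service_name for e in parse_listing(after)}
    return [e.display_name for e in parse_listing(before)
            if e.service_name not in after_names]


if __name__ == "__main__":
    for name, reasons in flag_suspicious(LISTING_BEFORE):
        print(f"{name}: {'; '.join(reasons)}")
    print("Removed after cleanup:", removed_services(LISTING_BEFORE, LISTING_AFTER))
```

The directory check is deliberately narrow: plenty of legitimate services run from Program Files or system32, so the only thing worth a second look here is an executable dropped straight into the Windows root, which is exactly where sysjb.exe and netni.exe sat in the logs above.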
  • edited August 2004
    Sounds good, I'll give it a try. I have been stopping and disabling that sysjb Network Security, but it reactivates itself. I'll post the results shortly...
  • edited August 2004
    Here's the latest HJT:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\NALNTSRV.EXE
    C:\NOVELL\ZENRC\wuser32.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
    C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
    C:\WINDOWS\System32\wm.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\netni.exe
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    C:\Novell\GroupWise\Notify.exe
    C:\Novell\GroupWise\GRPWISE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hijackthis\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunOnce: [netni.exe] C:\WINDOWS\netni.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00719/sb026.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C32DAF20-8F11-4B18-A218-8D08E7275B36}: NameServer = 10.1.1.1

    And now here is the latest Active Program:

    Windows Audio: AudioSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Computer Browser: Browser
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Cryptographic Services: CryptSvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    DHCP Client: Dhcp
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Logical Disk Manager: dmserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Error Reporting Service: ERSvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COM+ Event System: EventSystem
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Fast User Switching Compatibility: FastUserSwitchingCompatibility
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Help and Support: helpsvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Server: lanmanserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Workstation: lanmanworkstation
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Messenger: Messenger
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Connections: Netman
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Location Awareness (NLA): Nla
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Task Scheduler: Schedule
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Secondary Logon: seclogon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    System Event Notification: SENS
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Shell Hardware Detection: ShellHWDetection
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Terminal Services: TermService
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Themes: Themes
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Distributed Link Tracking Client: TrkWks
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Upload Manager: uploadmgr
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Time: W32Time
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Management Instrumentation: winmgmt
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Automatic Updates: wuauserv
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Wireless Zero Configuration: WZCSVC
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    DNS Client: Dnscache
    C:\WINDOWS\System32\svchost.exe -k NetworkService

    Event Log: Eventlog
    C:\WINDOWS\system32\services.exe

    Plug and Play: PlugPlay
    C:\WINDOWS\system32\services.exe

    iPod Service: iPodService
    C:\Program Files\iPod\bin\iPodService.exe

    TCP/IP NetBIOS Helper: LmHosts
    C:\WINDOWS\System32\svchost.exe -k LocalService

    Remote Registry: RemoteRegistry
    C:\WINDOWS\system32\svchost.exe -k LocalService

    SSDP Discovery Service: SSDPSRV
    C:\WINDOWS\System32\svchost.exe -k LocalService

    WebClient: WebClient
    C:\WINDOWS\System32\svchost.exe -k LocalService

    Novell Application Launcher: NALNTSERVICE
    C:\WINDOWS\System32\NALNTSRV.EXE

    Remote management: Novell WUser Agent
    C:\NOVELL\ZENRC\wuser32.exe

    NVIDIA Driver Helper Service: NVSvc
    C:\WINDOWS\System32\nvsvc32.exe

    IPSEC Services: PolicyAgent
    C:\WINDOWS\System32\lsass.exe

    Protected Storage: ProtectedStorage
    C:\WINDOWS\system32\lsass.exe

    Security Accounts Manager: SamSs
    C:\WINDOWS\system32\lsass.exe

    Remote Procedure Call (RPC): RpcSs
    C:\WINDOWS\system32\svchost -k rpcss

    Print Spooler: Spooler
    C:\WINDOWS\system32\spoolsv.exe

    Sophos Anti-Virus Network: SweepNet
    "C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE"

    Sophos Anti-Virus: SWEEPSRV.SYS
    "C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS"

    Novell Workstation Manager: WM
    C:\WINDOWS\System32\wm.exe

    WUOLservice: WUOLService
    C:\NOVELL\ZENRC\WUOLService.exe


    I hope I don't jinx myself, but I think we may have done it Dexter!
  • DexterDexter Vancouver, BC Canada
    edited August 2004
    Looks good :)

    Hopefully you don't go out and get infected again. Check our articles on Defeating Spyware and Spyware General Info to learn more about how to avoid getting infected again.

    Also, do something good with your computer! Click the links in my sig to find out more about the Folding For A Cure project. Many of us here are involved in this easy and worthwhile endeavour which lets our computers use their spare resources to search for cures to diseases.

    Dexter...