stargazer777
As has been stated by many people.....here and elsewhere.....there is no 'one' spyware program that catches everything....and I recommend that you use Ad-aware to double check your pc for other nasties, just in case.........???
poppy
Crunchie, Quote:
Originally posted by crunchie
A link is probably easier as I really am not a guru.
Just an ordinary working man :).
http://www.windowsitpro.com/Windows/...ows_38206.html
I tried the command in Start>Run for removal of MS VM, and I got a small message window, "Could not find INF file 'java.inf'." I'm wondering why it's gone, if a malware item screwed it up, or .... ?? I did not remove MS VM Java previously.
Should I consider MS VM as disabled, and just go ahead and install SunJava ?
Also, I've read many posts in various places that SunJava has caused instabilities. Has this been 'cured' ?
- Dave G.
Dave: I can't comment on whether or not your MS VM is disabled but if you want to safely use Java Technology when surfing, Sun's version is it. Sun and MS reached an agreement a year or so ago and MS no longer distributes VM. New XP PCs automatically come with Sun's Java already installed.
FWIW, I have installed the Sun Java version on every PC at work and on all of my friends' PCs I update. I have not had any issues at all. It is worth pointing out that these PCs have been thoroughly screened for nasties before putting on the Java...
This thread may help a little too... http://discussions.virtualdr.com/sho...hreadid=181403
You can use this site to see if you even have Java installed.
And this one will let you know if it is enabled.
They could answer why you were not able to find things.
I would suggest downloading CWShredder and running it also.
Thanks, guys . . .
Train, I tried both of those Java sites .... the first told me I did indeed have MS Java installed, and the second site demonstrated that, apparently, it IS working. Now I am TOTALLY baffled as to why running the MS VM uninstall command in Start>Run tells me it cannot find 'java.inf' .... ???
The main questions about this are (1) Do I go ahead and install SunJava, and if NO ..... (2) How can I uninstall MS VM if it cannot find the items to toss out ?
--------------------------------------
Greengoose, thank you for the suggestion. I had already downloaded and previously run CWShredder. Just now, I had run AdAware and Stinger, and had everything deleted/disabled ..... then I ran CWShredder and it found nothing -- I guess the other apps found and munched it.
--------------------------------------
A few of these nasties seem to REappear immediately after my malware killing apps get rid of everything they find. This is true even with MS Messenger totally turned off and visiting no websites except VirtualDr. Apparently, there is *something* that my malware killers are NOT finding, that is reinstalling these buggers ....
Since someone (Train?) said all malware should be removed before installing SunJava, I have no idea how to get fully 'clean' to do so, if things get slapped back onto my system right after getting rid of them ......
Thanks again,
- Dave
My statement of the problems was with XP SP2 install. But I do agree it would be better if you had a clean machine to install anything on.
Follow the instructions in this thread and post your log in this thread; I or one of the other moderators will then move it to the HJT forum.
http://discussions.virtualdr.com/sho...hreadid=167915
There, the folks that are more knowledgeable about reading those logs can put together what has been posted and better help you.
Well, I posted more on my thread in the Virus/Trojan forum ( http://discussions.virtualdr.com/sho...0&pagenumber=1), since I seem to have a mix of those *plus* spyware/hijackware.
Here is my latest HJT log:
Logfile of HijackThis v1.99.0
Scan saved at 12:52:22 PM, on 2/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS2\System32\devldr32.exe
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Logitech\iTouch\kbdtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS2\System32\ctfmon.exe
D:\Program Files\Plextor\PlexTool.exe
D:\Program Files\SpySubtract\SpySub.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS2\system32\ZoneLabs\vsmon.exe
C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
C:\Documents and Settings\Dave.DGATES1\htt.exe
C:\Documents and Settings\Dave.DGATES1\dddd.exe
C:\WINDOWS2\explorer.exe
C:\Documents and Settings\Dave.DGATES1\htt.exe
C:\Documents and Settings\Dave.DGATES1\dddd.exe
D:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dave.DGATES1\dddd.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS2\blank.htm
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS2\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS2\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS2\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [kalvsys] c:\windows2\system32\kalvbda32.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O4 - Global Startup: SpySubtract.lnk = D:\Program Files\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2****ed.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104543957578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C83C5C97-CD0D-4C5D-B1F8-EBB7E44F6FD4}: NameServer = 192.168.2.1,38.9.212.2
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS2\system32\ZoneLabs\vsmon.exe
O23 - Service: WinTab Service - Tablet Driver - C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
I know someone will tell me to have HJT 'kill' a bunch of stuff on this list, but just keep in mind .... as I said in the Virus/Trojan forum, I keep killing and killing this stuff with my a.v., HJT, Stinger, etc etc. .... and it just gets REinstalled again and again. It seems that *something* -- which my virus/malware killers apparently keep missing -- goes right back and puts nasties back into my system right after I kill them off.
If antivirus (AVG *and* Housecall), HJT, Stinger, etc. can't keep them killed for good, how can I ever get my system clean ? And I need to do so, to install SunJava, as I was instructed to do on the Virus/Trojan forum . . .
Thanks,
- Dave G.
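As an added example (not code from the thread, from HijackThis, or from any of the helpers here), the following Python script parses lines in the HijackThis log format posted above and flags the entry types the helpers are looking at: O15 Trusted Zone hosts outside an expected allow-list, O16 ActiveX downloads from unrecognised hosts, O18 MIME filters that hook all text/html and text/plain content, O4 Run entries that re-register a DLL at every logon, and a CLSID that appears in more than one section. The sample lines and the `KNOWN_HOSTS` allow-list are constructed for this example; the placeholder CLSID of zeros is not a real control.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99 line format. Paths and CLSIDs are taken
# from the log posted in the thread; the last O16 line is a constructed
# placeholder (all-zero CLSID) standing in for a vendor-hosted control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS2\blank.htm
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [kalvsys] c:\windows2\system32\kalvbda32.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Placeholder Control) - http://download.microsoft.com/placeholder.cab
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed allow-list of hosts a defender would expect in Trusted Zone and
# ActiveX-download entries on a typical home XP box; tune it to the environment.
KNOWN_HOSTS = ("microsoft.com", "msn.com", "ebayimg.com", "akamai.net")


def parse_hjt(text):
    """Return (section_code, body) pairs for every recognised HJT line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def is_known(host):
    host = host.lower()
    return any(host == k or host.endswith("." + k) for k in KNOWN_HOSTS)


def triage(text):
    """Return a list of (section, reason, detail) findings for review."""
    entries = parse_hjt(text)
    findings = []
    clsid_sections = defaultdict(set)  # CLSID -> sections it appears in

    for code, body in entries:
        for clsid in CLSID_RE.findall(body):
            clsid_sections[clsid.upper()].add(code)

        if code == "O15" and body.startswith("Trusted Zone:"):
            zone = body.split(":", 1)[1].strip()        # e.g. "*.ysbweb.com"
            if not is_known(zone.lstrip("*.")):
                findings.append((code, "unexpected host in IE Trusted Zone", zone))
        elif code == "O16":
            url = body.rsplit(" - ", 1)[-1]            # last field is the download URL
            if not is_known(urlparse(url).hostname or ""):
                findings.append((code, "ActiveX download from unrecognised host", url))
        elif code == "O18" and body.startswith("Filter:"):
            # A MIME filter sees every page of that type before the browser does.
            findings.append((code, "MIME filter hooks browser content", body))
        elif code == "O4":
            cmd = body.split("] ", 1)[-1]               # strip "HKLM\..\Run: [name] "
            if re.match(r"(?i)rundll32(\.exe)?\s", cmd) and "DllRegisterServer" in cmd:
                findings.append((code, "Run entry re-registers a COM DLL at each logon", cmd))

    # A BHO that is also a MIME filter (or any CLSID reused across sections) is
    # one component with several hooks; removing only one of them leaves it active.
    for clsid, sections in clsid_sections.items():
        if len(sections) > 1:
            findings.append(("CLSID", "same CLSID in sections " + ",".join(sorted(sections)), clsid))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:5} {reason}: {detail}")
```

Entries the script flags are candidates for the helpers to review, not an automatic fix list; a legitimate control or vendor host that is missing from the allow-list will show up here too.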
Thanks, Train . . .
I put another post in the HJT forum, with a new HJT log.
As I've said, I'm tired of deleting and killing stuff, when apparently my a.v. and malware killers seem to keep missing something that apparently goes right back and REinstalls the same or similar junk.
I've used my various malware utilities and a.v. to wipe everything away, then I run them again, literally minutes later, and the junk is all over the place again.
What's frustrating is, I didn't have a *single problem* with this stuff before a month or so ago ....... now I can't keep it off to save my neck. :mad:
- Dave
Somewhere you picked up a bunch of probably morphing .dll and stuff like that.
Yes, they change their names every time you try to get rid of them, reboot, etc.
But the base has to be dug out and that was why I wanted you to post the hjt log in this thread. That way I would have moved the whole thing to the hjt forum and all this mess would have been kept together.
Hi Dave, let's try Silent Runners and see what it reports before we start work on your log. Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.
OK, well …. I get hit with so many popups, so often, I can’t even write a post, as they interfere with typing, so I will use MS Word first.
First of all, thank you again to anyone and everyone that has had the patience to try and help me. At this point, I must appear as a raving lunatic.
Train …. I’m sorry, I’m a bit confused. In your last post, you said you’d asked me for an HJT log in the HJT forum, but I did, just a couple of posts earlier. What am I missing here ? I know I must seem like an idiot at this point, but this deluge of nasties has my brain melting.
I had felt that perhaps I should post on both the Trojan/Virus and the HJT forums, since I seemed to be experiencing problems from both. Is there a consensus that I should keep my posts focused on one forum? All I want in the world is to get ALL of this garbage off of my PC and *keep* it off, and get back to normal. Right now I feel like I’m a prisoner when I can’t even finish typing a post, and a popup appears every 10 seconds (scarcely an exaggeration).
And as for hijackers, it’s *almost* funny – right now, it looks like about half a dozen hijackers are battling to have control of my browser window.
--------------------------------------------------------------
AnneMarie ….. thanks for your willingness to join my insanity. You asked for a Silent Runner log, here it is:
(NOTE: The HJT forum asks users to paste HJT logs directly into their posts .... I'm assuming I should do the same with the SR logs -- if that is incorrect, let me know and I will use an attachment next time (for SR logs only).)
Silent Runner log, 02/07/05 12:41 AM
"Silent Runners.vbs", revision RED (R28) (Echo output), launched at: 00:41
Operating System: Windows XP
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"LDM" = "D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [null data]
"ctfmon.exe" = "C:\WINDOWS2\System32\ctfmon.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"zBrowser Launcher" = "D:\Program Files\Logitech\iTouch\iTouch.exe" ["Logitech Inc. "]
"RoxioDragToDisc" = ""D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"" ["Roxio"]
"RemoteControl" = "C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe" ["Cyberlink Corp."]
"Logitech Utility" = "Logi_MwX.Exe" [file not found]
"LDM" = "D:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe" [null data]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"Systems Restart" = "Rundll32.exe wnim.dll, DllRegisterServer" [MS]
"kalvsys" = "C:\windows2\system32\kalvugh32.exe" [(path error)]
HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS2\inf\unregmp2.exe /ShowWMP" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{28CAEFF3-0F18-4036-B504-51D73BD81ABC}\(Default) = "&EliteBar"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS2\EliteToolBar\EliteToolBar version 59.dll" [empty string]
{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\(Default) = "&EliteSideBar"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS2\EliteSideBar\EliteSideBar 08.dll" [empty string]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{5FFD4A60-C328-128D-44EB-21D258091D15}" = "Delayed Applications Handler"
-> resolves to: {CLSID}\InprocServer32\(Default) = blank [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS2\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS2\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS2\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS2\System32\stobject.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "AtiExtEvent\DLLName" = "(no data)" [file not found]
Startup items in "Dave" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\All Users.WINDOWS2\Start Menu\Programs\Startup
"Logitech Desktop Messenger" -> shortcut to: "D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" [empty string]
"Microsoft Office" -> shortcut to: "D:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"PlexTools Professional" -> shortcut to: "D:\Program Files\Plextor\PlexTool.exe Startup" ["Plextor SA/NV"]
"SpySubtract" -> shortcut to: "D:\Program Files\SpySubtract\SpySub.exe -autostart" ["InterMute, Inc."]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Automatic Updates, wuauserv, "C:\WINDOWS2\system32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\wuauserv.dll" [MS]}
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
COM+ Event System, EventSystem, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\es.dll" [MS]}
Computer Browser, Browser, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\browser.dll" [MS]}
Cryptographic Services, CryptSvc, "C:\WINDOWS2\system32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\cryptsvc.dll" [MS]}
DHCP Client, Dhcp, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\dhcpcsvc.dll" [MS]}
Distributed Link Tracking Client, TrkWks, "C:\WINDOWS2\system32\svchost.exe -k netsvcs" {"C:\WINDOWS2\system32\trkwks.dll" [MS]}
DNS Client, Dnscache, "C:\WINDOWS2\System32\svchost.exe -k NetworkService" {"C:\WINDOWS2\System32\dnsrslvr.dll" [MS]}
Error Reporting Service, ERSvc, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\ersvc.dll" [MS]}
Event Log, Eventlog, "C:\WINDOWS2\system32\services.exe" [MS]
Fast User Switching Compatibility, FastUserSwitchingCompatibility, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\shsvcs.dll" [MS]}
Help and Support, helpsvc, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
IPSEC Services, PolicyAgent, "C:\WINDOWS2\System32\lsass.exe" [MS]
Logical Disk Manager, dmserver, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\dmserver.dll" ["Microsoft Corp."]}
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Messenger, Messenger, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\msgsvc.dll" [MS]}
Network Connections, Netman, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\netman.dll" [MS]}
Network Location Awareness (NLA), Nla, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\mswsock.dll" [MS]}
Plug and Play, PlugPlay, "C:\WINDOWS2\system32\services.exe" [MS]
Print Spooler, Spooler, "C:\WINDOWS2\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINDOWS2\system32\lsass.exe" [MS]
Remote Procedure Call (RPC), RpcSs, "C:\WINDOWS2\system32\svchost -k rpcss" {"C:\WINDOWS2\system32\rpcss.dll" [MS]}
Remote Registry, RemoteRegistry, "C:\WINDOWS2\system32\svchost.exe -k LocalService" {"C:\WINDOWS2\system32\regsvc.dll" [MS]}
Secondary Logon, seclogon, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\seclogon.dll" [MS]}
Security Accounts Manager, SamSs, "C:\WINDOWS2\system32\lsass.exe" [MS]
Server, lanmanserver, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\srvsvc.dll" [MS]}
Shell Hardware Detection, ShellHWDetection, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\shsvcs.dll" [MS]}
SSDP Discovery Service, SSDPSRV, "C:\WINDOWS2\System32\svchost.exe -k LocalService" {"C:\WINDOWS2\System32\ssdpsrv.dll" [MS]}
System Event Notification, SENS, "C:\WINDOWS2\system32\svchost.exe -k netsvcs" {"C:\WINDOWS2\system32\sens.dll" [MS]}
System Restore Service, srservice, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\srsvc.dll" [MS]}
Task Scheduler, Schedule, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\system32\schedsvc.dll" [MS]}
TCP/IP NetBIOS Helper, LmHosts, "C:\WINDOWS2\System32\svchost.exe -k LocalService" {"C:\WINDOWS2\System32\lmhsvc.dll" [MS]}
Terminal Services, TermService, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\termsrv.dll" [MS]}
Themes, Themes, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\shsvcs.dll" [MS]}
TrueVector Internet Monitor, vsmon, "C:\WINDOWS2\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]
Upload Manager, uploadmgr, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
WebClient, WebClient, "C:\WINDOWS2\System32\svchost.exe -k LocalService" {"C:\WINDOWS2\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\audiosrv.dll" [MS]}
Windows Management Instrumentation, winmgmt, "C:\WINDOWS2\system32\svchost.exe -k netsvcs" {"C:\WINDOWS2\system32\wbem\WMIsvc.dll" [MS]}
Windows Time, W32Time, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\w32time.dll" [MS]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS2\System32\wdfmgr.exe" [MS]
WinTab Service, WinTabService, "C:\WINDOWS2\System32\DRIVERS\WtSrv.exe" ["Tablet Driver"]
Wireless Zero Configuration, WZCSVC, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\wzcsvc.dll" [MS]}
Workstation, lanmanworkstation, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\wkssvc.dll" [MS]}
- Dave G.
Hi Dave, I merged your topics from both forums to this one thread. That's why it looks a bit odd. Sorry, I should have told you.
Please post all your logs inside the thread, do not attach them. Attachments are too difficult to follow and compare against earlier logs.
I need more information. I have uploaded a file called srvlook_test_112.zip by IMM to this post. Please download it to your Desktop, unzip it and doubleclick on RUNME.bat. It will create a text file, Srvlook.log. Please copy the log back in this thread. You may need to make a couple of posts.
Do you have DllCompare? If not, go here and download and run DllCompare. Follow the prompts and post the log it makes back in this thread.
Can you please post another screenshot of your C:\ folder.
Ooops, I forgot to attach srvlook_test_112.zip
Thanks, AnneMarie ...
First, here is my SrvLook log:
A Service_look by IMM (v1.0)
System Info:
Windows XP Pro SP1 (Build 2600)
System Drive: C:\ ()
number of entries: 47
SERVICE_NAME: AudioSrv
DISPLAY_NAME : Windows Audio
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Avg7Alrt
DISPLAY_NAME : AVG7 Alert Manager Server
BINARY_PATH_NAME : C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Avg7UpdSvc
DISPLAY_NAME : AVG7 Update Service
BINARY_PATH_NAME : C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Browser
DISPLAY_NAME : Computer Browser
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: CryptSvc
DISPLAY_NAME : Cryptographic Services
BINARY_PATH_NAME : C:\WINDOWS2\system32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Dhcp
DISPLAY_NAME : DHCP Client
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: dmserver
DISPLAY_NAME : Logical Disk Manager
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Dnscache
DISPLAY_NAME : DNS Client
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k NetworkService
SERVICE_START_NAME: NT AUTHORITY\NetworkService
SERVICE_NAME: ERSvc
DISPLAY_NAME : Error Reporting Service
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Eventlog
DISPLAY_NAME : Event Log
BINARY_PATH_NAME : C:\WINDOWS2\system32\services.exe
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: EventSystem
DISPLAY_NAME : COM+ Event System
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: FastUserSwitchingCompatibility
DISPLAY_NAME : Fast User Switching Compatibility
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: helpsvc
DISPLAY_NAME : Help and Support
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: lanmanserver
DISPLAY_NAME : Server
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: lanmanworkstation
DISPLAY_NAME : Workstation
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: LmHosts
DISPLAY_NAME : TCP/IP NetBIOS Helper
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k LocalService
SERVICE_START_NAME: NT AUTHORITY\LocalService
SERVICE_NAME: MDM
DISPLAY_NAME : Machine Debug Manager
BINARY_PATH_NAME : "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Messenger
DISPLAY_NAME : Messenger
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Netman
DISPLAY_NAME : Network Connections
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Nla
DISPLAY_NAME : Network Location Awareness (NLA)
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: PlugPlay
DISPLAY_NAME : Plug and Play
BINARY_PATH_NAME : C:\WINDOWS2\system32\services.exe
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: PolicyAgent
DISPLAY_NAME : IPSEC Services
BINARY_PATH_NAME : C:\WINDOWS2\System32\lsass.exe
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: ProtectedStorage
DISPLAY_NAME : Protected Storage
BINARY_PATH_NAME : C:\WINDOWS2\system32\lsass.exe
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: RasMan
DISPLAY_NAME : Remote Access Connection Manager
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: RemoteRegistry
DISPLAY_NAME : Remote Registry
BINARY_PATH_NAME : C:\WINDOWS2\system32\svchost.exe -k LocalService
SERVICE_START_NAME: NT AUTHORITY\LocalService
SERVICE_NAME: RpcSs
DISPLAY_NAME : Remote Procedure Call (RPC)
BINARY_PATH_NAME : C:\WINDOWS2\system32\svchost -k rpcss
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: SamSs
DISPLAY_NAME : Security Accounts Manager
BINARY_PATH_NAME : C:\WINDOWS2\system32\lsass.exe
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Schedule
DISPLAY_NAME : Task Scheduler
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: seclogon
DISPLAY_NAME : Secondary Logon
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: SENS
DISPLAY_NAME : System Event Notification
BINARY_PATH_NAME : C:\WINDOWS2\system32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: ShellHWDetection
DISPLAY_NAME : Shell Hardware Detection
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Spooler
DISPLAY_NAME : Print Spooler
BINARY_PATH_NAME : C:\WINDOWS2\system32\spoolsv.exe
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: srservice
DISPLAY_NAME : System Restore Service
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: SSDPSRV
DISPLAY_NAME : SSDP Discovery Service
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k LocalService
SERVICE_START_NAME: NT AUTHORITY\LocalService
SERVICE_NAME: TapiSrv
DISPLAY_NAME : Telephony
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: TermService
DISPLAY_NAME : Terminal Services
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Themes
DISPLAY_NAME : Themes
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: TrkWks
DISPLAY_NAME : Distributed Link Tracking Client
BINARY_PATH_NAME : C:\WINDOWS2\system32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: UMWdf
DISPLAY_NAME : Windows User Mode Driver Framework
BINARY_PATH_NAME : C:\WINDOWS2\System32\wdfmgr.exe
SERVICE_START_NAME: NT AUTHORITY\LocalService
SERVICE_NAME: uploadmgr
DISPLAY_NAME : Upload Manager
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: vsmon
DISPLAY_NAME : TrueVector Internet Monitor
BINARY_PATH_NAME : C:\WINDOWS2\system32\ZoneLabs\vsmon.exe -service
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: W32Time
DISPLAY_NAME : Windows Time
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: WebClient
DISPLAY_NAME : WebClient
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k LocalService
SERVICE_START_NAME: NT AUTHORITY\LocalService
SERVICE_NAME: winmgmt
DISPLAY_NAME : Windows Management Instrumentation
BINARY_PATH_NAME : C:\WINDOWS2\system32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: WinTabService
DISPLAY_NAME : WinTab Service
BINARY_PATH_NAME : C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: wuauserv
DISPLAY_NAME : Automatic Updates
BINARY_PATH_NAME : C:\WINDOWS2\system32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: WZCSVC
DISPLAY_NAME : Wireless Zero Configuration
BINARY_PATH_NAME : C:\WINDOWS2\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem
- Dave