Those results reflect changes that match some other thread issues I have been involved in. And fortunately I also have some corrections from that other thread work that will help here.
Windows Registry Editor Version 5.00

; DependOnService decodes to RpcSs; both ImagePath values decode to
; %SystemRoot%\system32\svchost.exe -k netsvcs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc]
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"Description"="Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."
"DisplayName"="Cryptographic Services"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"Description"="Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."
"DisplayName"="Secondary Logon"
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000120
Open Notepad (Start - Run, type Notepad then press OK), and copy the blue text inside the box above and paste it into the open Notepad textbox.
Save this to your desktop as "bigfix3.reg"
Be sure to include the "" quotes in the name.
Then right click bigfix3.reg, select Merge, and allow it to merge the new information with the Registry.
---------------------
Reboot.
@ECHO OFF
REM Remove leftovers from a previous run
if exist Checkit*.txt del /q Checkit*.txt
if exist Results.txt del /q Results.txt
REM Query the current state of the three services that were repaired
sc query Cryptsvc > Checkit.txt
sc query seclogon > Checkit1.txt
sc query spooler > Checkit2.txt
REM Combine the three outputs into one report, clean up and open it
Type Checkit*.txt > Results.txt
del /q Checkit*.txt
Notepad Results.txt
Open Notepad (Start - Run, type notepad and press Enter).
Copy/paste the above text (inside the box) into the open text box, then save this to your desktop as "3look.bat"
Be sure to include the "" quotes in the name. Then click on 3look.bat. When the scan completes a textbox will open - copy/paste those contents back here please.
Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.
If you would, also post in your next reply the C:\ComboFix.txt log from the earlier scan you ran. Don't run and create a new log - I would like the one from your first run of it.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 1232896]
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
Those services look fixed and up and running now, and you may now also see some good improvements in all the problems you have been having there. A teammate named Mosaic1 has been very helpful in evaluating and providing repair suggestions for these corrupted service issues.
ComboFix shows some Registry keys with permission restrictions that do not appear to be either necessary, or at least are not helpful when users cannot access normal software functions like those. Let's address those now.
Be sure to continue to temporarily disable any protective software when running the scan tools we use here. Also disconnect from net access anytime you run ComboFix, reconnecting after it has completed its scan.
Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:
You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript file, and drag it into ComboFix to start the scan.
ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
---------
Post back that new C:\ComboFix.txt log, as well as an update on any of those problems you were experiencing please.
Cryptographic service is altered, so likely failing to start, as well as a few other services related to some unwanted change there. A teammate named Mosaic1 has provided a script we can use to verify these problem service issues, which will allow us to effect needed repairs.
Also, that iexplore.exe file in the Internet Explorer folder just does not seem to be the correct file size. See if you can send me a copy of that. Let's also see if the existing iexplore.exe file will work for you for now.
Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"
Please locate the following highlighted file(s), zip a copy of it, and send it to jintan @ malwarecrypt.com as an attachment. Please place "Submitted Files - LordBTY/bg/ie" as the email Subject.
c:\Program Files\Internet Explorer\iexplore.exe
Then for now also right click that file, and rename it to iexplore.exe.bad (agree to any warnings).
Then locate this copy, click it and see if you can open IE then:
c:\4bac1b979898353db5fea19d\iexplore.exe
------------------
'Script written by Mosaic1
'To diagnose a possible problem with Cryptographic Services.
'This script makes no changes to your operating system
'It merely reports
'Problem has so far only been seen in Windows XP SP3!
'Be careful not to fix anything unless you have the correct Registry Files for that operating system version.

Set fso = WScript.CreateObject("Scripting.FileSystemObject")
Set wshShell = WScript.CreateObject("WScript.Shell")

'The report is written next to the .vbs (the current directory when it is double-clicked)
Set ts = fso.CreateTextFile("CReport.txt", True)
ts.Write Now & vbCrLf & vbCrLf

'Ask WMI for the state and start mode of the Cryptographic Services service
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where Name = 'Cryptsvc'")
For Each objService In colListOfServices
    If objService.State = "Stopped" Then ts.WriteLine "Cryptographic services not running!"
    ts.WriteLine "Its start mode is set to: " & objService.StartMode
Next

'Export the three service keys with regedit and copy each export into the report
ExportKey "Crypt.txt",    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc"
ExportKey "spooler.txt",  "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler"
ExportKey "Seclogon.txt", "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Seclogon"

'Finish the report and open it in Notepad
ts.Close
wshShell.Run "notepad CReport.txt"

Sub ExportKey(exportFile, keyPath)
    'regedit /a writes an ANSI (REGEDIT4) export; the third argument makes Run wait for it
    wshShell.Run "regedit /a " & exportFile & " " & keyPath, , True
    keyName = Mid(keyPath, InStrRev(keyPath, "\") + 1)
    If Not fso.FileExists(exportFile) Then
        ts.WriteLine " Warning! No export of the " & keyName & " key exists."
        Exit Sub
    End If
    Set cs = fso.OpenTextFile(exportFile, 1)
    ts.Write cs.ReadAll & vbCrLf
    cs.Close
    fso.DeleteFile exportFile
End Sub
Open Notepad (Start - Run, type notepad and press Enter).
Copy/paste the above text into the open text box, then save this to your desktop as "Testing Crypto.vbs"
Be sure to include the "" quotes in the name. Then click on Testing Crypto.vbs. When the scan completes a textbox will open - copy/paste those contents back here please. This will also be saved to the same location as the .vbs file named CReport.txt.
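The bigfix3.reg posted earlier and the regedit /a exports that Testing Crypto.vbs pastes into CReport.txt are the same text format: ImagePath is a hex(2) (REG_EXPAND_SZ) value and DependOnService a hex(7) (REG_MULTI_SZ) value, both comma-separated UTF-16LE bytes, which is why a corrupted ImagePath is easy to miss when reading the report by eye. As an added example, not part of this thread or of Mosaic1's script, the Python below decodes such an export offline (on the helper's machine, not the infected XP box) and checks the Cryptsvc and seclogon values against the ones the fix merges. SAMPLE_REG is the content of bigfix3.reg minus the Description strings; EXPECTED and check_services are mine, and the expected values come from that .reg file.

```python
import re

# Decoded form of the hex(2) ImagePath values in bigfix3.reg.
SVCHOST_NETSVCS = r"%SystemRoot%\system32\svchost.exe -k netsvcs"

# Expected configuration taken from bigfix3.reg. Value names are lower-cased:
# the registry treats them case-insensitively (the post spells ObjectName two ways).
EXPECTED = {
    "Cryptsvc": {"imagepath": SVCHOST_NETSVCS, "objectname": "LocalSystem",
                 "start": 2, "type": 0x20, "dependonservice": ["RpcSs"]},
    "seclogon": {"imagepath": SVCHOST_NETSVCS, "objectname": "LocalSystem",
                 "start": 2, "type": 0x120},
}
REG_TYPES = {"2": "REG_EXPAND_SZ", "3": "REG_BINARY", "7": "REG_MULTI_SZ"}


def _decode_hex(kind, body):
    """'xx,xx,...' -> bytes; hex(2)/hex(7) payloads are NUL-terminated UTF-16LE."""
    raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
    if kind == "2":
        return raw.decode("utf-16-le").rstrip("\x00")
    if kind == "7":
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return raw


def parse_reg(text):
    """Parse REGEDIT4 / 'Version 5.00' export text into {key: {valuename: (type, value)}}."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line, pending = pending + line.strip(), ""
        if line.endswith("\\"):            # hex values wrap with a trailing backslash
            pending = line[:-1]
            continue
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)+)"=(.*)', line)
        if m is None or current is None:
            raise ValueError("unparsable .reg line: " + line)
        name, val = m.group(1), m.group(2)
        if val[:1] == '"' and val[-1:] == '"':
            parsed = ("REG_SZ", re.sub(r"\\(.)", r"\1", val[1:-1]))  # undo \" and \\ escapes
        elif val.startswith("dword:"):
            parsed = ("REG_DWORD", int(val[6:], 16))
        else:
            hm = re.match(r"hex(?:\((\w+)\))?:(.*)", val)
            if hm is None:
                raise ValueError("unknown value syntax: " + val)
            kind = hm.group(1) or "3"
            parsed = (REG_TYPES.get(kind, "hex(" + kind + ")"), _decode_hex(kind, hm.group(2)))
        keys[current][name.lower()] = parsed
    return keys


def check_services(keys):
    """Compare parsed keys with EXPECTED; return a list of deviations (empty = clean)."""
    findings, by_lower = [], {k.lower(): v for k, v in keys.items()}
    for svc, expected in EXPECTED.items():
        values = by_lower.get(("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\" + svc).lower())
        if values is None:
            findings.append(svc + ": key not present in export")
            continue
        for name, want in expected.items():
            if name not in values:
                findings.append(f"{svc}: {name} missing")
                continue
            got = values[name][1]
            same = got.lower() == want.lower() if isinstance(got, str) else got == want
            if not same:
                findings.append(f"{svc}: {name} is {got!r}, expected {want!r}")
    return findings


# bigfix3.reg as posted in this thread, Description values left out.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc]
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"DisplayName"="Cryptographic Services"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"DisplayName"="Secondary Logon"
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Objectname"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000120
"""

if __name__ == "__main__":
    for line in check_services(parse_reg(SAMPLE_REG)) or ["no deviations from the expected values"]:
        print(line)
```

To use it on a real CReport.txt, cut the three exports out of the report and feed each to parse_reg; the comparison is case-insensitive on strings because regedit preserves whatever case the key was written with (the two ImagePath values in the fix differ only in "system32" vs "System32").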
No currently active items, as far as those tougher infections the scan located in the System Restore files (System Volume Information). I received that iexplore.exe file, thanks. Not seeing anything wrong with it, though it seems to be for Vista, and not XP. Can't be sure on that though. Windows File Protection likely replaced the renamed file with a backup copy, so the rename suggestion was not the best of ideas for that. Can you open IE using that other file though?
However, in just glancing back through the logs I realize you have two antivirus programs installed there:
This will cause many problems, and these two may have now corrupted each other as well. May also be part of some of the problems you have going on now. I suggest you choose one of those, disable all security software and then uninstall it. Reboot, disable and uninstall the other. If either are a paid version be sure to save any registration keys/code.
Once you have done that and rebooted, post back a new RSIT log please.
I had removed them both and reinstalled them before.
Here's the RSIT log
Logfile of random's system information tool 1.06 (written by random/random)
Run by User at 2009-08-07 13:27:24
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 87 GB (37%) free of 238 GB
Total RAM: 1022 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:27:27, on 07/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2007-05-15 484904]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray] C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe [2008-03-28 1079296]
Those first two, by the looks of the names, are System Restore files, and the last one is an important and essential system file, as long as that file by that name is located in either the System32 folder or the System32\dllcache folder.
More important is that I not only really need you to not make any independent changes or run your own scans there, but SpyHunter is considered rogue software itself. You need to uninstall that, and delete any files from it as well.
Once you have done that, reboot, to make sure all changes were made. Then a good idea now would be to check the system with an updated copy of the same tool that provided the initial verification of problems there.
Delete any existing copies of ComboFix, then download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As" ). For this, rename the downloading file to 765out.com, then click the renamed 765out.com to run that scan.
Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.
A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
This log can also be found at C:\ComboFix.txt.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 1232896]
I do not recognize two folders that are showing in the log. Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"
Right click My Computer, left click Explore, and use the plus + symbols to navigate to the following folders, and just let me know what is in them:
c:\temp\ext256
c:\temp\ext2782
If they happen to be empty then go ahead and delete them. If their questionable value software is already uninstalled you can delete this folder as well:
c:\program files\Enigma Software Group
And now let's get a current online scan run, to verify nothing malicious remains there.
Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:
Remove found threats
Scan unwanted applications
Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.
If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.
Let's check a copy of that file. Just go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select the file (c:\temp\ext2782\update.exe) on your computer.
Then for now rename it to update.exe.bad
I received the update.exe file, thanks. My best assessment is it is a Windows updater file, though the internal code indicates a Windows 2000 version. Post back the Eset log when ready please.
When you post back that Eset log, also run this scan. We need to check the registry information on all the services there, to make sure all are correct.
Extract the file to the c:\ drive. Then navigate to c:\getservice and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad as a reply to this post.
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP189\A0028221.exe    a variant of Win32/TrojanDownloader.Swizzor.NCK trojan    cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP189\A0028223.exe    a variant of Win32/TrojanDownloader.Swizzor.NCL trojan    cleaned by deleting - quarantined
And here's the getservice log :)
SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1300
        FLAGS              :
        DESCRIPTION        : Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\alg.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Application Layer Gateway Service
        SERVICE_START_NAME : NT AUTHORITY\LocalService

        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : AOL Connectivity Service
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: aswUpdSv
DISPLAY_NAME: avast! iAVS4 Control Service
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1376
        FLAGS              :
        DESCRIPTION        : Provides automatic updating for the avast! antivirus.
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
        LOAD_ORDER_GROUP   : ShellSvcGroup
        TAG                : 0
        DISPLAY_NAME       : avast! iAVS4 Control Service
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: AudioSrv
DISPLAY_NAME: Windows Audio
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1060
        FLAGS              :
        DESCRIPTION        : Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   : AudioGroup
        TAG                : 0
        DISPLAY_NAME       : Windows Audio
        DEPENDENCIES       : PlugPlay
                           : RpcSs
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: avast! Antivirus
DISPLAY_NAME: avast! Antivirus
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1508
        FLAGS              :
        DESCRIPTION        : Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler.

SERVICE_NAME: avast! Mail Scanner
DISPLAY_NAME: avast! Mail Scanner
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 580
        FLAGS              :
        DESCRIPTION        : Implements mail scanning for avast! antivirus.
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
        LOAD_ORDER_GROUP   : ShellSvcGroup
        TAG                : 0
        DISPLAY_NAME       : avast! Mail Scanner
        DEPENDENCIES       : avast! Antivirus
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: avast! Web Scanner
DISPLAY_NAME: avast! Web Scanner
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 624
        FLAGS              :
        DESCRIPTION        : Implements web (HTTP) scanning for avast! antivirus.
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
        LOAD_ORDER_GROUP   : ShellSvcGroup
        TAG                : 0
        DISPLAY_NAME       : avast! Web Scanner
        DEPENDENCIES       : avast! Antivirus
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: BITS
DISPLAY_NAME: Background Intelligent Transfer Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1060
        FLAGS              :
        DESCRIPTION        : Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Background Intelligent Transfer Service
        DEPENDENCIES       : Rpcss
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Cryptsvc
DISPLAY_NAME: Cryptsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1060
        FLAGS              :
        DESCRIPTION        : Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

SERVICE_NAME: DcomLaunch
DISPLAY_NAME: DCOM Server Process Launcher
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 916
        FLAGS              :
        DESCRIPTION        : Provides launch functionality for DCOM services.
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost -k DcomLaunch
        LOAD_ORDER_GROUP   : Event Log
        TAG                : 0
        DISPLAY_NAME       : DCOM Server Process Launcher
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1060
        FLAGS              :
        DESCRIPTION        : Manages network configuration by registering and updating IP addresses and DNS names.
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   : TDI
        TAG                : 0
        DISPLAY_NAME       : DHCP Client
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: dmserver
DISPLAY_NAME: Logical Disk Manager
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1060
        FLAGS              :
        DESCRIPTION        : Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Logical Disk Manager
        DEPENDENCIES       : RpcSs
                           : PlugPlay
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1160
        FLAGS              :
        DESCRIPTION        : Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k NetworkService
        LOAD_ORDER_GROUP   : TDI
        TAG                : 0
        DISPLAY_NAME       : DNS Client
        DEPENDENCIES       : Tcpip
        SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: ERSvc
DISPLAY_NAME: Error Reporting Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1060
        FLAGS              :
        DESCRIPTION        : Allows error reporting for services and applictions running in non-standard environments.

SERVICE_NAME: Eventlog
DISPLAY_NAME: Event Log
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 720
        FLAGS              : SERVICE_RUNS_IN_SYSTEM_PROCESS
        DESCRIPTION        : Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\services.exe
        LOAD_ORDER_GROUP   : Event log
        TAG                : 0
        DISPLAY_NAME       : Event Log
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: EventSystem
DISPLAY_NAME: COM+ Event System
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1060
        FLAGS              :
        DESCRIPTION        : Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   : Network
        TAG                : 0
        DISPLAY_NAME       : COM+ Event System
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: FastUserSwitchingCompatibility
DISPLAY_NAME: Fast User Switching Compatibility
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1060
        FLAGS              :
        DESCRIPTION        : Provides management for applications that require assistance in a multiple user environment.
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Fast User Switching Compatibility
        DEPENDENCIES       : TermService
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: helpsvc
DISPLAY_NAME: Help and Support
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1060
        FLAGS              :
        DESCRIPTION        : Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Help and Support
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: HTTPFilter
DISPLAY_NAME: HTTP SSL
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 936
        FLAGS              :
        DESCRIPTION        : This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.

SERVICE_NAME: lanmanserver
DISPLAY_NAME: Server
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1060
        FLAGS              :
        DESCRIPTION        : Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Server
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Lavasoft Ad-Aware Service
DISPLAY_NAME: Lavasoft Ad-Aware Service
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1388
        FLAGS              :
        DESCRIPTION        : Ad-Aware Service
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"
        LOAD_ORDER_GROUP   : ShellSvcGroup
        TAG                : 0
        DISPLAY_NAME       : Lavasoft Ad-Aware Service
        DEPENDENCIES       : RpcSS
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: LmHosts
DISPLAY_NAME: TCP/IP NetBIOS Helper
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1276
        FLAGS              :
        DESCRIPTION        : Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP   : TDI
        TAG                : 0
        DISPLAY_NAME       : TCP/IP NetBIOS Helper
        DEPENDENCIES       : NetBT
                           : Afd
        SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: Netman
DISPLAY_NAME: Network Connections
        TYPE               : 120  WIN32_SHARE_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1060
        FLAGS              :
        DESCRIPTION        : Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.

SERVICE_NAME: NVSvc
DISPLAY_NAME: NVIDIA Display Driver Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1980
        FLAGS              :
        DESCRIPTION        : Provides system and desktop level support to the NVIDIA display driver
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\nvsvc32.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NVIDIA Display Driver Service
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: PlugPlay
DISPLAY_NAME: Plug and Play
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 720
        FLAGS              : SERVICE_RUNS_IN_SYSTEM_PROCESS
        DESCRIPTION        : Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\services.exe
        LOAD_ORDER_GROUP   : PlugPlay
        TAG                : 0
        DISPLAY_NAME       : Plug and Play
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ProtectedStorage
DISPLAY_NAME: Protected Storage
        TYPE               : 120  WIN32_SHARE_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 732
        FLAGS              : SERVICE_RUNS_IN_SYSTEM_PROCESS
        DESCRIPTION        : Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.

SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1060
        FLAGS              :
        DESCRIPTION        : Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.

SERVICE_NAME: seclogon
DISPLAY_NAME: Secondary Logon
        TYPE               : 120  WIN32_SHARE_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1060
        FLAGS              :
        DESCRIPTION        : Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

SERVICE_NAME: SENS
DISPLAY_NAME: System Event Notification
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1060
        FLAGS              :
        DESCRIPTION        : Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : Network TAG : 0 DISPLAY_NAME : System Event Notification DEPENDENCIES : EventSystem SERVICE_START_NAME : LocalSystem
SERVICE_NAME: SharedAccess DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS) TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1060 FLAGS : DESCRIPTION : Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS) DEPENDENCIES : Netman : WinMgmt SERVICE_START_NAME : LocalSystem
SERVICE_NAME: srservice DISPLAY_NAME: System Restore Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1060 FLAGS : DESCRIPTION : Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : System Restore Service DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem
SERVICE_NAME: SSDPSRV DISPLAY_NAME: SSDP Discovery Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1276 FLAGS : DESCRIPTION : Enables discovery of UPnP devices on your home network.
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : SSDP Discovery Service DEPENDENCIES : HTTP SERVICE_START_NAME : NT AUTHORITY\LocalService
SERVICE_NAME: stisvc DISPLAY_NAME: Windows Image Acquisition (WIA) TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 2032 FLAGS : DESCRIPTION : Provides image acquisition services for scanners and cameras.
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k imgsvc LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Windows Image Acquisition (WIA) DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem
SERVICE_NAME: TapiSrv DISPLAY_NAME: Telephony TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1060 FLAGS : DESCRIPTION : Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
SERVICE_NAME: TermService DISPLAY_NAME: Terminal Services TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 916 FLAGS : DESCRIPTION : Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : UIGroup TAG : 0 DISPLAY_NAME : Themes SERVICE_START_NAME : LocalSystem
SERVICE_NAME: TrkWks DISPLAY_NAME: Distributed Link Tracking Client TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1060 FLAGS : DESCRIPTION : Maintains links between NTFS files within a computer or across computers in a network domain.
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Distributed Link Tracking Client DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem
SERVICE_NAME: UMWdf DISPLAY_NAME: Windows User Mode Driver Framework TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 120 FLAGS : DESCRIPTION : Enables Windows user mode drivers.
TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\wdfmgr.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Windows User Mode Driver Framework DEPENDENCIES : RpcSs SERVICE_START_NAME : NT AUTHORITY\LocalService
SERVICE_NAME: usnjsvc DISPLAY_NAME: Messenger Sharing Folders USN Journal Reader service TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 3796 FLAGS : DESCRIPTION : Service installed by Messenger to enable sharing scenarios
TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files\Windows Live\Messenger\usnsvc.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Messenger Sharing Folders USN Journal Reader service DEPENDENCIES : rpcss : eventlog SERVICE_START_NAME : LocalSystem
SERVICE_NAME: WebClient DISPLAY_NAME: WebClient TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1876 FLAGS : DESCRIPTION : Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService LOAD_ORDER_GROUP : NetworkProvider TAG : 0 DISPLAY_NAME : WebClient DEPENDENCIES : MRxDAV SERVICE_START_NAME : NT AUTHORITY\LocalService
SERVICE_NAME: winmgmt DISPLAY_NAME: Windows Management Instrumentation TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1060 FLAGS : DESCRIPTION : Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
SERVICE_NAME: wscsvc DISPLAY_NAME: Security Center TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1060 FLAGS : DESCRIPTION : Monitors system security settings and configurations.
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Security Center DEPENDENCIES : RpcSs : winmgmt SERVICE_START_NAME : LocalSystem
SERVICE_NAME: wuauserv DISPLAY_NAME: Automatic Updates TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1060 FLAGS : DESCRIPTION : Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Automatic Updates SERVICE_START_NAME : LocalSystem
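The `sc qc` output above is checked by eye for service paths and logon accounts that no longer match a clean install. The following Python script is an added example (not code from this thread or from any tool the helper names) that does the same comparison mechanically: it parses concatenated `sc qc` records, flags any service that loads svchost.exe from outside System32, and compares each BINARY_PATH_NAME and SERVICE_START_NAME against a hand-written baseline. The sample records, the `EXPECTED` baseline and the `C:\WINDOWS` system root are all assumptions constructed for the example.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout `sc qc <service>` prints on Windows XP, two
# records concatenated. The first carries correct values for wscsvc; the second
# deliberately loads svchost.exe from a user Temp folder so the audit has
# something to flag. Both records are made up for this example.
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wscsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        DISPLAY_NAME       : Security Center
        DEPENDENCIES       : RpcSs
                           : winmgmt
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Cryptsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        DISPLAY_NAME       : Cryptographic Services
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem
"""

_FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")  # "KEY : value"
_CONT = re.compile(r"^\s*:\s*(.*?)\s*$")              # "    : value" (extra DEPENDENCIES line)


def parse_sc_qc(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse concatenated `sc qc` output into {service: {FIELD: [values]}}."""
    services: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    last_key = ""
    for line in text.splitlines():
        if not line.strip() or line.startswith("[SC]"):
            continue
        m = _FIELD.match(line)
        if m:
            key, value = m.groups()
            if key == "SERVICE_NAME":
                current, last_key = services.setdefault(value, {}), ""
                continue
            current.setdefault(key, [])
            if value:
                current[key].append(value)
            last_key = key
        else:
            c = _CONT.match(line)
            if c and last_key and c.group(1):
                current[last_key].append(c.group(1))
    return services


def _executable(cmdline: str) -> str:
    """Image path from a BINARY_PATH_NAME (quoted, or unquoted with arguments)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    m = re.match(r"(.*?\.exe)", cmdline, re.IGNORECASE)
    return m.group(1) if m else cmdline.split(" ")[0]


def _norm(s: str) -> str:
    return " ".join(s.split()).lower()


SYSTEM32 = r"c:\windows\system32"  # assumption: %SystemRoot% is C:\WINDOWS, as in the thread

# Hand-written baseline (an assumption for this example): expected command line
# and logon account per service, keyed by lower-cased service name.
EXPECTED: Dict[str, Tuple[str, str]] = {
    "wscsvc":   (r"C:\WINDOWS\system32\svchost.exe -k netsvcs", "LocalSystem"),
    "cryptsvc": (r"C:\WINDOWS\system32\svchost.exe -k netsvcs", "LocalSystem"),
}


def audit_services(services, expected=EXPECTED) -> List[str]:
    """Return one finding per deviation; an empty list means everything matched."""
    findings: List[str] = []
    for name, fields in services.items():
        path = " ".join(fields.get("BINARY_PATH_NAME", []))
        account = " ".join(fields.get("SERVICE_START_NAME", []))
        exe = _executable(path)
        # Generic rule: a service hosted by svchost.exe must load it from System32.
        if ntpath.basename(exe).lower() == "svchost.exe" and ntpath.dirname(exe).lower() != SYSTEM32:
            findings.append(f"{name}: svchost.exe loaded from outside System32: {exe}")
        exp = expected.get(name.lower())
        if exp is None:
            findings.append(f"{name}: not in baseline, review by hand: {path}")
            continue
        if _norm(path) != _norm(exp[0]):
            findings.append(f"{name}: BINARY_PATH_NAME is '{path}', expected '{exp[0]}'")
        if _norm(account) != _norm(exp[1]):
            findings.append(f"{name}: SERVICE_START_NAME is '{account}', expected '{exp[1]}'")
    seen = {n.lower() for n in services}
    findings.extend(f"{n}: missing from sc output" for n in expected if n not in seen)
    return findings


if __name__ == "__main__":
    for finding in audit_services(parse_sc_qc(SAMPLE_SC_QC)):
        print(finding)
```

Run against real output, paste the result of `sc qc <name>` for each service into a file and pass its contents to `parse_sc_qc`; the baseline should be taken from a known-clean machine of the same Windows version rather than from the machine being cleaned.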
Good, those service paths and descriptions are all correct now, and the ESET scan only located infection that had stored itself in the System Restore, which we will be clearing out shortly. Before we consider some last steps to finish our work here, post back how things are running please. Any problems we still need to address?
Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.
The PC is running fine, though I'm concerned about the laptop's health.
Because I had seen the Windows Update icon appear in the lower-right hand corner without my consent before I used the flash drive thing that made the autorun file. This is what happened with the PC when it was fully infected.
Also, on startup, I'm given the option to run Microsoft Recovery Console or standard Windows XP... does this mean something's wrong, and should I be worried about it?
Also, I have an external hard drive with many important files on it; I unplugged it when I caught on to the severity of the virus infestation... what do you recommend for my files' safety?
When you ran ComboFix it provided the means of installing the Recovery Console there. This is handy to have in case some future problem requires you access the system that way. The option is then added to your boot.ini file, and this is what you see when the computer first starts. As long as it defaults to the normal Windows bootup you should be fine.
I am not sure about the other two issues. To check the external drive it will need to be installed to a system. But at least we have seen no indications of file infectors, like Virut, so should there be other types of malware on the external drive that become active we can address those.
For now connect the external drive to this computer we have been working on. Then on both this computer and the laptop, run the following scan and post back those logs (be sure to mention which one is from the laptop):
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Then Go here and run the Kaspersky online scan, and post back the log it creates.
To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top if needed to allow this). Once the Database download is completed, under Scan in the left column click My Computer to start the scan. This may take a very long time, so allow the scan to run and perhaps find something else to do.
When the scan completes click View Scan Report. Then click Save Report As, and using the dropdown box save the report as "Files of Type: -> Text file (.txt)" to a location where you can find it again. Use any name you wish for the log.
Then locate that log and copy/paste those contents back here please.
The scan requires a good bit of database downloading and can take quite a while to complete.
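The reply above explains that the Recovery Console option at startup comes from an extra line in boot.ini and is harmless as long as the normal Windows entry stays the default. The script below is an added example (not from this thread or from ComboFix) that parses a boot.ini in that state and reports which entry boots by default and whether it is the Recovery Console (`/cmdcons`). The sample file is constructed for the example; the ARC path and edition label are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample of a Windows XP boot.ini after the Recovery Console has
# been added, the situation the thread describes. Written for this example,
# not copied from the poster's machine.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""


def _split_entry(value: str) -> Tuple[str, List[str]]:
    """Split '"Label" /opt1 /opt2' into the label and its option switches."""
    if value.startswith('"') and value.find('"', 1) > 0:
        end = value.find('"', 1)
        return value[1:end], value[end + 1:].split()
    parts = value.split()
    return (parts[0] if parts else ""), parts[1:]


def parse_boot_ini(text: str) -> Tuple[Dict[str, str], Dict[str, Tuple[str, List[str]]]]:
    """Return ([boot loader] settings, {arc_path: (label, options)})."""
    loader: Dict[str, str] = {}
    systems: Dict[str, Tuple[str, List[str]]] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        # Split on the first "=" only: option switches such as /noexecute=optin
        # live in the value part and must not be split again.
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "boot loader":
            loader[key.lower()] = value
        elif section == "operating systems":
            systems[key] = _split_entry(value)
    return loader, systems


def check_boot_default(text: str) -> Dict[str, object]:
    """Report which entry boots by default and whether it is the Recovery Console."""
    loader, systems = parse_boot_ini(text)
    default = loader.get("default", "")
    label, options = systems.get(default, ("", []))
    return {
        "default": default,
        "label": label,
        "known_entry": default in systems,
        "recovery_console_default": "/cmdcons" in (o.lower() for o in options),
        "timeout": int(loader["timeout"]) if loader.get("timeout", "").isdigit() else None,
        "entries": len(systems),
    }


if __name__ == "__main__":
    print(check_boot_default(SAMPLE_BOOT_INI))
```

On a real machine boot.ini sits in the root of the system drive as a hidden, read-only file; read it with the script rather than editing it, since a typo there stops the system from booting.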
It was updating at first, then I got a message saying the download timed out (probably because someone had used the laptop to access the wireless network which slowed the net right down.)
Now, whenever I open it and run the update
"ERROR: Key is expired"
I restarted, but it doesn't seem to work... what should I do?
Check in Add/Remove Programs and see if the uninstaller for Kaspersky was created. If so, go ahead and uninstall it and try the scan again. If no uninstall option there do the following instead.
Also, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"
Then right click My Computer, left click Explore, and use the plus + symbols to navigate to the following folder:
C:\Windows\Downloaded Program Files
Check those items, and if any indicate being Kaspersky right click - Remove that.