1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

mssvc.exe

Discussion in 'Virus & Other Malware Removal' started by caldog, Oct 1, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. caldog

    caldog Thread Starter

    Joined:
    Sep 23, 2003
    Messages:
    19
    First timer here,
    I've read all of the threads re: mssvc.exe and I haven't seen a solution that removes whatever is causing it. Mine has been active for a couple of months. I have downloaded and run PC-cillin(full version), Sybot, Ad-aware, Trojan Hunter, Spywareblaster, and other to no avail. I've run these programs in safe mode also. Each boot-up leads to the mssvc.exe message and then the computer auto launches to my web browser page. Microsoft error message says it's Blaster Worm and when I install and run Fixblast from Symantec after about a half hour of scanning I get a message that reads"fixblast has encountered a problem and needs to shut down." I've read guesses from stealthdisk to backdoor trojan to multiple viruses. I am also locked out from Command prompt and administrative services by a message that says I dont have permission to enter that area. Bottom line - what is this thing and how do I get rid of it? Is it as easy as someone knowledgeable reviewing the startup log or will it take a reinstall of XP? Any help is appreciated.

    Thanks
     
  2. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Hi Caldog, and welcome to TSG.. :)

    Could you please download 'Hijack This!' from http://www.spywareinfo.com/files/hijackthis.zip
    Unzip, doubleclick HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.

    This will give us a rundown of what’s going on in your PC. One of us here will be glad to analyse it for you. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.

    And yes, usually :) it is that simple.... famous last words.. :D

    Cheers

    Liam
     
  3. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    It's one of the installation files for 'Stealthdisk' - an app that enables files to be hidden.

    Un-installing and/or re-installing should fix it !!

    But if you want someone to check your system out do this:

    go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please copy & paste its contents to the forum.

    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  4. caldog

    caldog Thread Starter

    Joined:
    Sep 23, 2003
    Messages:
    19
    Liam & $teve,
    here is the log

    Logfile of HijackThis v1.97.2
    Scan saved at 12:46:08 PM, on 10/1/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCCLIENT.EXE
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCGUIDE.EXE
    C:\Program Files\Trend Micro\PC-cillin 2003\POP3TRAP.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dale\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (disabled by BHODemon)
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (disabled by BHODemon)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O9 - Extra button: Real.com (HKLM)First timer here,
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswax.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
    O16 - DPF: {234B7457-1A7E-4268-BA71-9936F0C78BEC} (ContentCleanup3X Control) - http://a840.g.akamai.net/7/840/5805...com/cleanup/includes/ContentCleanup3Proj1.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37627.3203356481
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/cannonballs/install.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4292/mcfscan.cab
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You have some spyware on the system but I'll leave cleaning instructions on that to others for now, as I have to leave.

    But would you verify whether you have Administrative access to your Services profile: Administrative Tools > Services.

    This one of the most troublesome features of this worm, it disables administrative access and only reinstalls seem to fix it.

    If you have access to the services profile, look for:

    Microsoft DHCP Routing Client

    double click it and make sure it is set to "disabled".

    This should also be deleted from the registry: run regedit

    and look for it under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
     
  6. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Hi caldog,

    Please go here and download, then run Coolwebshredder..

    http://www.webattack.com/get/cwshredder.shtml

    Then reboot and run a new HJT! scan.

    Please close all browser windows, check to fix the following entries, and then click the Fix checked button...

    Note: Some entries will not be there after running CWS.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about :blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about :blank

    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (disabled by BHODemon)

    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (disabled by BHODemon)

    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    O4 - Global Startup: officejet 6100.lnk = ?

    O9 - Extra button: Real.com (HKLM)First timer here,

    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/...lls/install.cab


    Then reboot and download Spybot - Search & Destroy, from www.tomcoyote.org/spybot : if you haven't already got the program.

    Now press Settings, and Settings again. Go to the Webupdate section, and check "Display also available beta versions".

    Now press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds marked RED.

    Be sure to use the immunize feature, for added protection.

    Then if you could reboot once more and post a final log, just for the final once over.

    Cheers

    Liam
     
  7. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    And this:
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server

    ;)
     
  8. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Cheers, Steve, (y)

    Must read more than the first line at pacs. :) I usually look at the letter in the left hand column. At least I saw CW this time..:p

    Liam
     
  9. caldog

    caldog Thread Starter

    Joined:
    Sep 23, 2003
    Messages:
    19
    Rollin' Rog,
    I have no access to Services under Admin. Tools. When I ran a regedit and looked under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    I found 1 file entitled Dhcp(no mention of Microsoft or routing client)
     
  10. caldog

    caldog Thread Starter

    Joined:
    Sep 23, 2003
    Messages:
    19
    Liam,
    here is the log.
    only a couple of glithches while following your directions. I'm not sure if they had any effect on the results. Here they are :
    I could find no "settings" button for Spybot, so I could not access "display also available beta versions." I read in the Spybot help pages that settings are only available in the advanced version of the sofware.
    Each reboot was still followed by the mssvc.exe message.
    thanks




    Logfile of HijackThis v1.97.2
    Scan saved at 4:25:56 PM, on 10/1/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dale\Local Settings\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswax.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
    O16 - DPF: {234B7457-1A7E-4268-BA71-9936F0C78BEC} (ContentCleanup3X Control) - http://a840.g.akamai.net/7/840/5805...com/cleanup/includes/ContentCleanup3Proj1.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37627.3203356481
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4292/mcfscan.cab
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Well the bad news is that when Administrative access is affected, the only fixes I have seen have involved reinstalls. And that is after editing the registry to remove the service. I just can't understand why this issue isn't being better documented on the antivirus library sites. We've had enough of a headache here with it, and plenty of Google > groups threads as well.

    You might try booting in Safe Mode, logging on as Administrator and having another look.

    In the meantime, please provide a copy of the HijackThis Startuplist (this is different from the Scanlog), by following these directions:

    click Config, then Misc Tools. Put a check in "list minor sections". Then click Generate StartupList and give a copy/paste of that.

    This should show us the exact service entry associated with mssvc.exe
     
  12. caldog

    caldog Thread Starter

    Joined:
    Sep 23, 2003
    Messages:
    19
    Here is the startup list'
    Logfile of HijackThis v1.97.2
    Scan saved at 8:25:29 AM, on 10/2/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Documents and Settings\Dale\Local Settings\Temp\Temporary Directory 11 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswax.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
    O16 - DPF: {234B7457-1A7E-4268-BA71-9936F0C78BEC} (ContentCleanup3X Control) - http://a840.g.akamai.net/7/840/5805...com/cleanup/includes/ContentCleanup3Proj1.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37627.3203356481
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4292/mcfscan.cab

    I'll boot under safe mode and see if access to Admin. services is still denied
     
  13. caldog

    caldog Thread Starter

    Joined:
    Sep 23, 2003
    Messages:
    19
    Unfortunately access is still denied in safe mode.
    Did you ever see Butch Cassidy & the Sundance Kid? Butch & the Kid are being unbelievably tracked over rocks and they ask themselves "Who are those guys?"
    My question is "what is this thing?"
     
  14. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    That's what I've been asking too, but basically this is a poorly, almost un documented variation of the msblaster/lovsan worm.

    You are still not giving me the startuplist format I'm asking for.

    Open HijackThis

    Click Config, then click Misc Tools

    put a check in "list minor sections"

    click Generate Startuplist

    That's the one I need to see.
     
  15. caldog

    caldog Thread Starter

    Joined:
    Sep 23, 2003
    Messages:
    19
    Here' the correct startup

    StartupList report, 10/2/2003, 9:56:34 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Dale\Local Settings\Temp\Temporary Directory 9 for hijackthis.zip\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dale\Local Settings\Temp\Temporary Directory 9 for hijackthis.zip\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\System32\Userinit.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    Pop3trap.exe = "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    pccguide.exe = "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    PCCClient.exe = "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    (Default) =

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
    StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\ssflwbox.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    FRU Task #Hewlett-Packard#hp psc 2100 series#1037223650.job
    Windows Update.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Support.com Configuration Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlcm.dll
    CODEBASE = http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [CoDetectDigitalRiver Class]
    CODEBASE = http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab

    [Macromedia Authorware Web Player Control]
    InProcServer32 = C:\WINDOWS\System32\macromed\authorwa\awswax.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/authorware/awswax.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
    CODEBASE = http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab

    [{2119776A-F1AD-4FCD-9548-F1E1C615350C}]
    CODEBASE = http://www.stop-sign.com/pub/download/scandl_cnry.cab

    [ContentCleanup3X Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~2.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/5805...com/cleanup/includes/ContentCleanup3Proj1.cab

    [Yahoo! Audio Conferencing]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yacscom.dll
    CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab

    [Cult3D ActiveX Player]
    InProcServer32 = C:\WINDOWS\System32\Cult3D\IECult.dll
    CODEBASE = http://i.a.cnn.net/cnn/resources/cult3d/cult.cab

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37627.3203356481

    [ContentAuditX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab

    [ActiveDataInfo Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/SymAData.dll

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Microsoft Office Tools on the Web Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\OUTC.DLL
    CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

    [ActiveDataObj Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

    [McFreeScan Class]
    InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
    CODEBASE = http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4292/mcfscan.cab

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    Fallback: System32\DRIVERS\HSF_FALL.sys (autostart)
    Fsks: System32\DRIVERS\HSF_FSKS.sys (autostart)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    K56: System32\DRIVERS\HSF_K56K.sys (autostart)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    LexBce Server: C:\WINDOWS\system32\LEXBCES.EXE (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    PC-cillin Personal Firewall: C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Microsoft DHCP Routing Client: C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE (autostart)
    Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SoftFax: System32\DRIVERS\HSF_FAXX.sys (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Tmfilter: System32\drivers\TmXPFlt.sys (autostart)
    Trend NT Realtime Service: "C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe" (autostart)
    Tmpreflt: System32\drivers\Tmpreflt.sys (autostart)
    Trend Micro Proxy Service: C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe (autostart)
    Trend Micro TDI Driver: \SystemRoot\System32\Drivers\tmtdi.sys (autostart)
    Common Firewall Driver: \SystemRoot\System32\Drivers\tm_cfw.sys (autostart)
    Tones: System32\DRIVERS\HSF_TONE.sys (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    V124: System32\DRIVERS\HSF_V124.sys (autostart)
    Vsapint: System32\drivers\Vsapint.sys (autostart)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 13,813 bytes
    Report generated in 1.391 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/168815

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice