No response since 7/8?

Discussion in 'adware, spyware & hijack cleaning' started by LBD, Jul 12, 2004.

Thread Status:
Not open for further replies.
  1. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    "bump"
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Your log now looks fine; I'd like Mosaic1 to take a look at your VXfinder log, as I have no experience using that application.
     
  3. Mosaic1

    Mosaic1 Guest

    sisbkup1028k.dll

    Do you have a copy of this file in your Recycle Bin? If so I would like a copy of it please for analysis.

    Let me know and I'll PM you my email address. Thanks.

    I am not clear on what your current status actually is.

    Are you still getting errors? And if so, what and when?

    VX2 looks ok but you should remove the User Agent String.

    Run VX2 Finder again. Once the results come up, click the UserAgent Button on the right to remove the User Agent String.
     
  4. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    I don't have a copy of the sisbkup1028k.dll file in my Recycle bin; I deleted it on 7/22 and shredded the contents of my Recycle bin.

    I will remove the User Agent with VX2Finder this evening.

    As far as my PC's current status, here are some details.

    The PC is fine in safe mode - connects to the Internet, brings up my homepage, other websites, etc. The PC is NOT fine in normal mode - it tries to connect to the Internet, gets about 2 bars worth on the progress bar and then quickly does the rest of the bars and brings up a blank white screen with no URL in the address bar. When I type in a URL and hit enter, it does the same thing, looks like it's going to do something, and just comes up with a blank white screen. I absolutely cannot connect to a single site in normal mode. I cannot download anything, even in safe mode. I tried re-installing the Comcast Internet connection program and when I did that, I was able to connect, surf, etc. (not download though). But when I closed out that session and then double-clicked to get back in, the same old blank white screen stuff happened. I know I need 7 or 8 Windows XP Home Edition critical updates, but I get to the Microsoft Updates' page in safe mode and click to install them, but the download never happens. The only other weird thing that I've noticed is what I brought up before, that when I hover my mouse on my desktop over the Comcast Internet icon and right-click, two of the options, Open and the third one, whatever that is, the word is missing - you don't see "Open" listed on the menu and one other choice.

    I ran AdAware this weekend, SpywareBlaster, Spybot, and Bazooka again. Spybot only comes up with DSO Exploit; SpywareBlaster is totally up-to-date; Bazooka found nothing, and AdAware found for the second week in a row, VX2. Last time and this time, I clicked to have it delete and quarantine it, and it does, but it keeps showing up, so something is not right. A couple weeks ago, PestScan found 5 things: EUniverse, BingoFunGames, CWS, EbatesMoneyMaker, and SandBoxer. I used the manual removal procedures at http://www.pestpatrol.com/PestInfo/... to get rid of BingoFunGames and I think EbatesMoneyMaker. I will try to run it again tonight to see if it still shows the other three.

    That's where I am right now - I want my PC back and normal again!
     
  5. Mosaic1

    Mosaic1 Guest

    Where is your firewall?

    If you can get the internet in Safe Mode and not in normal, then it's time to ask yourself what runs in normal mode which doesn't in Safe Mode.

    Run hijackthis in both modes and look at the running processes.

    Where are the differences? Can you start disabling some of the startups in groups and then try Regular Mode. See if you can get on the internet. It would be a matter of ruling them out a few at a time.

    Don't forget to re-enable after you have finished testing.
     
  6. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    We have McAfee and Windows XP Home Edition has their Internet Connection Firewall, but I have had to disable that from time to time during this whole troubleshooting period.

    Good news - I re-ran the VX2Finder and got rid of the user agent. I was able to download and install all of the critical Windows updates. I added our Comcast (ISP) in my trusted sites and guess what? I was actually able to get on the Internet last night in normal mode! Yahoo!

    However, I did run several of the anti-spyware programs (Adaware, SpyBot, SpywareBlaster, Housecall, etc.) and Adaware found something new, Rads01.Quadrogram (malware) and deleted and quarantined it. Housecall found a non-cleanable Troj_Agent.AE on C:\System Volume Information\_restore {ED67 ..}\RP316\A0217443.exe. I deleted the file, re-booted, and could still get on the Internet in normal mode.

    My question has to do with the two log files, one from Safe Mode and one from Normal Mode - can you look at them and tell me if I should have HJT fix anything?

    Thanks,
    Lisa

    Logfile of HijackThis v1.98.0 (Normal Mode)
    Scan saved at 6:34:14 PM, on 7/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\SWG\sgmain.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\SWG\sgbhp.exe
    C:\Program Files\newhjt\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/comcast.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R3 - Default URLSearchHook is missing
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SWG\sgmain.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: ComcastHSI - {08B54801-872C-48B6-A6E1-C82654633165} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Support - {1E62ABE5-B3F6-4C97-94D3-DEA011F942BC} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: Help - {277FF29F-D738-4FF0-9D59-8505264F5DB3} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O20 - AppInit_DLLs: C:\WINDOWS\System32\INLOADER519v.dll

    Logfile of HijackThis v1.98.0 (Safe Mode)
    Scan saved at 8:11:12 PM, on 7/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\newhjt\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder\SHRED32.EXE" /q C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.SH!
    O4 - HKCU\..\RunOnce: [RealPlayer0] "C:\Program Files\Real\RealPlayer\realplay.exe" "/firstrun C:\Program Files\Real\RealPlayer\firstrun.smi"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SWG\sgmain.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O20 - AppInit_DLLs: C:\WINDOWS\System32\INLOADER519v.dll
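
The normal-mode versus safe-mode comparison requested in post 5, as an added example that is not part of the original thread. It parses two HijackThis logs, lists processes and entries that appear in only one mode, and pulls out any O20 AppInit_DLLs value; the sample logs are short excerpts constructed from the two logs in post 6, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample input: short excerpts of the two HijackThis logs in post 6.
NORMAL_LOG = r"""
Logfile of HijackThis v1.98.0 (Normal Mode)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SWG\sgmain.exe
C:\Program Files\Support.com\bin\tgcmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\INLOADER519v.dll
"""

SAFE_LOG = r"""
Logfile of HijackThis v1.98.0 (Safe Mode)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O20 - AppInit_DLLs: C:\WINDOWS\System32\INLOADER519v.dll
"""

# HijackThis entry lines start with a section code such as R0, O4 or O20.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into running-process paths and (code, detail) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the process list ends at the first entry line
            entries.append((match.group(1), match.group(2)))
        elif in_processes and line:
            processes.append(line)
    return processes, entries


def only_in_first(first, second):
    """Items in `first` but not `second`, keeping duplicates (e.g. several svchost.exe).

    Windows paths are case-insensitive, so items are compared and returned lowercased.
    """
    diff = Counter(x.lower() for x in first) - Counter(x.lower() for x in second)
    return sorted(diff.elements())


def entry_text(entry):
    """Render a parsed (code, detail) pair back into its log-line form."""
    return f"{entry[0]} - {entry[1]}"


def compare_modes(normal_text, safe_text):
    """Report what differs between a normal-mode and a safe-mode log."""
    n_proc, n_ent = parse_hjt(normal_text)
    s_proc, s_ent = parse_hjt(safe_text)
    n_lines = [entry_text(e) for e in n_ent]
    s_lines = [entry_text(e) for e in s_ent]
    # AppInit_DLLs is a registry value, so it shows in both logs and never
    # appears in the diff; report it separately for manual review.
    appinit = {d.split(":", 1)[1].strip()
               for code, d in n_ent + s_ent
               if code == "O20" and d.lower().startswith("appinit_dlls:")}
    return {
        "processes_only_in_normal": only_in_first(n_proc, s_proc),
        "entries_only_in_normal": only_in_first(n_lines, s_lines),
        "entries_only_in_safe": only_in_first(s_lines, n_lines),
        "appinit_dlls": sorted(appinit),
    }


if __name__ == "__main__":
    for section, items in compare_modes(NORMAL_LOG, SAFE_LOG).items():
        print(f"{section}:")
        for item in items:
            print(f"  {item}")
```

The processes listed under `processes_only_in_normal` are the candidates to disable in groups, as the post suggests; anything under `appinit_dlls` needs checking regardless of mode.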
     
  7. Mosaic1

    Mosaic1 Guest

    As a test, take Comcast out of trusted and see if you still get on the internet. I see you have a new AppInit_DLLs file added.

    Its name is:
    INLOADER519v.dll
    And it is in system32;

    Go to System32 please and look to see if it is visible.

    If so, right-click on it and choose Send To > Compressed from the menu.

    This will create a new zip file.

    Please email me at
    Katie_3232 @hotmail.com

    Send the zip as an attachment along with a reminder of this subject. I forget sometimes because I do so many.

    I have added a space before the @ on that address. Remove the space and the email address will work.

    I'll have a look and then send that file in for analysis. This is not normal. You removed another earlier and now you have yet one more with a new name.
     
  8. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    Mo and Tony,
    I didn't have to worry about the little test of taking Comcast out of my trusted sites because tonight I couldn't get on the Internet in normal mode at all. It was doing the same thing it always does - when I double-clicked on Comcast, it gets about 2 bars on the progress bar for connecting, then quickly draws the rest of the bars and leaves a blank white screen. Just to make sure that Comcast was still in my trusted sites, I checked and it was and I removed it, but same thing. So, we've regressed a little bit from yesterday. I'm now in safe mode. I did email you the zipped file, the second AppInit_Dll, named INLOADER519v.dll, that is showing up in the O20 line of the HJT log files. When you send files in for analysis, what does that mean and how long does it take? Thanks for all of your hard work and help!
    Lisa
     
  9. Mosaic1

    Mosaic1 Guest

    A couple things please.

    You seem to be getting reinfected.

    I'd like you to go to the Internet Explorer Address Bar and paste this in. Then press enter.

    javascript:navigator.userAgent

    Copy and paste the result into your next reply.
     
  10. Mosaic1

    Mosaic1 Guest

    I'd like you to do a registry search for this CLSID please:
    {7FDD59E7-B45B-41f5-A620-51DFF3F06D83}


    As for a search of the registry here's a very nice script to help you out.

    Download it and run it. When it starts, you will be prompted to enter a search phrase. Do that and go have a cup of coffee.
    When you get back, a message box will be there on the desktop. Say yes to open the results. Copy and paste the contents into a reply here. Once you close that file, it will be deleted, so please save it as results.txt. We may need it again.

    Here's that link:
    http://www.billsway.com/vbspage/
    Find Registry Search Tool and download it.
     
  11. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    Here are the results from the javascript:navigator.userAgent -

    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

    And, for the second item, the registry search by BillsWay.com ran very quickly, 16 secs or so, and came up with NO INSTANCES of the CLSID. I double-checked everything and still came up with the same result.
     
  12. Mosaic1

    Mosaic1 Guest

    See if you can fix the Appinit_Dlls value in HijackThis and then restart.

    Delete the file and see what happens. This is just repetition. It may come right back again.

    As a start, let's clear the O20 entry and then reboot. Delete INLOADER519v.dll


    Can you get on the internet now?


    Go to start >Run and type Regedit
    press enter
    Navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension

    Right Click on Extension and choose Export from the menu.

    This will make a copy of the key. Give it a name and then when saved, find the file. Right click, choose edit. Copy and paste the contents into your next reply here.


    Finally, let's disable SpywareGuard. In Msconfig, remove checkmarks from the SpywareGuard entries.

    Then disable the BHO.

    You can download and use BHO Demon to disable the BHO

    All this can easily be undone later.

    Here's the link to a page where you can download BHO Demon.

    http://www.computercops.biz/downloads-cat-14.html
     
  13. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    I have done everything that you suggested: had HJT fix the O20 entry, rebooted, deleted INLOADER519.dll, rebooted, then I could get on the Internet. Did the Regedit key file and will post shortly in a separate msg. Disabled SpywareGuard and disabled the BHO. After doing all of that, I rebooted and discovered that I could not get on the Internet in normal mode, so I'm typing this in safe mode.
     
  14. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    Regedit key file info below:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\.pdf]
    "Content Type"="application/pdf"
    "Version"="5.0.0.2001031500"
    @="Adobe Acrobat"
    "Location"="C:\\Program Files\\Internet Explorer\\PLUGINS\\nppdf32.dll"
     
  15. Mosaic1

    Mosaic1 Guest

    OK, it seems your problem may be related to that AppInit_Dlls file reappearing. See if you have yet another one. Do a log and let me know. The real question is this:

    How is that thing being placed there? To be honest I don't know.



    There is a new utility named Startup Tracker which sometimes shows what HijackThis doesn't. It will get the active services too. Download, extract and run it. It will place its report on the clipboard. Reply here and paste it in.
    http://www.dougknox.com/xp/utils/xp_starttrack.htm

    The Registry file you posted is OK.

    With SpywareGuard disabled, can you download normally?

    I want you to be able to get this new utility.

    If you cannot, then can you get your emails? If so, PM me with your address and I'll send you a copy of the utility later.

    Re-enable SpywareGuard if it hasn't been shown to be faulty. It is not the cause of your Download problems.
     
  16. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    Well, there's indeed a strange thing going on here! I forgot in my two messages yesterday to tell you that after doing all of the procedures last night, I re-ran HJT and did not see the AppInit reappear (yeah!). So, I have no clue how it's getting there either. I deleted INLOADER519v.dll from System32 folder, but I still have the zipped version of same that I emailed you - should I delete that too?

    I haven't been able to download normally since this whole thing happened a month ago. I'm at work now and will download the Startup Tracker onto a floppy and extract it at home this evening and run it - so stay tuned for my next post for the report from that.

    About SpywareGuard - I can re-enable it, but it hasn't worked right either since all of this. It brings up the front page and I click on "check for updates" and it always fails at that point ... looks like it's going to work and then comes back with the corrupt files or virus or whatever msg. A few weeks ago, I tried deleting the SpywareGuard program and while I can get rid of most of it, it always comes back with a msg. that some other program is using a few of the files and I can't delete them. I don't know what to do with it, but it's not doing me any good not functioning.

    More later when I have the Startup Tracker report.
     
  17. Mosaic1

    Mosaic1 Guest

    That sounds awful! OK go ahead and leave it disabled.

    When you run Startup Tracker, would you run it once in Regular Mode first and save the log as a text file? Then boot to Safe Mode and run it again please, save the log and name it Safemode.txt

    I'd like to compare what is running in each mode.

    Thanks.
     
  18. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    Okay, Mo, I only have the normal mode Startup Tracker log file. I'll have to do the safe mode this evening when I get home and post it separately. Here's the normal mode log file:

    8/4/2004 6:17:16 AM

    -- Registry --
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

    No Items Found

    -- Registry --
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray SysTray.Exe
    HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    HPHmon03 C:\WINDOWS\System32\hphmon03.exe
    AdaptecDirectCD C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    Alogserv C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
    ComcastSUPPORT C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start

    -- Registry --
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

    No Items Found

    -- Registry --
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    H/PC Connection Agent "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

    -- Registry --
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce

    No Items Found

    -- Registry --
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

    H/PC Connection Agent "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"

    -- Start Menu - Current User --
    No Items Found

    -- Start Menu - All Users --
    Adobe Gamma Loader.lnk
    Acrobat Assistant.lnk
    Microtek Scanner Finder.lnk
    Microsoft Office.lnk

    -- Disabled Items --
    SpywareGuard

    -- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon --
    Explorer.exe

    -- Running Processes --
    System Idle Process
    System
    SMSS.EXE \SystemRoot\System32\smss.exe
    csrss.exe
    winlogon.exe winlogon.exe
    services.exe C:\WINDOWS\system32\services.exe
    lsass.exe C:\WINDOWS\system32\lsass.exe
    svchost.exe C:\WINDOWS\system32\svchost -k rpcss
    svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
    Avsynmgr.exe "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe"
    svchost.exe C:\WINDOWS\System32\svchost.exe -k imgsvc
    Explorer.exe C:\WINDOWS\Explorer.EXE
    VSStat.exe "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe"
    Vshwin32.exe "C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe"
    Avconsol.exe "C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe"
    WebScanX.exe "C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe"
    hpztsb04.exe "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
    hphmon03.exe "C:\WINDOWS\System32\hphmon03.exe"
    Directcd.exe "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    AlogServ.exe "C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe"
    CFD.exe "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
    HPHipm09.exe C:\WINDOWS\System32\HPHipm09.exe
    wcescomm.exe "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    msmsgs.exe "C:\Program Files\Messenger\msmsgs.exe" /background
    AcroTray.exe "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe"
    SDII.exe "C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe"
    tgcmd.exe "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    Mcshield.exe "C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe"
    StartupTracker3.exe "C:\Documents and Settings\System Administrator\Local Settings\Temp\Temporary Directory 1 for StartupTracker3.zip\StartupTracker3.exe"
    wmiprvse.exe

    -- Running Services --

    Name: AudioSrv
    Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: AvSynMgr
    Description: McAfee AVSync Manager
    Startup Mode: Auto
    Run from: "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe"

    Name: BITS
    Description: Uses idle network bandwidth to transfer data.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: CryptSvc
    Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: Dhcp
    Description: Manages network configuration by registering and updating IP addresses and DNS names.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Dnscache
    Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService

    Name: ERSvc
    Description: Allows error reporting for services and applictions running in non-standard environments.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Eventlog
    Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\services.exe

    Name: EventSystem
    Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: FastUserSwitchingCompatibility
    Description: Provides management for applications that require assistance in a multiple user environment.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: helpsvc
    Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: lanmanserver
    Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: lanmanworkstation
    Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: LmHosts
    Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

    Name: McShield
    Description: McAfee On Access Scanner
    Startup Mode: Manual
    Run from: "C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe"

    Name: Messenger
    Description: Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Netman
    Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Nla
    Description: Collects and stores network configuration and location information, and notifies applications when this information changes.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: PlugPlay
    Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\services.exe

    Name: Pml Driver
    Description:
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\HPHipm09.exe

    Name: PolicyAgent
    Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\lsass.exe

    Name: ProtectedStorage
    Description: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\lsass.exe

    Name: RasMan
    Description: Creates a network connection.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: RemoteAccess
    Description: Offers routing services to businesses in local area and wide area network environments.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: RpcSs
    Description: Provides the endpoint mapper and other miscellaneous RPC services.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost -k rpcss

    Name: SamSs
    Description: Stores security information for local user accounts.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\lsass.exe

    Name: Schedule
    Description: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: seclogon
    Description: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: SENS
    Description: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: ShellHWDetection
    Description:
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Spooler
    Description: Loads files to memory for later printing.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\spoolsv.exe

    Name: srservice
    Description: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: SSDPSRV
    Description: Enables discovery of UPnP devices on your home network.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

    Name: stisvc
    Description: Provides image acquisition services for scanners and cameras.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k imgsvc

    Name: TapiSrv
    Description: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: TermService
    Description: Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Themes
    Description: Provides user experience theme management.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: TrkWks
    Description: Maintains links between NTFS files within a computer or across computers in a network domain.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: uploadmgr
    Description: Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: W32Time
    Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: WebClient
    Description: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

    Name: winmgmt
    Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: wuauserv
    Description: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: WZCSVC
    Description: Provides automatic configuration for the 802.11 adapters
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
     
  19. Mosaic1

    Mosaic1 Guest

    I really needed the Safe Mode first and then the regular. There may have been something set to run and we could only see that in Safe mode.

    Please go to Safe mode and run HijackThis and Startup Tracker. Save the logs as Safemode HT.txt and Safemode ST.txt.

    Then boot to Regular Windows and run both utilities.

    Save as Regular HT.txt and Regular ST.txt.
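One way to compare the Safe Mode and regular-mode logs requested in this post, as an added example that is not part of the original thread: a Python script that parses two HijackThis logs and lists the running processes and R/O items that appear in only one of them. The two sample logs are constructed for illustration, and all function and variable names are assumptions.

```python
import re

# HijackThis item lines begin with a section code such as R0, R1, O2, O4 or O16.
ITEM_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Constructed sample logs (not taken from any real machine).
SAFE_LOG = r"""Logfile of HijackThis v1.98.0
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.example.com
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKCU\..\RunOnce: [ExampleOnce] C:\Program Files\Example\once.exe /q
"""

REGULAR_LOG = r"""Logfile of HijackThis v1.98.0
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Example\tray.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.example.com
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O9 - Extra button: ExampleButton - {00000000-0000-0000-0000-000000000000} - (no file)
"""


def _key(text):
    # Windows paths and registry names are case-insensitive, so compare
    # case-folded text with runs of whitespace collapsed.
    return " ".join(text.split()).casefold()


def parse_hjt(text):
    """Return (processes, items) as dicts mapping comparison key -> original line."""
    processes, items = {}, {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()  # forum posts often indent pasted logs
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.casefold().startswith("running processes"):
            in_processes = True
            continue
        if ITEM_RE.match(line):
            in_processes = False
            items.setdefault(_key(line), line)
        elif in_processes:
            processes.setdefault(_key(line), line)
        # anything else is a header line (version, platform, scan time)
    return processes, items


def _only_in(a, b):
    # Original lines whose comparison key is in a but not in b, in stable order.
    return [a[k] for k in sorted(a.keys() - b.keys())]


def diff_logs(safe_text, regular_text):
    """Compare a Safe Mode log with a regular-mode log."""
    safe_procs, safe_items = parse_hjt(safe_text)
    reg_procs, reg_items = parse_hjt(regular_text)
    return {
        "processes_only_safe": _only_in(safe_procs, reg_procs),
        "processes_only_regular": _only_in(reg_procs, safe_procs),
        "items_only_safe": _only_in(safe_items, reg_items),
        "items_only_regular": _only_in(reg_items, safe_items),
    }


if __name__ == "__main__":
    for section, lines in diff_logs(SAFE_LOG, REGULAR_LOG).items():
        print(f"-- {section} --")
        for entry in lines or ["(none)"]:
            print("   ", entry)
```

Items under HKCU can differ simply because the two scans were run from different user accounts, so check which profile each log was taken under before treating a difference as suspicious.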
     
  20. LBD

    LBD Registered Member

    Here are the (4) log files as you requested:

    Logfile of HijackThis v1.98.0 (Safemode_HT.txt)
    Scan saved at 6:38:24 PM, on 8/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\newhjt\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll (disabled by BHODemon)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder\SHRED32.EXE" /q C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.SH!
    O4 - HKCU\..\RunOnce: [RealPlayer0] "C:\Program Files\Real\RealPlayer\realplay.exe" "/firstrun C:\Program Files\Real\RealPlayer\firstrun.smi"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SWG\sgmain.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

    8/4/2004 6:31:07 PM Log File of Startup Tracker (Safemode_ST.txt)

    -- Registry --
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

    No Items Found

    -- Registry --
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray SysTray.Exe
    HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    HPHmon03 C:\WINDOWS\System32\hphmon03.exe
    AdaptecDirectCD C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    Alogserv C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
    ComcastSUPPORT C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start

    -- Registry --
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

    DelayShred "C:\Program Files\McAfee\McAfee Shared Components\Shredder\SHRED32.EXE" /q C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.SH!
    RealPlayer0 "C:\Program Files\Real\RealPlayer\realplay.exe" "/firstrun C:\Program Files\Real\RealPlayer\firstrun.smi"

    -- Registry --
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    H/PC Connection Agent "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

    -- Registry --
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce

    No Items Found

    -- Registry --
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

    H/PC Connection Agent "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"

    -- Start Menu - Current User --
    SpywareGuard.lnk
    BHODemon 2.0.lnk

    -- Start Menu - All Users --
    Adobe Gamma Loader.lnk
    Acrobat Assistant.lnk
    Microtek Scanner Finder.lnk
    Microsoft Office.lnk

    -- Disabled Items --
    SpywareGuard

    -- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon --
    Explorer.exe

    -- Running Processes --
    System Idle Process
    System
    smss.exe \SystemRoot\System32\smss.exe
    csrss.exe
    winlogon.exe winlogon.exe
    services.exe C:\WINDOWS\system32\services.exe
    lsass.exe C:\WINDOWS\system32\lsass.exe
    svchost.exe C:\WINDOWS\system32\svchost -k rpcss
    svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    Explorer.EXE C:\WINDOWS\Explorer.EXE
    StartupTracker3.exe "C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for StartupTracker3.zip\StartupTracker3.exe"
    wmiprvse.exe

    -- Running Services --

    Name: CryptSvc
    Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: Dhcp
    Description: Manages network configuration by registering and updating IP addresses and DNS names.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Dnscache
    Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService

    Name: Eventlog
    Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\services.exe

    Name: helpsvc
    Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: lanmanserver
    Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: lanmanworkstation
    Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: LmHosts
    Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

    Name: Messenger
    Description: Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Netman
    Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: PlugPlay
    Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\services.exe

    Name: RpcSs
    Description: Provides the endpoint mapper and other miscellaneous RPC services.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost -k rpcss

    Name: srservice
    Description: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: TermService
    Description: Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: uploadmgr
    Description: Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: winmgmt
    Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: WZCSVC
    Description: Provides automatic configuration for the 802.11 adapters
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Logfile of HijackThis v1.98.0 in Regular Mode (Regular_HT.txt)
    Scan saved at 6:48:08 PM, on 8/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\System32\hphmon03.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINDOWS\System32\HPHipm09.exe
    C:\Program Files\newhjt\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/comcast.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R3 - Default URLSearchHook is missing
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll (disabled by BHODemon)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: ComcastHSI - {08B54801-872C-48B6-A6E1-C82654633165} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Support - {1E62ABE5-B3F6-4C97-94D3-DEA011F942BC} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: Help - {277FF29F-D738-4FF0-9D59-8505264F5DB3} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O15 - Trusted Zone: http://www.comcast.net
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

    8/4/2004 6:49:14 PM Log File of Startup Tracker in Regular Mode (Regular_ST.txt)

    -- Registry --
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

    No Items Found

    -- Registry --
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray SysTray.Exe
    HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    HPHmon03 C:\WINDOWS\System32\hphmon03.exe
    AdaptecDirectCD C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    Alogserv C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
    ComcastSUPPORT C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start

    -- Registry --
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

    No Items Found

    -- Registry --
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    H/PC Connection Agent "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

    -- Registry --
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce

    No Items Found

    -- Registry --
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

    H/PC Connection Agent "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"

    -- Start Menu - Current User --
    No Items Found

    -- Start Menu - All Users --
    Adobe Gamma Loader.lnk
    Acrobat Assistant.lnk
    Microtek Scanner Finder.lnk
    Microsoft Office.lnk

    -- Disabled Items --
    SpywareGuard

    -- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon --
    Explorer.exe

    -- Running Processes --
    System Idle Process
    System
    SMSS.EXE \SystemRoot\System32\smss.exe
    CSRSS.EXE
    WINLOGON.EXE winlogon.exe
    SERVICES.EXE C:\WINDOWS\system32\services.exe
    LSASS.EXE C:\WINDOWS\system32\lsass.exe
    SVCHOST.EXE C:\WINDOWS\system32\svchost -k rpcss
    SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k netsvcs
    SVCHOST.EXE
    SVCHOST.EXE
    SPOOLSV.EXE C:\WINDOWS\system32\spoolsv.exe
    Avsynmgr.exe "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe"
    SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k imgsvc
    VSStat.exe "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe"
    VSHWIN32.EXE "C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe"
    WebScanX.exe "C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe"
    Avconsol.exe "C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe"
    Explorer.EXE C:\WINDOWS\Explorer.EXE
    hpztsb04.exe "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
    hphmon03.exe "C:\WINDOWS\System32\hphmon03.exe"
    Directcd.exe "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    AlogServ.exe "C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe"
    CFD.exe "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
    wcescomm.exe "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    msmsgs.exe "C:\Program Files\Messenger\msmsgs.exe" /background
    tgcmd.exe "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    AcroTray.exe "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe"
    SDII.exe "C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe"
    Mcshield.exe "C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe"
    HPHipm09.exe C:\WINDOWS\System32\HPHipm09.exe
    StartupTracker3.exe "C:\Documents and Settings\System Administrator\Local Settings\Temp\Temporary Directory 2 for StartupTracker3.zip\StartupTracker3.exe"
    wmiprvse.exe

    -- Running Services --

    Name: AudioSrv
    Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: AvSynMgr
    Description: McAfee AVSync Manager
    Startup Mode: Auto
    Run from: "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe"

    Name: BITS
    Description: Uses idle network bandwidth to transfer data.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: CryptSvc
    Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: Dhcp
    Description: Manages network configuration by registering and updating IP addresses and DNS names.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Dnscache
    Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService

    Name: ERSvc
    Description: Allows error reporting for services and applictions running in non-standard environments.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Eventlog
    Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\services.exe

    Name: EventSystem
    Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: FastUserSwitchingCompatibility
    Description: Provides management for applications that require assistance in a multiple user environment.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: helpsvc
    Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: lanmanserver
    Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: lanmanworkstation
    Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: LmHosts
    Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

    Name: McShield
    Description: McAfee On Access Scanner
    Startup Mode: Manual
    Run from: "C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe"

    Name: Messenger
    Description: Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Netman
    Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Nla
    Description: Collects and stores network configuration and location information, and notifies applications when this information changes.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: PlugPlay
    Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\services.exe

    Name: Pml Driver
    Description:
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\HPHipm09.exe

    Name: PolicyAgent
    Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\lsass.exe

    Name: ProtectedStorage
    Description: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\lsass.exe

    Name: RasMan
    Description: Creates a network connection.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: RemoteAccess
    Description: Offers routing services to businesses in local area and wide area network environments.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: RpcSs
    Description: Provides the endpoint mapper and other miscellaneous RPC services.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost -k rpcss

    Name: SamSs
    Description: Stores security information for local user accounts.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\lsass.exe

    Name: Schedule
    Description: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: seclogon
    Description: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: SENS
    Description: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: ShellHWDetection
    Description:
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Spooler
    Description: Loads files to memory for later printing.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\spoolsv.exe

    Name: srservice
    Description: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: SSDPSRV
    Description: Enables discovery of UPnP devices on your home network.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

    Name: stisvc
    Description: Provides image acquisition services for scanners and cameras.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k imgsvc

    Name: TapiSrv
    Description: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: TermService
    Description: Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Themes
    Description: Provides user experience theme management.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: TrkWks
    Description: Maintains links between NTFS files within a computer or across computers in a network domain.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: uploadmgr
    Description: Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: W32Time
    Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: WebClient
    Description: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

    Name: winmgmt
    Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: wuauserv
    Description: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: WZCSVC
    Description: Provides automatic configuration for the 802.11 adapters
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
     
  21. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    "bump"
     
  22. Mosaic1

    Mosaic1 Guest

    I really don't know what else to tell you other than whatever is going on it is not visible to us. If it were my system I would format and reinstall. I rarely tell anyone to do that.
     