A Windows XP help forum. PCbanter

Firewall won't stay enabled

  #1  
Old July 20th 04, 07:50 PM
jay
external usenet poster

I can click to enable the firewall, then in about 30-60 seconds something disables it.

Similar behavior for Norton AV 2004, when attempting to turn on auto-protect. But with the added behavior that the program is being terminated completely after a few seconds.

All settings seem okay for automatic enabled operation at startup.

Have run AV with the latest defs in safe mode and detected no virus, worm or trojans.

This is recent behavior. Unfortunately don't have a restore point to go to. Any ideas?
  #2  
Old July 20th 04, 07:50 PM
Doug Knox MS-MVP

Jay,

See www.dougknox.com, Win XP Utilities, Startup Programs Tracker. Use this utility and post the contents of your log file. Include the Services section.

-- 
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.
  #3  
Old July 20th 04, 07:50 PM
jay

Thanks. Will try it immediately.

  #4  
Old July 20th 04, 09:46 PM
jay

Here is the tracker log file:


-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
SystemTray SysTray.Exe
nwiz nwiz.exe /install
IntelliType "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
iexplore C:\WINDOWS\System32\iexplore.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
WINDVDPatch CTHELPER.EXE
UpdReg C:\WINDOWS\UpdReg.EXE
RoxioEngineUtility "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
QuickTime Task "C:\program files\quicktime\qttask.exe" -atboottime
NAV CfgWiz C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
Jet Detection "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
Advanced Tools Check C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

-- Registry --
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Start Menu - Current User --
No Items Found

-- Start Menu - All Users --
iexplore.exe

-- Disabled Items --
No Items Found

-- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon --
explorer.exe

-- Running Processes --
System Idle Process
System
SMSS.EXE \SystemRoot\System32\smss.exe
CSRSS.EXE
WINLOGON.EXE winlogon.exe
SERVICES.EXE C:\WINDOWS\system32\services.exe
LSASS.EXE C:\WINDOWS\system32\lsass.exe
SVCHOST.EXE C:\WINDOWS\system32\svchost -k rpcss
SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
CCSETMGR.EXE "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
CCEVTMGR.EXE "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
SPOOLSV.EXE C:\WINDOWS\system32\spoolsv.exe
EXPLORER.EXE C:\WINDOWS\Explorer.EXE
CDAC11BA.EXE C:\WINDOWS\System32\drivers\CDAC11BA.EXE
CTSVCCDA.EXE C:\WINDOWS\System32\CTsvcCDA.exe
type32.exe "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
CCAPP.EXE "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
CTHELPER.EXE "C:\WINDOWS\System32\CTHELPER.EXE"
QTTASK.EXE "C:\program files\quicktime\qttask.exe" -atboottime
NVSVC32.EXE C:\WINDOWS\System32\nvsvc32.exe
DEVLDR32.EXE C:\WINDOWS\System32\devldr32.exe
RUNDLL32.EXE "C:\WINDOWS\System32\RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
IEXPLORE.EXE "C:\WINDOWS\olefiles\iexplore.exe"
SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k imgsvc
SYMLCSVC.EXE "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
MSMSGS.EXE "C:\Program Files\Messenger\msmsgs.exe" -Embedding
StartupTracker3.exe "C:\download\StartupTracker3.exe"
wuauclt.exe "C:\WINDOWS\System32\wuauclt.exe"
wmiprvse.exe

-- Running Services --

Name: AudioSrv
Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: C-DillaCdaC11BA
Description:
Startup Mode: Auto
Run from: C:\WINDOWS\System32\drivers\CDAC11BA.EXE

Name: ccEvtMgr
Description: Symantec Event Manager
Startup Mode: Auto
Run from: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

Name: ccSetMgr
Description: Symantec Settings Manager
Startup Mode: Auto
Run from: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

Name: Creative Service for CDROM Access
Description:
Startup Mode: Auto
Run from: C:\WINDOWS\System32\CTsvcCDA.exe

Name: CryptSvc
Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: Dhcp
Description: Manages network configuration by registering and updating IP addresses and DNS names.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: dmserver
Description: Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date.
If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Dnscache
Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService

Name: ERSvc
Description: Allows error reporting for services and applictions running in non-standard environments.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Eventlog
Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\services.exe

Name: EventSystem
Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: FastUserSwitchingCompatibility
Description: Provides management for applications that require assistance in a multiple user environment.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: helpsvc
Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: lanmanserver
Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: lanmanworkstation
Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: LmHosts
Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: Messenger
Description: Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that
explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Netman
Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Nla
Description: Collects and stores network configuration and location information, and notifies applications when this information changes.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: NVSvc
Description: Provides system and desktop level support to the NVIDIA display driver
Startup Mode: Auto
Run from: C:\WINDOWS\System32\nvsvc32.exe

Name: PlugPlay
Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\services.exe

Name: PolicyAgent
Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\lsass.exe

Name: ProtectedStorage
Description: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\lsass.exe

Name: RasMan
Description: Creates a network connection.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: RemoteRegistry
Description: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k LocalService

Name: RpcSs
Description: Provides the endpoint mapper and other miscellaneous RPC services.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost -k rpcss

Name: SamSs
Description: Stores security information for local user accounts.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\lsass.exe

Name: Schedule
Description: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: seclogon
Description: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: SENS
Description: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: ShellHWDetection
Description:
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Spooler
Description: Loads files to memory for later printing.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\spoolsv.exe

Name: srservice
Description: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer-Properties
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: SSDPSRV
Description: Enables discovery of UPnP devices on your home network.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: stisvc
Description: Provides image acquisition services for scanners and cameras.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k imgsvc

Name: Symantec Core LC
Description: Symantec Core LC
Startup Mode: Auto
Run from: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Name: TapiSrv
Description: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: TermService
Description: Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Themes
Description: Provides user experience theme management.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: TrkWks
Description: Maintains links between NTFS files within a computer or across computers in a network domain.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: uploadmgr
Description: Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: W32Time
Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: WebClient
Description: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: winmgmt
Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: wuauserv
Description: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: WZCSVC
Description: Provides automatic configuration for the 802.11 adapters
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
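
The log above deserves a second look before chasing the firewall itself. It lists iexplore.exe three times in places Internet Explorer does not normally live: in the HKLM Run key as C:\WINDOWS\System32\iexplore.exe, as iexplore.exe in the All Users Startup folder, and as a running IEXPLORE.EXE launched from C:\WINDOWS\olefiles\iexplore.exe. On a default Windows XP install the real browser is C:\Program Files\Internet Explorer\iexplore.exe, so a file of that name in System32 or an unfamiliar folder is an indicator worth checking (file properties, size, signature), not proof of an infection. The script below is an added example and is not part of this thread or of Doug Knox's Startup Programs Tracker: it reads a tracker-style log and reports well-known Windows binary names that run from a directory other than their expected one. The expected-directory table assumes a 32-bit install with %SystemRoot% at C:\WINDOWS; the embedded sample is an excerpt of the log posted above with the registry key names shown unbroken.

```python
r"""Flag well-known Windows binaries that a Startup Programs Tracker log
shows running from an unexpected directory.

Added example, not code from this thread or from the tracker tool itself.
Assumptions: %SystemRoot% is C:\WINDOWS and the install is 32-bit, so the
EXPECTED_DIRS table reflects a default Windows XP layout.  A hit is an
indicator to investigate, not proof of infection.
"""
import re

# Directory where a default Windows XP install keeps each executable
# (assumption: C:\WINDOWS is %SystemRoot%).  Compared after lower-casing.
EXPECTED_DIRS = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "explorer.exe": r"c:\windows",
    "smss.exe":     r"c:\windows\system32",
    "csrss.exe":    r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe":    r"c:\windows\system32",
    "svchost.exe":  r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "spoolsv.exe":  r"c:\windows\system32",
}

# First absolute .exe path on a line: either quoted ("C:\Program Files\x.exe")
# or bare, starting with a drive letter or \SystemRoot\ and ending at the
# first ".exe" that is followed by whitespace or end of line.
_PATH_RE = re.compile(
    r'"([^"]+\.exe)"|((?:[a-zA-Z]:\\|\\SystemRoot\\)[^"]*?\.exe)(?=\s|$)',
    re.IGNORECASE,
)

# Constructed sample: an excerpt of the tracker log posted in this thread.
SAMPLE_LOG = r"""-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
IntelliType "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
iexplore C:\WINDOWS\System32\iexplore.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
NAV CfgWiz C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

-- Running Processes --
SMSS.EXE \SystemRoot\System32\smss.exe
CSRSS.EXE
WINLOGON.EXE winlogon.exe
LSASS.EXE C:\WINDOWS\system32\lsass.exe
SVCHOST.EXE C:\WINDOWS\system32\svchost -k rpcss
SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k netsvcs
EXPLORER.EXE C:\WINDOWS\Explorer.EXE
RUNDLL32.EXE "C:\WINDOWS\System32\RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
IEXPLORE.EXE "C:\WINDOWS\olefiles\iexplore.exe"

-- Running Services --

Name: RpcSs
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost -k rpcss
"""


def first_exe_path(line):
    """Return the first absolute .exe path on a log line, or None."""
    m = _PATH_RE.search(line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def split_path(path):
    r"""Return (directory, basename), lower-cased, with a leading
    \SystemRoot mapped to C:\WINDOWS (assumption: default install)."""
    p = path.lower()
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows" + p[len("\\systemroot"):]
    d, _, base = p.rpartition("\\")
    return d, base


def find_misplaced(log_text):
    """Return [(line_no, basename, directory)] for entries whose basename is
    in EXPECTED_DIRS but whose directory differs.  Lines with no absolute
    path (the tracker prints CSRSS.EXE and some SVCHOST.EXE entries bare,
    and svchost without .exe) are skipped: they cannot be verified from the
    log alone and need a look at the live process list."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        path = first_exe_path(line)
        if path is None:
            continue
        d, base = split_path(path)
        expected = EXPECTED_DIRS.get(base)
        if expected is not None and d != expected:
            hits.append((n, base, d))
    return hits


if __name__ == "__main__":
    for n, base, d in find_misplaced(SAMPLE_LOG):
        print(f"line {n}: {base} runs from {d}, expected {EXPECTED_DIRS[base]}")
```

Run against the excerpt it reports the two iexplore.exe entries (System32 and olefiles) and nothing else; the Symantec, Creative and NVIDIA entries are left alone because the check only knows the Windows binaries in its table. The same approach applies to the Services section: compare each "Run from:" path against where that service's binary is expected to be, and treat a mismatch as a lead to confirm on the machine rather than a verdict.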

  #5  
Old July 20th 04, 09:46 PM
MicroShaft

So you have a SYMANTEC firewall? "ccApp.exe"


On 7/19/04 11:21 PM, "jay" wrote:

Here is the tracker log file:
#6
July 20th 04, 10:41 PM
jay
Firewall won't stay enabled

No, just Symantec (Norton) Antivirus. The firewall is standard XP.

"MicroShaft" wrote:

So you have a SYMANTEC firewall? "ccApp.exe"

On 7/19/04 11:21 PM, in article , "jay" wrote:

Here is the tracker log file:




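As an added example (not code from the thread, from the Startup Programs Tracker tool, or from any poster), a Python parser for the tracker log format quoted above, plus a snapshot diff that reports Run-key values that appear or disappear between two runs of the tool, which is the check a defender wants after deleting suspect values and rebooting. It assumes the tool separates value name and command with a tab (falling back to a value-token heuristic when that tab has been collapsed to spaces, as in a forum post); the two sample logs are constructed.

```python
"""Parse a Startup Programs Tracker-style log and diff two snapshots.

Added example for this thread, not code from the tracker tool or from any
poster. The format follows the listing quoted above; the sample logs
below are constructed for illustration."""
import re

SECTION_RE = re.compile(r"^-- (.+?) --$")
# A command line starts at a quote, a drive path, or a bare .exe/.dll token.
VALUE_START = re.compile(r"\s(?=\"|[A-Za-z]:\\|\S+\.(?:exe|dll)\b)", re.I)


def split_entry(line):
    """Split 'ValueName command line' into (name, command). Assumes a tab
    separator when present; otherwise (tab collapsed to spaces, as in a
    forum post) the command begins at the first value-looking token."""
    if "\t" in line:
        name, _, cmd = line.partition("\t")
        return name.strip(), cmd.strip()
    m = VALUE_START.search(line)
    if not m:
        return line.strip(), ""
    return line[: m.start()].strip(), line[m.end():].strip()


def parse_tracker_log(text):
    """Return {registry_key: {value_name: command}} for the registry
    sections; Start Menu, process and service sections are skipped."""
    snapshot, current, expect_key = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            title = m.group(1)
            if title == "Registry":
                expect_key, current = True, None  # key path is on the next line
            elif title.startswith("Registry"):
                current = title                   # e.g. the Winlogon Shell value
                snapshot.setdefault(current, {})
            else:
                current = None
            continue
        if expect_key:
            current, expect_key = line, False
            snapshot.setdefault(current, {})
            continue
        if current is None or line == "No Items Found":
            continue
        name, cmd = split_entry(line)
        snapshot[current][name] = cmd
    return snapshot


def diff_snapshots(before, after):
    """Return (added, removed, changed), each keyed by (registry_key,
    value_name). A deleted value that comes back shows up in 'added'."""
    added, removed, changed = {}, {}, {}
    for key in set(before) | set(after):
        b, a = before.get(key, {}), after.get(key, {})
        for name in set(b) | set(a):
            if name not in b:
                added[(key, name)] = a[name]
            elif name not in a:
                removed[(key, name)] = b[name]
            elif a[name] != b[name]:
                changed[(key, name)] = (b[name], a[name])
    return added, removed, changed


# Constructed baseline: a subset of the Run entries quoted in the thread.
BEFORE_LOG = r"""
-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
SystemTray SysTray.Exe
WINDVDPatch CTHELPER.EXE
UpdReg C:\WINDOWS\UpdReg.EXE
QuickTime Task "C:\program files\quicktime\qttask.exe" -atboottime
Advanced Tools Check C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

-- Running Processes --
EXPLORER.EXE C:\WINDOWS\Explorer.EXE
"""

# Constructed re-check after deleting three values and rebooting; the new
# value is a placeholder standing in for anything that was re-created.
AFTER_LOG = (BEFORE_LOG
             .replace("SystemTray SysTray.Exe\n", "")
             .replace("WINDVDPatch CTHELPER.EXE\n", "")
             .replace("UpdReg C:\\WINDOWS\\UpdReg.EXE\n",
                      "ExampleNewValue C:\\WINDOWS\\placeholder_new_value.exe\n"))
```

Run the tool before and after the cleanup, feed both logs to `diff_snapshots`, and anything in `added` is a value that was re-created while the machine was rebooting.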
#7
July 20th 04, 10:42 PM
MicroShaft
Firewall won't stay enabled

Has the PC ever had any third-party firewalls (Zone Alarm, Norton's, McAfee's)?

On 7/20/04 12:05 AM, in article , "jay" wrote:

ccEvtMgr.exe


#8
July 20th 04, 10:42 PM
jay
Firewall won't stay enabled

No. Just the XP firewall.

"MicroShaft" wrote:

Has the PC ever had any third-party firewalls (Zone Alarm, Norton's, McAfee's)?

On 7/20/04 12:05 AM, in article , "jay" wrote:

ccEvtMgr.exe



#9
July 20th 04, 11:47 PM
Doug Knox MS-MVP
Firewall won't stay enabled

The first entries I would look at are:

SystemTray SysTray.Exe
WINDVDPatch CTHELPER.EXE
UpdReg C:\WINDOWS\UpdReg.EXE

These are all launched from:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Click Start, Run and enter REGEDIT. Go to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Right click on the Run subkey and select Export. This creates a backup of this particular subkey. After this is completed, right click each of the 3 values indicated above and select Delete. Log off/logon or reboot. Check the HKLM\........... Run key again to see if any "new" values have been created. If not, rescan your system, ensuring that you have the latest updates for your AV program.

"jay" wrote in message ...
Here is the tracker log file:
explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
=20
Name: wuauserv
Description: Enables the download and installation of critical Windows =

updates. If the service is disabled, the operating system can be =
manually updated at the Windows Update Web site.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
=20
Name: WZCSVC
Description: Provides automatic configuration for the 802.11 adapters
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

  #10  
Old July 21st 04, 01:41 AM
jay
external usenet poster
 
Posts: n/a
Default Firewall won't stay enabled

No joy. But thanks for looking.

"Doug Knox MS-MVP" wrote:

The first entries I would look at a

SystemTray SysTray.Exe
WINDVDPatch CTHELPER.EXE
UpdReg C:\WINDOWS\UpdReg.EXE

These are all launched from:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Click Start, Run and enter REGEDIT. Go to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Right click on the Run subkey and select Export. This creates a backup of this particular subkey. After this is completed, right click each of the 3 values indicated above and select Delete. Log off/logon or reboot. Check the HKLM\........... Run key again to see if any "new" values have been created. If not, rescan your system, ensuring that you have the latest updates for your AV program.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"jay" wrote in message ...

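Doug's advice above amounts to reading the tracker log by eye: pick out the Run-key values, decide which ones deserve a look, and see what comes back after a reboot. As an added example, not part of this thread or of the Startup Programs Tracker utility, here is a Python parser for the log format posted in the thread that cross-checks the Run-key values against the running-process list and reports two things worth a manual look: values stored as a bare file name with no directory (two of the three values Doug lists are stored that way, so the loader resolves them through the search path at logon) and a running process whose image path differs from the autorun value of the same name. The sample log is a constructed excerpt of the posted one, and the findings are review prompts, not verdicts.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed excerpt in the tracker's own format; the entries are copied
# from the log posted in this thread (Run key name written out in full).
SAMPLE_LOG = r"""-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
SystemTray SysTray.Exe
nwiz nwiz.exe /install
iexplore C:\WINDOWS\System32\iexplore.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
WINDVDPatch CTHELPER.EXE
QuickTime Task "C:\program files\quicktime\qttask.exe" -atboottime

-- Running Processes --
CCAPP.EXE "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
CTHELPER.EXE "C:\WINDOWS\System32\CTHELPER.EXE"
QTTASK.EXE "C:\program files\quicktime\qttask.exe" -atboottime
IEXPLORE.EXE "C:\WINDOWS\olefiles\iexplore.exe"
wmiprvse.exe
"""

# A command begins at the first token that is quoted, a drive path or an
# .exe/.dll/.com name; whatever precedes it is the (possibly multi-word) value name.
_RUN_ENTRY = re.compile(
    r'^(?P<name>.+?)\s+(?P<command>(?:"|[A-Za-z]:\\|\S+\.(?:exe|dll|com)(?:\s|$)).*)$',
    re.IGNORECASE)


@dataclass
class Finding:
    rule: str     # "bare-filename" or "path-mismatch"
    name: str     # autorun value name the finding concerns
    detail: str


def command_image(command: str) -> str:
    """Image a command line launches; for rundll32, the DLL it loads."""
    command = command.strip()
    if command.startswith('"'):
        image, _, rest = command[1:].partition('"')
    else:
        image, _, rest = command.partition(" ")
    if ntpath.basename(image).lower() == "rundll32.exe" and rest.strip():
        return command_image(rest.split(",", 1)[0])
    return image


def parse_log(text: str):
    """Return ([(key, value name, command)], [(process name, command or None)])."""
    autoruns, processes = [], []
    section = key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("--") and line.endswith("--"):
            section, key = line.strip("- "), None        # section header
        elif section == "Registry":
            if key is None:                                 # first line is the key path
                key = line
            elif line != "No Items Found":
                m = _RUN_ENTRY.match(line)
                if m:
                    autoruns.append((key, m["name"], m["command"].strip()))
        elif section == "Running Processes":
            name, _, rest = line.partition(" ")
            if re.match(r'["\\]|[A-Za-z]:\\', rest):        # tracker could read the path
                processes.append((name, rest))
            else:
                processes.append((line, None))
    return autoruns, processes


def triage(text: str) -> list:
    """Cross-check autorun values against the running-process list."""
    autoruns, processes = parse_log(text)
    findings = []
    expected = {}   # image basename -> [(value name, full path from the Run key)]
    for _key, name, command in autoruns:
        image = command_image(command)
        if ntpath.dirname(image) == "":
            # Bare name: resolved through the search path at logon, so the
            # file that actually runs is not pinned down by the value itself.
            findings.append(Finding("bare-filename", name,
                                    f"{image!r} carries no directory"))
        else:
            expected.setdefault(ntpath.basename(image).lower(), []).append((name, image))
    for proc_name, command in processes:
        if command is None:
            continue
        image = command_image(command)
        for name, path in expected.get(ntpath.basename(image).lower(), []):
            if ntpath.normcase(image) != ntpath.normcase(path):
                findings.append(Finding("path-mismatch", name,
                    f"autorun names {path!r} but {proc_name} runs from {image!r}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.name}: {f.detail}")
```

On the sample it flags SystemTray, nwiz and WINDVDPatch as bare names and iexplore as a path mismatch, while ccApp and QuickTime Task, whose processes run from exactly the path the Run key names, pass without comment.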
  #11  
Old July 21st 04, 02:41 AM
jay
external usenet poster
 
Posts: n/a
Default Firewall won't stay enabled

And, interestingly enough, the task manager won't stay open for more than about 30 seconds. And when I open the folder "c:\program files\norton antivirus" it, too, has only about 30 seconds to live. I'm convinced I've got something running that's looking
to shutdown security-related things. But I can't find it.

"Doug Knox MS-MVP" wrote:

The first entries I would look at a

SystemTray SysTray.Exe
WINDVDPatch CTHELPER.EXE
UpdReg C:\WINDOWS\UpdReg.EXE

These are all launched from:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run

Click Start, Run and enter REGEDIT Go to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run

Rght click on the Run subkey and select Export. This creates a backup of this particular subkey. After this is completed, right click each of the 3 values indicated, above and select Delete. Log off/logon or reboot. Check the HKLM\........... Run ke

y again to see if any "new" values have been created. If not, rescan your system, ensuring that you have the latest updates for your AV program.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"jay" wrote in message ...
Here is the tracker log file:


-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\RunOnce

No Items Found

-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run

NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
SystemTray SysTray.Exe
nwiz nwiz.exe /install
IntelliType "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
iexplore C:\WINDOWS\System32\iexplore.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
WINDVDPatch CTHELPER.EXE
UpdReg C:\WINDOWS\UpdReg.EXE
RoxioEngineUtility "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
QuickTime Task "C:\program files\quicktime\qttask.exe" -atboottime
NAV CfgWiz C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
Jet Detection "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
Advanced Tools Check C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\RunOnce

No Items Found

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run

NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

-- Registry --
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\RunOnce

No Items Found

-- Start Menu - Current User --
No Items Found

-- Start Menu - All Users --
iexplore.exe

-- Disabled Items --
No Items Found

-- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon --
explorer.exe

-- Running Processes --
System Idle Process
System
SMSS.EXE \SystemRoot\System32\smss.exe
CSRSS.EXE
WINLOGON.EXE winlogon.exe
SERVICES.EXE C:\WINDOWS\system32\services.exe
LSASS.EXE C:\WINDOWS\system32\lsass.exe
SVCHOST.EXE C:\WINDOWS\system32\svchost -k rpcss
SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
CCSETMGR.EXE "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
CCEVTMGR.EXE "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
SPOOLSV.EXE C:\WINDOWS\system32\spoolsv.exe
EXPLORER.EXE C:\WINDOWS\Explorer.EXE
CDAC11BA.EXE C:\WINDOWS\System32\drivers\CDAC11BA.EXE
CTSVCCDA.EXE C:\WINDOWS\System32\CTsvcCDA.exe
type32.exe "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
CCAPP.EXE "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
CTHELPER.EXE "C:\WINDOWS\System32\CTHELPER.EXE"
QTTASK.EXE "C:\program files\quicktime\qttask.exe" -atboottime
NVSVC32.EXE C:\WINDOWS\System32\nvsvc32.exe
DEVLDR32.EXE C:\WINDOWS\System32\devldr32.exe
RUNDLL32.EXE "C:\WINDOWS\System32\RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
IEXPLORE.EXE "C:\WINDOWS\olefiles\iexplore.exe"
SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k imgsvc
SYMLCSVC.EXE "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
MSMSGS.EXE "C:\Program Files\Messenger\msmsgs.exe" -Embedding
StartupTracker3.exe "C:\download\StartupTracker3.exe"
wuauclt.exe "C:\WINDOWS\System32\wuauclt.exe"
wmiprvse.exe

-- Running Services --

Name: AudioSrv
Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: C-DillaCdaC11BA
Description:
Startup Mode: Auto
Run from: C:\WINDOWS\System32\drivers\CDAC11BA.EXE

Name: ccEvtMgr
Description: Symantec Event Manager
Startup Mode: Auto
Run from: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

Name: ccSetMgr
Description: Symantec Settings Manager
Startup Mode: Auto
Run from: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

Name: Creative Service for CDROM Access
Description:
Startup Mode: Auto
Run from: C:\WINDOWS\System32\CTsvcCDA.exe

Name: CryptSvc
Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Serv

ice, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: Dhcp
Description: Manages network configuration by registering and updating IP addresses and DNS names.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: dmserver
Description: Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of d

ate. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Dnscache
Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services

that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService

Name: ERSvc
Description: Allows error reporting for services and applictions running in non-standard environments.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Eventlog
Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\services.exe

Name: EventSystem
Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and

logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: FastUserSwitchingCompatibility
Description: Provides management for applications that require assistance in a multiple user environment.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: helpsvc
Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: lanmanserver
Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: lanmanworkstation
Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: LmHosts
Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: Messenger
Description: Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services

that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Netman
Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Nla
Description: Collects and stores network configuration and location information, and notifies applications when this information changes.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: NVSvc
Description: Provides system and desktop level support to the NVIDIA display driver
Startup Mode: Auto
Run from: C:\WINDOWS\System32\nvsvc32.exe

Name: PlugPlay
Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\services.exe

Name: PolicyAgent
Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\lsass.exe

Name: ProtectedStorage
Description: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\lsass.exe

Name: RasMan
Description: Creates a network connection.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: RemoteRegistry
Description: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to

start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k LocalService

Name: RpcSs
Description: Provides the endpoint mapper and other miscellaneous RPC services.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost -k rpcss

Name: SamSs
Description: Stores security information for local user accounts.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\lsass.exe

Name: Schedule
Description: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail t

o start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: seclogon
Description: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: SENS
Description: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: ShellHWDetection
Description:
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Spooler
Description: Loads files to memory for later printing.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\spoolsv.exe

Name: srservice
Description: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer-Properties
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: SSDPSRV
Description: Enables discovery of UPnP devices on your home network.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: stisvc
Description: Provides image acquisition services for scanners and cameras.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k imgsvc

Name: Symantec Core LC
Description: Symantec Core LC
Startup Mode: Auto
Run from: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Name: TapiSrv
Description: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: TermService
Description: Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Themes
Description: Provides user experience theme management.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: TrkWks
Description: Maintains links between NTFS files within a computer or across computers in a network domain.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: uploadmgr
Description: Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: W32Time
Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: WebClient
Description: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start

  #12  
Old July 21st 04, 05:41 AM
Doug Knox MS-MVP
external usenet poster
 
Posts: n/a
Default Firewall won't stay enabled

You have a virus. Likely one of the following:

W32.Klez
W32.Yaha
W32.Spybot.Worm
http://securityresponse.symantec.com...spybot.worm.html

For additional help see www.dougknox.com, Win XP Utilities, Create Emergency Copies of Critical XP System Utilities. This small VB Program will create backup, usable copies of Task Manager, Regedit and MSConfig (named Taskmgr1.exe, Regedit.com and MSConfig1.exe) in a new folder C:\EmergencyUtil. Many virus programs will intercept these programs, based on their original file name. The modified file names allow them to be run. Open Windows Explorer to C:\EmergencyUtil and double click the application you need. The next revision will allow you to browse for the folder you want to place the backups in.

Additionally, see the Win XP Utilities section for Startup Programs Tracker. This small utility scans your system for startup programs and running processes. It also allows you to create a log file that can be copied and pasted into a newsgroup post. The contents of the program window are also copied to the Windows Clipboard, automatically. For replies to newsgroup posts, do NOT include the Running Services, unless it's absolutely necessary.


-- 
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"jay" wrote in message ...
And, interestingly enough, the task manager won't stay open for more than about 30 seconds. And when I open the folder "c:\program files\norton antivirus" it, too, has only about 30 seconds to live. I'm convinced I've got something running that's looking to shut down security-related things. But I can't find it.

"Doug Knox MS-MVP" wrote:

The first entries I would look at a

SystemTray SysTray.Exe
WINDVDPatch CTHELPER.EXE
UpdReg C:\WINDOWS\UpdReg.EXE

These are all launched from:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Click Start, Run and enter REGEDIT. Go to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Right click on the Run subkey and select Export. This creates a backup of this particular subkey. After this is completed, right click each of the 3 values indicated above and select Delete. Log off/logon or reboot. Check the HKLM\........... Run key again to see if any "new" values have been created. If not, rescan your system, ensuring that you have the latest updates for your AV program.

"jay" wrote in message ...
Here is the tracker log file:

-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
SystemTray SysTray.Exe
nwiz nwiz.exe /install
IntelliType "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
iexplore C:\WINDOWS\System32\iexplore.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
WINDVDPatch CTHELPER.EXE
UpdReg C:\WINDOWS\UpdReg.EXE
RoxioEngineUtility "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
QuickTime Task "C:\program files\quicktime\qttask.exe" -atboottime
NAV CfgWiz C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
Jet Detection "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
Advanced Tools Check C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

-- Registry --
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Start Menu - Current User --
No Items Found

-- Start Menu - All Users --
iexplore.exe

-- Disabled Items --
No Items Found

-- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon --
explorer.exe

-- Running Processes --
System Idle Process
System
SMSS.EXE \SystemRoot\System32\smss.exe
CSRSS.EXE
WINLOGON.EXE winlogon.exe
SERVICES.EXE C:\WINDOWS\system32\services.exe
LSASS.EXE C:\WINDOWS\system32\lsass.exe
SVCHOST.EXE C:\WINDOWS\system32\svchost -k rpcss
SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
CCSETMGR.EXE "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
CCEVTMGR.EXE "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
SPOOLSV.EXE C:\WINDOWS\system32\spoolsv.exe
EXPLORER.EXE C:\WINDOWS\Explorer.EXE
CDAC11BA.EXE C:\WINDOWS\System32\drivers\CDAC11BA.EXE
CTSVCCDA.EXE C:\WINDOWS\System32\CTsvcCDA.exe
type32.exe "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
CCAPP.EXE "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
CTHELPER.EXE "C:\WINDOWS\System32\CTHELPER.EXE"
QTTASK.EXE "C:\program files\quicktime\qttask.exe" -atboottime
NVSVC32.EXE C:\WINDOWS\System32\nvsvc32.exe
DEVLDR32.EXE C:\WINDOWS\System32\devldr32.exe
RUNDLL32.EXE "C:\WINDOWS\System32\RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
IEXPLORE.EXE "C:\WINDOWS\olefiles\iexplore.exe"
SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k imgsvc
SYMLCSVC.EXE "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
MSMSGS.EXE "C:\Program Files\Messenger\msmsgs.exe" -Embedding
StartupTracker3.exe "C:\download\StartupTracker3.exe"
wuauclt.exe "C:\WINDOWS\System32\wuauclt.exe"
wmiprvse.exe

-- Running Services --

Name: AudioSrv
Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: C-DillaCdaC11BA
Description:
Startup Mode: Auto
Run from: C:\WINDOWS\System32\drivers\CDAC11BA.EXE

Name: ccEvtMgr
Description: Symantec Event Manager
Startup Mode: Auto
Run from: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

Name: ccSetMgr
Description: Symantec Settings Manager
Startup Mode: Auto
Run from: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

Name: Creative Service for CDROM Access
Description:
Startup Mode: Auto
Run from: C:\WINDOWS\System32\CTsvcCDA.exe

Name: CryptSvc
Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: Dhcp
Description: Manages network configuration by registering and updating IP addresses and DNS names.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: dmserver
Description: Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Dnscache
Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService

Name: ERSvc
Description: Allows error reporting for services and applications running in non-standard environments.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Eventlog
Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\services.exe

Name: EventSystem
Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: FastUserSwitchingCompatibility
Description: Provides management for applications that require assistance in a multiple user environment.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: helpsvc
Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: lanmanserver
Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: lanmanworkstation
Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: LmHosts
Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: Messenger
Description: Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Netman
Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Nla
Description: Collects and stores network configuration and location information, and notifies applications when this information changes.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: NVSvc
Description: Provides system and desktop level support to the NVIDIA display driver
Startup Mode: Auto
Run from: C:\WINDOWS\System32\nvsvc32.exe

Name: PlugPlay
Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\services.exe

Name: PolicyAgent
Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\lsass.exe

Name: ProtectedStorage
Description: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\lsass.exe

Name: RasMan
Description: Creates a network connection.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: RemoteRegistry
Description: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k LocalService

Name: RpcSs
Description: Provides the endpoint mapper and other miscellaneous RPC services.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost -k rpcss

Name: SamSs
Description: Stores security information for local user accounts.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\lsass.exe

Name: Schedule
Description: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: seclogon
Description: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: SENS
Description: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: ShellHWDetection
Description:
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Spooler
Description: Loads files to memory for later printing.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\spoolsv.exe

Name: srservice
Description: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer-Properties
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: SSDPSRV
Description: Enables discovery of UPnP devices on your home network.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: stisvc
Description: Provides image acquisition services for scanners and cameras.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k imgsvc

Name: Symantec Core LC
Description: Symantec Core LC
Startup Mode: Auto
Run from: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Name: TapiSrv
Description: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: TermService
Description: Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Themes
Description: Provides user experience theme management.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: TrkWks
Description: Maintains links between NTFS files within a computer or across computers in a network domain.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: uploadmgr
Description: Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: W32Time
Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: WebClient
Description: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: winmgmt
Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: wuauserv
Description: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: WZCSVC
Description: Provides automatic configuration for the 802.11 adapters
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs


  #13  
Old July 22nd 04, 03:55 PM
Doug Knox MS-MVP
external usenet poster
 
Posts: n/a
Default Firewall won't stay enabled

It may not be what Symantec and others classify as a virus, but Adware or other "scumware". Usually, those that support detection of "scumware" will only notify you of it during a scan. The "real time" protection won't flag it (at least McAfee doesn't).

-- 
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"jay" wrote in message ...
I've isolated the infection. Norton AV does NOT detect it. So I'll send the particulars to them. For everyone else:

If your standard XP firewall won't stay enabled. If your AV program won't stay in "auto-protect" and gets automatically terminated when you try to run it. When task manager terminates after about 30 seconds or so. When certain security-related folders disappear after about 30 seconds when you're trying to view them. When looking at security-related URLs with IE and IE terminates unexpectedly. Then look for these:

Files & Folders:

\Windows\olefiles\iexplore.exe (66k vs 89 for IE6)
\Windows\pss\iexplore.exeCommonStartup (66k)

Registry Entry:

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^olefiles^iexplore.exe
There will be subkeys here, but the whole folder needs to go or you won't be able to stop the process from loading every time you boot.

One more thing, you must go open the task manager and, without having Internet Explorer running as an application, quickly stop the "iexplore" process running. Once you do it will stop preventing you from cleaning it off the machine. To verify that it's the offending process, you can enable XP's internet firewall, and observe that it does stay enabled for longer than 30 seconds.

Thanks, Doug, for your help. I'm reporting this to Symantec and to Microsoft. Perhaps it's something new but more likely something I'm not aware of a fix or preventative for. Unfortunately, I have no idea what other things this critter does once it's infected a system.
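The tracker log jay posted earlier and the indicators he lists above share one pattern: a program carrying the name of a well-known Windows binary (iexplore.exe) but running from a directory where that binary does not live (C:\WINDOWS\System32, C:\WINDOWS\olefiles, the All Users Startup folder) rather than C:\Program Files\Internet Explorer. The script below is an added example written for this thread; it is not part of Doug Knox's Startup Programs Tracker or of anything jay posted. It parses a log in the tracker's layout (the "-- Section --" headers, "<name> <command>" entries and "Name:" / "Run from:" service blocks are inferred from the posted text), and flags every entry whose file name matches a known binary but whose directory does not. The EXPECTED_DIR table of default Windows XP locations and the sample log are assumptions constructed for the example.

```python
"""Triage a Startup Programs Tracker log for programs masquerading as
Windows binaries.  Added example for this thread; not part of Doug Knox's
utility or of the posted log.  The log layout ("-- Section --" headers,
"<name> <command>" entries, "Name:" / "Run from:" blocks) is inferred
from the text jay posted."""
import ntpath
import re
from collections import namedtuple

# Assumed table: where the genuine binaries live on a default Windows XP
# install with %SystemRoot% = C:\WINDOWS (directories lower-cased).
EXPECTED_DIR = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "taskmgr.exe": r"c:\windows\system32",
    "msmsgs.exe": r"c:\program files\messenger",
}

SECTION_RE = re.compile(r"^-- (.+?) --$")
SKIP_PREFIXES = ("HKEY_", "No Items Found")
Finding = namedtuple("Finding", "section name image reason")

# Constructed sample in the tracker's layout, modelled on the posted log.
SAMPLE_LOG = r"""
-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray SysTray.Exe
iexplore C:\WINDOWS\System32\iexplore.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

-- Start Menu - All Users --
iexplore.exe

-- Running Processes --
WINLOGON.EXE winlogon.exe
EXPLORER.EXE C:\WINDOWS\Explorer.EXE
IEXPLORE.EXE "C:\WINDOWS\olefiles\iexplore.exe"
MSMSGS.EXE "C:\Program Files\Messenger\msmsgs.exe" -Embedding

-- Running Services --
Name: RpcSs
Run from: C:\WINDOWS\system32\svchost -k rpcss

Name: AudioSrv
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
"""


def image_path(command):
    """Executable path of a command line: the quoted path if it starts with
    a quote, otherwise the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check(section, name, image):
    """Finding if 'image' carries a known binary's name but is not in that
    binary's directory; None otherwise."""
    base = ntpath.basename(image).lower()
    expected = EXPECTED_DIR.get(base)
    directory = ntpath.dirname(image).lower()
    if expected is None or directory == expected:
        return None
    if directory:
        return Finding(section, name, image, f"{base} runs from {directory}, not {expected}")
    if section.startswith("Running Processes"):
        return None  # tracker shows a bare name for protected processes (WINLOGON.EXE, CSRSS.EXE)
    where = "the Startup folder" if section.startswith("Start Menu") else "the PATH search order"
    return Finding(section, name, image, f"{base} loaded via {where}, not from {expected}")


def triage(log_text):
    """Walk the log section by section and collect findings."""
    findings, section, service = [], None, "?"
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None:
            continue
        if section.startswith("Running Services"):
            if line.startswith("Name:"):
                service = line[5:].strip()
            elif line.startswith("Run from:"):
                findings.append(check(section, service, image_path(line[9:])))
            continue
        if section.startswith("Start Menu"):  # the tracker lists the file itself
            name, command = line, line
        else:
            name, _, command = line.partition(" ")
        findings.append(check(section, name, image_path(command)))
    return [f for f in findings if f is not None]
```

Run `triage(open("tracker.log").read())` over a saved log; on the log in this thread it should flag exactly the three iexplore entries (the HKLM Run value, the All Users Startup item and the running C:\WINDOWS\olefiles\iexplore.exe) and nothing else. A bare name in the Running Processes section is deliberately ignored, because the tracker prints one when it cannot read a protected process's image path. A path mismatch is a strong lead, not proof; confirm it as jay did, by ending the process and watching whether the firewall now stays enabled past the 30-second mark.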
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2023, Jelsoft Enterprises Ltd.
Copyright 2004-2023 PCbanter.
The comments are property of their posters.