Re: How do I find process?
From: Tim (noanswer_at_hotmail.com)
Date: 11/17/04
- Next message: Steve Clark [MSFT]: "Re: Network security"
- Previous message: Russell: "Re: Running 2 Security Centers?"
- In reply to: Karl Levinson, mvp: "Re: How do I find process?"
- Next in thread: Bezalel Geretz: "Re: How do I find process?"
- Reply: Bezalel Geretz: "Re: How do I find process?"
- Reply: Karl Levinson, mvp: "Re: How do I find process?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Nov 2004 20:09:25 -0000
I hope it makes sense, Karl.
Thanks
Tim
"Silent Runners.vbs", revision 27, launched at: 17:30
Operating System: Windows XP SP2
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"APVXDWIN" = ""C:\Program Files\Panda Software\Panda Titanium Antivirus
2004\APVXDWIN.EXE" /s" ["Panda Software International"]
"HPDJ Taskbar Utility" =
"C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"HPHmon03" = "C:\WINDOWS\system32\hphmon03.exe" ["Hewlett-Packard"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE
C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
"DelDirTree" = "C:\WINDOWS\UnInst32.exe C:\WINDOWS\DelDir.BEN" ["Dritek
System Inc."]
HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath =
"C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program
Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program
Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
-> resolves to: {CLSID}\InprocServer32\(Default) =
"C:\WINDOWS\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
-> resolves to: {CLSID}\InprocServer32\(Default) =
"C:\WINDOWS\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> resolves to: {CLSID}\InprocServer32\(Default) =
"C:\WINDOWS\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> resolves to: {CLSID}\InprocServer32\(Default) =
"C:\WINDOWS\System32\stobject.dll" [MS]
Startup items in "Tim" & "All Users" startup folders:
-----------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft
Office\Office10\OSA.EXE -b -l" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Application Layer Gateway Service, ALG, "C:\WINDOWS\System32\alg.exe" [MS]
Automatic Updates, wuauserv, "C:\WINDOWS\system32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\wuauserv.dll" [MS]}
COM+ Event System, EventSystem, "C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\es.dll" [MS]}
Cryptographic Services, CryptSvc, "C:\WINDOWS\system32\svchost.exe -k
netsvcs" {"C:\WINDOWS\System32\cryptsvc.dll" [MS]}
DCOM Server Process Launcher, DcomLaunch, "C:\WINDOWS\system32\svchost -k
DcomLaunch" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
DHCP Client, Dhcp, "C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\dhcpcsvc.dll" [MS]}
Distributed Link Tracking Client, TrkWks,
"C:\WINDOWS\system32\svchost.exe -k netsvcs"
{"C:\WINDOWS\system32\trkwks.dll" [MS]}
DNS Client, Dnscache, "C:\WINDOWS\System32\svchost.exe -k NetworkService"
{"C:\WINDOWS\System32\dnsrslvr.dll" [MS]}
Error Reporting Service, ERSvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\ersvc.dll" [MS]}
Event Log, Eventlog, "C:\WINDOWS\system32\services.exe" [MS]
Fast User Switching Compatibility, FastUserSwitchingCompatibility,
"C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\shsvcs.dll" [MS]}
Help and Support, helpsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
IPSEC Services, PolicyAgent, "C:\WINDOWS\System32\lsass.exe" [MS]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft
Shared\VS7DEBUG\MDM.EXE"" [MS]
Network Connections, Netman, "C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\netman.dll" [MS]}
Network Location Awareness (NLA), Nla, "C:\WINDOWS\System32\svchost.exe -k
netsvcs" {"C:\WINDOWS\System32\mswsock.dll" [MS]}
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe"
["NVIDIA Corporation"]
Panda anti-virus service, PAVSRV, ""C:\Program Files\Panda Software\Panda
Titanium Antivirus 2004\pavsrv51.exe"" ["Panda Software"]
Panda IManager Service, PSIMSVC, ""C:\Program Files\Panda Software\Panda
Titanium Antivirus 2004\PsImSvc.exe"" ["Panda Software Internacional"]
Panda Process Protection Service, PavPrSrv, ""C:\Program Files\Common
Files\Panda Software\PavShld\pavprsrv.exe"" ["Panda Software"]
Plug and Play, PlugPlay, "C:\WINDOWS\system32\services.exe" [MS]
Pml Driver, Pml Driver, "C:\WINDOWS\system32\HPHipm09.exe" ["HP"]
Print Spooler, Spooler, "C:\WINDOWS\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINDOWS\system32\lsass.exe" [MS]
Remote Access Connection Manager, RasMan,
"C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "C:\WINDOWS\system32\svchost -k rpcss"
{"C:\WINDOWS\system32\rpcss.dll" [MS]}
Secondary Logon, seclogon, "C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\seclogon.dll" [MS]}
Security Accounts Manager, SamSs, "C:\WINDOWS\system32\lsass.exe" [MS]
Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\system32\wscsvc.dll" [MS]}
Server, lanmanserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\srvsvc.dll" [MS]}
Shell Hardware Detection, ShellHWDetection,
"C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\shsvcs.dll" [MS]}
SSDP Discovery Service, SSDPSRV, "C:\WINDOWS\System32\svchost.exe -k
LocalService" {"C:\WINDOWS\System32\ssdpsrv.dll" [MS]}
System Event Notification, SENS, "C:\WINDOWS\system32\svchost.exe -k
netsvcs" {"C:\WINDOWS\system32\sens.dll" [MS]}
System Restore Service, srservice, "C:\WINDOWS\System32\svchost.exe -k
netsvcs" {"C:\WINDOWS\System32\srsvc.dll" [MS]}
Task Scheduler, Schedule, "C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\system32\schedsvc.dll" [MS]}
TCP/IP NetBIOS Helper, LmHosts, "C:\WINDOWS\System32\svchost.exe -k
LocalService" {"C:\WINDOWS\System32\lmhsvc.dll" [MS]}
Telephony, TapiSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\tapisrv.dll" [MS]}
Terminal Services, TermService, "C:\WINDOWS\System32\svchost -k DComLaunch"
{"C:\WINDOWS\System32\termsrv.dll" [MS]}
Themes, Themes, "C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\shsvcs.dll" [MS]}
WebClient, WebClient, "C:\WINDOWS\System32\svchost.exe -k LocalService"
{"C:\WINDOWS\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\audiosrv.dll" [MS]}
Windows Firewall/Internet Connection Sharing (ICS), SharedAccess,
"C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\ipnathlp.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\WINDOWS\System32\svchost.exe -k
imgsvc" {"C:\WINDOWS\system32\wiaservc.dll" [MS]}
Windows Management Instrumentation, winmgmt,
"C:\WINDOWS\system32\svchost.exe -k netsvcs"
{"C:\WINDOWS\system32\wbem\WMIsvc.dll" [MS]}
Windows Time, W32Time, "C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\w32time.dll" [MS]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe"
[MS]
Wireless Zero Configuration, WZCSVC, "C:\WINDOWS\System32\svchost.exe -k
netsvcs" {"C:\WINDOWS\System32\wzcsvc.dll" [MS]}
Workstation, lanmanworkstation, "C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\wkssvc.dll" [MS]}
"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:OjH8M7JzEHA.3656@TK2MSFTNGP09.phx.gbl...
> Absolutely. levinson_k@despammed.com
>
>
> "Tim" <noanswer@hotmail.com> wrote in message
> news:e9PnDqHzEHA.2600@TK2MSFTNGP09.phx.gbl...
>> Hi Karl,
>> I do thank you for your continued support in helping me to resolve this
>> matter. I have done as you said and run Silent Runners (similar to
>> HijackThis) and have got the log file. I don't fully understand it; would
>> you have a look for me and tell me if there is anything untoward there?
>>
>>
>> Regards
>>
>> Tim
>> "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
>> news:Oq5DfV9yEHA.824@TK2MSFTNGP11.phx.gbl...
>> >
>> > "Tim" <noanswer@hotmail.com> wrote in message
>> > news:%23jsbbS7yEHA.2572@tk2msftngp13.phx.gbl...
>> >> when I boot my pc everything loads (Possibly my Panda AV loads a little
>> >> more slowly than the rest of the stuff, but even so when it loads the icon
>> >> into the systray this unknown process is still running in the background).
>> >> As soon as it starts whirring and clicking in the background I open TM
>> >> but there is nothing in there that is eating into my processor memory. I
>> >> have tried everything, bootvis, turning everything off and starting one by
>> >> one, but it is still there. It takes about 2.5 mins from boot to silent
>> >> desktop, can anyone help?
>> >>
>> >> Please don't tell me spyware or virus, I check my system every day with
>> >> new virus sigs, Spybot S&D, Ad-Aware and CWSShredder. I also have full pc
>> >> security (as told by MSBSA) and I use win xp sp2 with firewall on.
>> >
>> > Well, just because you're running anti-virus, it could still be a virus.
>> > And just because your AV icon appears in the system tray, a virus could
>> > still have disabled it.
>> >
>> > What happened when you ran RKDETECT from http://www.security.nnov.ru/soft/
>> > and Silent Runners from www.silentrunners.org ?
>> >
>> > What's the name of the process? Is it still the same as in your initial
>> > post? Can you find the file on your computer? If so, what happened when
>> > you submitted the file to one or more anti-virus vendors? If not, you may
>> > want to use one of the following methods to find and copy the file to a
>> > floppy disk:
>> >
>> > * first, try to find out where the file is located by using Silent Runners
>> > and/or the MSCONFIG command or something similar to look at what is
>> > starting up automatically on your system and what folder it's in [and let
>> > us know what folder it's in, post the results here if you have any
>> > questions];
>> > * if you know the file's name and folder, what error message do you get
>> > when you type COPY C:\FOLDERNAME\FILENAME A: in the Start, Run command or
>> > at a DOS Command Prompt to try to copy the file to a floppy?
>> > * try rebooting your computer and press F8 to boot into DOS / Command
>> > Prompt Only mode [not sure if this will help you find the file];
>> > * make and/or boot to a DOS boot floppy, for example by downloading one
>> > from www.bootdisk.com and then use NTFSDOS from
>> > http://www.sysinternals.com/ntw2k/freeware/ntfsdos.shtml if your hard
>> > drive is formatted in NTFS format;
>> > * download and burn either the Bitdefender Linux rescue CD from
>> > http://www.bitdefender.com/bd/site/products.php?p_id=40 or Knoppix from
>> > www.knoppix-std.org or www.knoppix.org to a CD and boot to the Knoppix CD
>> > to find and copy the file to a floppy;
>> > * If you have another computer that can connect to your computer via
>> > Windows Explorer / Windows networking, you should also be able to copy the
>> > file that way too.
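A small triage script for the Silent Runners log format posted above, added here as an example (it is not part of the thread and not code from Silent Runners itself): it re-joins lines the newsreader wrapped, pulls each entry's file paths and vendor tag, and flags anything not tagged [MS]. The sample log is constructed and modelled on Tim's; the "Updater" entry, its path and its "[null data]" tag are assumptions made up to exercise the untrusted-vendor branch.

```python
import re

# Silent Runners tags each file with [MS] or ["Company Name"] from its version
# info; anything else (or no tag) deserves a closer look.
VENDOR_RE = re.compile(r'\[([^\]]*)\]')
# Full paths or bare file names ending in an executable-type extension.
PATH_RE = re.compile(r'(?:[A-Za-z]:\\[^"\[\]{}]*?|[\w.$-]+)\.(?:exe|dll|scr|com|bat|vbs)\b', re.I)
SEP_RE = re.compile(r' = |, | -> ')    # separators between entry name and value
TERMINATORS = (']', '}', '\\', ':')    # how a complete (unwrapped) log line ends

def logical_lines(text):
    """Re-join entries that the newsreader wrapped across several physical lines."""
    out, buf = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {'-'}:     # blank or "-----" underline
            continue
        buf = f'{buf} {line}' if buf else line
        if buf.endswith(TERMINATORS):
            out.append(buf)
            buf = ''
    return out + ([buf] if buf else [])

def triage(text, trusted=('MS',)):
    """One record per startup/service entry; 'flag' marks vendors outside trusted."""
    records = []
    for line in logical_lines(text):
        head, *rest = SEP_RE.split(line, maxsplit=1)
        paths = PATH_RE.findall(rest[0]) if rest else []
        if not paths:                          # section headers, registry keys
            continue
        vendors = [v.strip('"') for v in VENDOR_RE.findall(line)]
        flag = not vendors or any(v not in trusted for v in vendors)
        records.append({'entry': head.strip('"'), 'paths': paths,
                        'vendors': vendors, 'flag': flag})
    return records

# Constructed sample modelled on the log in this thread; the "Updater" entry and
# its "[null data]" tag are made up to exercise the untrusted-vendor branch.
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"APVXDWIN" = ""C:\Program Files\Panda Software\Panda Titanium Antivirus
2004\APVXDWIN.EXE" /s" ["Panda Software International"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"Updater" = "C:\Program Files\Example\updater.exe" [null data]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Automatic Updates, wuauserv, "C:\WINDOWS\system32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\wuauserv.dll" [MS]}
'''
```

Run `triage(SAMPLE_LOG)` (or paste a full log body in place of the sample) and review the records whose `flag` is set; non-Microsoft vendors such as Panda and NVIDIA are expected to show up and are cleared by eye, which is the same check Karl's reply asks for.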