Re: Firewall won't stay enabled
From: Doug Knox MS-MVP (dknox_at_mvps.org)
Date: 07/20/04
- Next message: kasper: "remembered password"
- Previous message: Juergen Heinzl: "Re: Windows XP professional Problem"
- In reply to: jay: "Re: Firewall won't stay enabled"
- Next in thread: jay: "Re: Firewall won't stay enabled"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 20 Jul 2004 17:14:40 -0400
I have no way of knowing. What are the contents of this particular registry key? It could be malware related, or it could just be a corrupt entry.
--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"jay" <jay@discussions.microsoft.com> wrote in message news:6F36DC47-2158-4872-99B5-433EBDA67654@microsoft.com...
> Is this registry key virus-related?
>
> HKLM\SOFTWARE\Microsoft\ z}j.1
>
> "Doug Knox MS-MVP" wrote:
>
>> You have a virus. Likely one of the following:
>>
>> W32.Klez
>> http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html
>>
>> W32.Yaha
>> http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.c@mm.html
>>
>> W32.Spybot.Worm
>> http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html
>>
>> For additional help see www.dougknox.com, Win XP Utilities, Create Emergency Copies of Critical XP System Utilities. This small VB program will create backup, usable copies of Task Manager, Regedit and MSConfig (named Taskmgr1.exe, Regedit.com and MSConfig1.exe) in a new folder C:\EmergencyUtil. Many virus programs will intercept these programs, based on their original file name. The modified file names allow them to be run. Open Windows Explorer to C:\EmergencyUtil and double click the application you need. The next revision will allow you to browse for the folder you want to place the backups in.
>>
>> Additionally, see the Win XP Utilities section for Startup Programs Tracker. This small utility scans your system for startup programs and running processes. It also allows you to create a log file that can be copied and pasted into a newsgroup post. The contents of the program window are also copied to the Windows Clipboard, automatically. For replies to newsgroup posts, do NOT include the Running Services, unless it's absolutely necessary.
>>
>> --
>> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
>> Win 95/98/Me/XP Tweaks and Fixes
>> http://www.dougknox.com
>> --------------------------------
>> Per user Group Policy Restrictions for XP Home and XP Pro
>> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
>> --------------------------------
>> Please reply only to the newsgroup so all may benefit.
>> Unsolicited e-mail is not answered.
>>
>> "jay" <jay@discussions.microsoft.com> wrote in message news:3FD14DC7-3ABC-43A4-BFAE-C98D8A938FAB@microsoft.com...
>> > And, interestingly enough, the task manager won't stay open for more than about 30 seconds. And when I open the folder "c:\program files\norton antivirus" it, too, has only about 30 seconds to live. I'm convinced I've got something running that's looking to shut down security-related things. But I can't find it.
>> >
>> > "Doug Knox MS-MVP" wrote:
>> >
>> >> The first entries I would look at are:
>> >>
>> >> SystemTray SysTray.Exe
>> >> WINDVDPatch CTHELPER.EXE
>> >> UpdReg C:\WINDOWS\UpdReg.EXE
>> >>
>> >> These are all launched from:
>> >>
>> >> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>> >>
>> >> Click Start, Run and enter REGEDIT. Go to:
>> >>
>> >> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>> >>
>> >> Right click on the Run subkey and select Export. This creates a backup of this particular subkey. After this is completed, right click each of the 3 values indicated above and select Delete. Log off/logon or reboot. Check the HKLM\........... Run key again to see if any "new" values have been created. If not, rescan your system, ensuring that you have the latest updates for your AV program.
>> >>
>> >> --
>> >> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
>> >> Win 95/98/Me/XP Tweaks and Fixes
>> >> http://www.dougknox.com
>> >> --------------------------------
>> >> Per user Group Policy Restrictions for XP Home and XP Pro
>> >> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
>> >> --------------------------------
>> >> Please reply only to the newsgroup so all may benefit.
>> >> Unsolicited e-mail is not answered.
>> >>
>> >> "jay" <jay@discussions.microsoft.com> wrote in message news:01F959DE-388B-4345-8F34-63A4988002C9@microsoft.com...
>> >> > Here is the tracker log file:
>> >> >
>> >> > -- Registry --
>> >> > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
>> >> >
>> >> > No Items Found
>> >> >
>> >> > -- Registry --
>> >> > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>> >> >
>> >> > NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
>> >> > SystemTray SysTray.Exe
>> >> > nwiz nwiz.exe /install
>> >> > IntelliType "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
>> >> > iexplore C:\WINDOWS\System32\iexplore.exe
>> >> > ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
>> >> > WINDVDPatch CTHELPER.EXE
>> >> > UpdReg C:\WINDOWS\UpdReg.EXE
>> >> > RoxioEngineUtility "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
>> >> > QuickTime Task "C:\program files\quicktime\qttask.exe" -atboottime
>> >> > NAV CfgWiz C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
>> >> > Jet Detection "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
>> >> > Advanced Tools Check C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
>> >> >
>> >> > -- Registry --
>> >> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
>> >> >
>> >> > No Items Found
>> >> >
>> >> > -- Registry --
>> >> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>> >> >
>> >> > NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
>> >> >
>> >> > -- Registry --
>> >> > HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
>> >> >
>> >> > No Items Found
>> >> >
>> >> > -- Start Menu - Current User --
>> >> > No Items Found
>> >> >
>> >> > -- Start Menu - All Users --
>> >> > iexplore.exe
>> >> >
>> >> > -- Disabled Items --
>> >> > No Items Found
>> >> >
>> >> > -- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon --
>> >> > explorer.exe
>> >> >
>> >> > -- Running Processes --
>> >> > System Idle Process
>> >> > System
>> >> > SMSS.EXE \SystemRoot\System32\smss.exe
>> >> > CSRSS.EXE
>> >> > WINLOGON.EXE winlogon.exe
>> >> > SERVICES.EXE C:\WINDOWS\system32\services.exe
>> >> > LSASS.EXE C:\WINDOWS\system32\lsass.exe
>> >> > SVCHOST.EXE C:\WINDOWS\system32\svchost -k rpcss
>> >> > SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> > SVCHOST.EXE
>> >> > SVCHOST.EXE
>> >> > CCSETMGR.EXE "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
>> >> > CCEVTMGR.EXE "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
>> >> > SPOOLSV.EXE C:\WINDOWS\system32\spoolsv.exe
>> >> > EXPLORER.EXE C:\WINDOWS\Explorer.EXE
>> >> > CDAC11BA.EXE C:\WINDOWS\System32\drivers\CDAC11BA.EXE
>> >> > CTSVCCDA.EXE C:\WINDOWS\System32\CTsvcCDA.exe
>> >> > type32.exe "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
>> >> > CCAPP.EXE "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
>> >> > CTHELPER.EXE "C:\WINDOWS\System32\CTHELPER.EXE"
>> >> > QTTASK.EXE "C:\program files\quicktime\qttask.exe" -atboottime
>> >> > NVSVC32.EXE C:\WINDOWS\System32\nvsvc32.exe
>> >> > DEVLDR32.EXE C:\WINDOWS\System32\devldr32.exe
>> >> > RUNDLL32.EXE "C:\WINDOWS\System32\RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
>> >> > IEXPLORE.EXE "C:\WINDOWS\olefiles\iexplore.exe"
>> >> > SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k imgsvc
>> >> > SYMLCSVC.EXE "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
>> >> > MSMSGS.EXE "C:\Program Files\Messenger\msmsgs.exe" -Embedding
>> >> > StartupTracker3.exe "C:\download\StartupTracker3.exe"
>> >> > wuauclt.exe "C:\WINDOWS\System32\wuauclt.exe"
>> >> > wmiprvse.exe
>> >> >
>> >> > -- Running Services --
>> >> >
>> >> > Name: AudioSrv
>> >> > Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: C-DillaCdaC11BA
>> >> > Description:
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\drivers\CDAC11BA.EXE
>> >> >
>> >> > Name: ccEvtMgr
>> >> > Description: Symantec Event Manager
>> >> > Startup Mode: Auto
>> >> > Run from: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
>> >> >
>> >> > Name: ccSetMgr
>> >> > Description: Symantec Settings Manager
>> >> > Startup Mode: Auto
>> >> > Run from: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
>> >> >
>> >> > Name: Creative Service for CDROM Access
>> >> > Description:
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\CTsvcCDA.exe
>> >> >
>> >> > Name: CryptSvc
>> >> > Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: Dhcp
>> >> > Description: Manages network configuration by registering and updating IP addresses and DNS names.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: dmserver
>> >> > Description: Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: Dnscache
>> >> > Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService
>> >> >
>> >> > Name: ERSvc
>> >> > Description: Allows error reporting for services and applications running in non-standard environments.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: Eventlog
>> >> > Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\system32\services.exe
>> >> >
>> >> > Name: EventSystem
>> >> > Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Manual
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: FastUserSwitchingCompatibility
>> >> > Description: Provides management for applications that require assistance in a multiple user environment.
>> >> > Startup Mode: Manual
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: helpsvc
>> >> > Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: lanmanserver
>> >> > Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: lanmanworkstation
>> >> > Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: LmHosts
>> >> > Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k LocalService
>> >> >
>> >> > Name: Messenger
>> >> > Description: Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: Netman
>> >> > Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
>> >> > Startup Mode: Manual
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: Nla
>> >> > Description: Collects and stores network configuration and location information, and notifies applications when this information changes.
>> >> > Startup Mode: Manual
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: NVSvc
>> >> > Description: Provides system and desktop level support to the NVIDIA display driver
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\nvsvc32.exe
>> >> >
>> >> > Name: PlugPlay
>> >> > Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\system32\services.exe
>> >> >
>> >> > Name: PolicyAgent
>> >> > Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\lsass.exe
>> >> >
>> >> > Name: ProtectedStorage
>> >> > Description: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\system32\lsass.exe
>> >> >
>> >> > Name: RasMan
>> >> > Description: Creates a network connection.
>> >> > Startup Mode: Manual
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: RemoteRegistry
>> >> > Description: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\system32\svchost.exe -k LocalService
>> >> >
>> >> > Name: RpcSs
>> >> > Description: Provides the endpoint mapper and other miscellaneous RPC services.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\system32\svchost -k rpcss
>> >> >
>> >> > Name: SamSs
>> >> > Description: Stores security information for local user accounts.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\system32\lsass.exe
>> >> >
>> >> > Name: Schedule
>> >> > Description: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: seclogon
>> >> > Description: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: SENS
>> >> > Description: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: ShellHWDetection
>> >> > Description:
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: Spooler
>> >> > Description: Loads files to memory for later printing.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\system32\spoolsv.exe
>> >> >
>> >> > Name: srservice
>> >> > Description: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: SSDPSRV
>> >> > Description: Enables discovery of UPnP devices on your home network.
>> >> > Startup Mode: Manual
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k LocalService
>> >> >
>> >> > Name: stisvc
>> >> > Description: Provides image acquisition services for scanners and cameras.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k imgsvc
>> >> >
>> >> > Name: Symantec Core LC
>> >> > Description: Symantec Core LC
>> >> > Startup Mode: Auto
>> >> > Run from: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
>> >> >
>> >> > Name: TapiSrv
>> >> > Description: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
>> >> > Startup Mode: Manual
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: TermService
>> >> > Description: Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
>> >> > Startup Mode: Manual
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: Themes
>> >> > Description: Provides user experience theme management.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: TrkWks
>> >> > Description: Maintains links between NTFS files within a computer or across computers in a network domain.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: uploadmgr
>> >> > Description: Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: W32Time
>> >> > Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: WebClient
>> >> > Description: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k LocalService
>> >> >
>> >> > Name: winmgmt
>> >> > Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: wuauserv
>> >> > Description: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
>> >> >
>> >> > Name: WZCSVC
>> >> > Description: Provides automatic configuration for the 802.11 adapters
>> >> > Startup Mode: Auto
>> >> > Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
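The triage Doug walks jay through above (read the Run keys and the process list out of the tracker log, pick out the values worth a closer look, export the Run subkey before deleting anything) as an added, runnable example. This is not code from the original thread and not Doug Knox's Startup Programs Tracker; it only consumes a log in the layout quoted above. It assumes a small map of where a few Windows binaries are expected to live on an XP-era system (an assumption, kept in `EXPECTED_DIR`), treats a value whose command is a bare file name (`SysTray.Exe`, `CTHELPER.EXE`) as "review" because the search path decides what actually runs, and emits reg.exe export/delete lines as text for a person to read before running; nothing here touches the registry. The sample log is a constructed excerpt of the one jay posted.

```python
"""Triage a Startup Programs Tracker style log (added example, not the tracker itself)."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

SECTION = re.compile(r"^-- (.+?) --$")
HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}
# A command starts with a quote, a drive letter, or a bare executable/DLL name.
CMD_START = re.compile(r'^(?:"|[A-Za-z]:\\|[^\s"\\]+\.(?:exe|com|dll)$)', re.IGNORECASE)
# Assumed canonical directories for a few Windows binaries on an XP-era system.
EXPECTED_DIR = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "explorer.exe": r"c:\windows",
    "rundll32.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}

# Constructed excerpt in the tracker's layout, taken from the log quoted in the thread.
SAMPLE_LOG = r"""
-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
SystemTray SysTray.Exe
iexplore C:\WINDOWS\System32\iexplore.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
WINDVDPatch CTHELPER.EXE
UpdReg C:\WINDOWS\UpdReg.EXE
QuickTime Task "C:\program files\quicktime\qttask.exe" -atboottime

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Running Processes --
EXPLORER.EXE C:\WINDOWS\Explorer.EXE
IEXPLORE.EXE "C:\WINDOWS\olefiles\iexplore.exe"
SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k netsvcs
"""


class Finding(NamedTuple):
    where: str      # registry key path, or "process"
    name: str       # value name, or image name
    command: str
    severity: str   # "mismatch" (known binary in the wrong directory) or "review"
    reason: str


def split_value_line(line: str) -> Tuple[str, str]:
    """Split 'ValueName command ...'; the value name may itself contain spaces."""
    tokens = line.split()
    for i in range(1, len(tokens)):
        if CMD_START.match(tokens[i]):
            return " ".join(tokens[:i]), " ".join(tokens[i:])
    return line.strip(), ""


def image_path(command: str) -> Optional[str]:
    """Executable part of a command line: the quoted path, else the first token."""
    command = command.strip()
    if not command:
        return None
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 1 else None
    return command.split()[0]


def parse_tracker_log(text: str) -> Dict[str, object]:
    """Collect Run/RunOnce values per key and the running-process list."""
    run_keys: Dict[str, List[Tuple[str, str]]] = {}
    processes: List[Tuple[str, str]] = []
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if not line or line == "No Items Found":
            continue
        if section == "Registry":
            if current_key is None:          # first line under the header is the key path
                current_key = line
                run_keys.setdefault(current_key, [])
            else:
                run_keys[current_key].append(split_value_line(line))
        elif section == "Running Processes":
            image, _, cmd = line.partition(" ")
            processes.append((image, cmd))
    return {"run_keys": run_keys, "processes": processes}


def check_path(path: str) -> Optional[Tuple[str, str]]:
    """(severity, reason) for an image path, or None if nothing stands out."""
    if "\\" not in path:
        return "review", "bare file name: resolved through the search path, location unknown"
    directory, base = path.lower().rsplit("\\", 1)
    expected = EXPECTED_DIR.get(base)
    if expected and directory != expected:
        return "mismatch", f"{base} runs from {directory}, expected {expected}"
    return None


def flag_entries(parsed: Dict[str, object]) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in parsed["run_keys"].items():
        for name, command in values:
            path = image_path(command)
            verdict = check_path(path) if path else None
            if verdict:
                findings.append(Finding(key, name, command, *verdict))
    for image, command in parsed["processes"]:
        path = image_path(command)
        verdict = check_path(path) if path else None
        if verdict and verdict[0] == "mismatch":   # unpathed process entries are not useful here
            findings.append(Finding("process", image, command, *verdict))
    return findings


def abbreviate(key: str) -> str:
    hive, _, rest = key.partition("\\")
    return HIVE_ABBREV.get(hive, hive) + "\\" + rest


def reg_commands(findings: List[Finding], include_review: bool = False) -> List[str]:
    """Export each touched Run key once, then delete the flagged values (text only)."""
    cmds: List[str] = []
    exported: List[str] = []
    for f in findings:
        if f.where == "process" or (f.severity == "review" and not include_review):
            continue
        key = abbreviate(f.where)
        if key not in exported:
            exported.append(key)
            cmds.append(f'reg export "{key}" "run-backup-{len(exported)}.reg"')
        cmds.append(f'reg delete "{key}" /v "{f.name}" /f')
    return cmds


if __name__ == "__main__":
    found = flag_entries(parse_tracker_log(SAMPLE_LOG))
    for f in found:
        print(f"[{f.severity}] {f.where} :: {f.name} -> {f.reason}")
    print("\n".join(reg_commands(found)))
```

The export line comes first on purpose: Doug's sequence is back up the subkey, delete, reboot, then re-read the key to see whether the values came back, and that last step is just `parse_tracker_log` on a fresh log. Passing `include_review=True` extends the delete list to the bare-name values (SystemTray, WINDVDPatch) that Doug singled out, which is why they are reported separately rather than dropped.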