
PC Slow after Internet Connect with log


#1 harrassment (New Member, 9 posts)
Within 2 minutes of connecting to the internet my PC slows to a crawl and CPU usage stays at 100% until a hard reboot. Ctrl-Alt-Del will not bring up the Windows Task Manager, although the icon appears in the task bar. I have to start it prior to connection. According to Processes, svchost.exe basically utilises all system resources. If I kill internet activity with Zone Alarm I get continual messages saying slserver and ipsecs.exe are trying to connect.

I have run my virus protection, Ad-aware, Spybot, Spyware Doctor, X-Cleaner Free and anything else I could get my hands on to no avail.

It is even extremely difficult to post a log from HijackThis: a scan when not connected to the Internet works fine (see HijackThis_B4_log.txt), but once connected the scan itself works fine but it has extreme difficulty in creating the logfile. I had to use Task Manager to stop svchost to get enough system resources for Notepad to run. I then only get a couple of minutes to add the attachments to this post as once CPU is at 100%, the browse window won't open.

Any help in rectifying this would be much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 12:45:38 PM, on 20/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\minilog.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ipsecs.exe
C:\WINDOWS\System32\slserver.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taskmgr.exe
D:\Temp_Virus\hijackthis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\tftp.exe
C:\WINDOWS\system32\slserves.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mcnews.com.au/latest.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mcnews.com.au/latest.htm
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: PhishingNet BHO - {DE3A0297-5EFF-4FF2-A48D-ABBC67D4D774} - C:\Program Files\Desktop Armor\GeekSuperheroX.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DelPnPDirver] C:\Program Files\panasonic\panasonic KX-P7100\DelPnPD.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows IP Security Service] ipsecs.exe
O4 - HKLM\..\Run: [NAV Auto Updates] slserver.exe
O4 - HKLM\..\RunServices: [Windows IP Security Service] ipsecs.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserver.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Windows IP Security Service] ipsecs.exe
O4 - HKCU\..\Run: [NAV Auto Updates] slserver.exe
O4 - HKCU\..\RunServices: [Windows IP Security Service] ipsecs.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Desktop Armor\GeekSuperheroX.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Desktop Armor\GeekSuperheroX.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Desktop Armor\GeekSuperheroX.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8A395B3-B94D-47ED-9631-05CEEB4B5B74}: NameServer = 203.134.24.70 203.134.26.70
O18 - Filter: text/html - {99FEA1B2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Desktop Armor\GeekSuperheroX.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\minilog.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Cheers

Attached File: hijackthis_log.txt (6.63KB, 125 downloads)
Attached File: hijackthis_b4_log.txt (6.33KB, 168 downloads)

Edited by OldTimer, 26 March 2005 - 08:45 PM.

#2 OldTimer (Global Moderator, 3,272 posts)
Hello harrassment and welcome to the GTG forums. After reviewing your log I see a few items that require our attention. Please proceed with the following steps in order.

Step #1

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O4 - HKLM\..\Run: [Windows IP Security Service] ipsecs.exe
O4 - HKLM\..\Run: [NAV Auto Updates] slserver.exe
O4 - HKLM\..\RunServices: [Windows IP Security Service] ipsecs.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserver.exe
O4 - HKCU\..\Run: [Windows IP Security Service] ipsecs.exe
O4 - HKCU\..\Run: [NAV Auto Updates] slserver.exe
O4 - HKCU\..\RunServices: [Windows IP Security Service] ipsecs.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #2

We need to make sure all hidden files are showing so please:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\System32\ipsecs.exe
C:\WINDOWS\System32\slserver.exe

Next, let's clean up the temporary folders:

* Click Start
* Point to Programs
* Point to Accessories
* Point to System Tools
* Click Disk Cleanup
* Select the following items and then click the OK button.
* Temp Setup Files
* Downloaded Program Files
* Temp Internet Files
* Debug Dump Files
* Office Setup Files
* old chkdsk files
* Recycle Bin
* Temp Remote Desktop Files
* Setup Log Files
* Temp Files
* WebClient temp files

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in.

OT
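The seven O4 items singled out in Step #1 share two tell-tales that are visible in the log itself: the value is a bare filename with no directory (ipsecs.exe, slserver.exe) where every legitimate entry carries a full path, and the same file is registered under several Run/RunServices keys across both HKLM and HKCU. As an added example (not code from this thread, from OldTimer, or from HijackThis), here is a Python script that parses the registry-based O4 lines of a saved HijackThis log and flags entries on exactly those two grounds. The sample log is a constructed subset of the O4 lines posted above; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows IP Security Service] ipsecs.exe
O4 - HKLM\..\Run: [NAV Auto Updates] slserver.exe
O4 - HKLM\..\RunServices: [Windows IP Security Service] ipsecs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NAV Auto Updates] slserver.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

# Registry-based O4 lines look like: "O4 - <hive>\..\<key>: [<name>] <command>"
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$')


def parse_o4(log_text):
    """Return (hive, key, name, command) tuples for every registry O4 line.
    Startup-folder O4 lines and all other log sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries


def executable_of(command):
    """Extract the executable from a Run-key command string: a quoted path is
    taken up to the closing quote, otherwise the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ''


def find_suspicious(log_text):
    """Flag O4 entries that (a) name a bare file with no directory, so Windows
    resolves it by search path at logon, or (b) are registered under more than
    one Run/RunServices location. Returns (hive, key, name, exe, reasons) tuples."""
    entries = parse_o4(log_text)
    locations = defaultdict(set)
    for hive, key, _name, command in entries:
        locations[executable_of(command).lower()].add((hive, key))

    findings = []
    for hive, key, name, command in entries:
        exe = executable_of(command)
        reasons = []
        if '\\' not in exe:
            reasons.append('bare filename, no path')
        if len(locations[exe.lower()]) > 1:
            reasons.append('registered in %d locations' % len(locations[exe.lower()]))
        if reasons:
            findings.append((hive, key, name, exe, reasons))
    return findings


if __name__ == '__main__':
    for hive, key, name, exe, reasons in find_suspicious(SAMPLE_LOG):
        print('%s\\..\\%s [%s] -> %s: %s' % (hive, key, name, exe, '; '.join(reasons)))
```

Run against the sample it reports the four ipsecs.exe/slserver.exe registrations and nothing else; the friendly names in square brackets ("Windows IP Security Service", "NAV Auto Updates") are deliberately not used as a signal, since a name is whatever the installer chose to write.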

#3 harrassment (Topic Starter, New Member, 9 posts)
G'day OldTimer,

Thanks for the assistance. I have followed all your instructions, removed ipsecs.exe, slserver.exe as well as slserves.exe. Following is the new log from HijackThis just prior to logging on, which is the same as what I get once connected. I also removed the item at O17 but it came back after reboot.

Additional processes running once connected are csrss.exe, firefox.exe, HijackThis.exe, naPrdMgr.exe, notepad.exe and 3 more versions of svchost.exe. Would send this log but would have to reboot and logon again!

PC is still exhibiting the same problem with CPU usage going to 100% within 2 mins of logging on. Once this occurs Windows Task Manager is locked out, as is the Network button on the taskbar (can't disconnect without manually killing the modem). svchost.exe is still taking the system resources until I end it. Is there any way to see what processes are using it? I know this sounds like a virus but I updated McAfee again yesterday and it found nothing.

Much appreciated.

Regards

Rod



Logfile of HijackThis v1.99.1
Scan saved at 5:40:36 PM, on 28/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\minilog.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
D:\Temp_Virus\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mcnews.com.au/latest.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mcnews.com.au/latest.htm
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: PhishingNet BHO - {DE3A0297-5EFF-4FF2-A48D-ABBC67D4D774} - C:\Program Files\Desktop Armor\GeekSuperheroX.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DelPnPDirver] C:\Program Files\panasonic\panasonic KX-P7100\DelPnPD.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Desktop Armor\GeekSuperheroX.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Desktop Armor\GeekSuperheroX.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Desktop Armor\GeekSuperheroX.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8A395B3-B94D-47ED-9631-05CEEB4B5B74}: NameServer = 203.134.64.66 203.134.65.66
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\minilog.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 OldTimer (Global Moderator, 3,272 posts)
Hey harrassment. Your log is now clean. Congratulations! We have a couple of last steps to perform and then you're all set. Before we get to that let's talk about your CPU usage issue. Here's what I want you to do. Download Sysinternals Free Process Explorer. Unzip it to a directory and then start the executable. This will monitor all of the processes running on your computer and the cpu usage. Start IE and watch which svchost process is utilizing all of the cpu cycles. If you click on the process the bottom of the screen will tell you the executable tied to that svchost process. Report back here with your findings. My guess is that it is going to be McAfee, but that's just a guess.

Also, I did not ask you to remove the O17 line because it is set by your ISP and is needed for internet connectivity. Do not remove that line with HijackThis.

Now we have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster, SpywareGuard and IESpy-Ad. They will add 1000s of sites to your restricted zone and block some hijacks from happening.

You should also have a good firewall and anti-virus application like the ones you are currently using. It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your system up to date and clean visit Windows Update monthly, run AdAware SE and Spybot Search & Destroy weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

OT


#5 harrassment (Topic Starter, New Member, 9 posts)
G'day OT,

Thanks again for all the help. Nice to know my PC is now free from malware and best of all you have given me some more knowledge in how to fight it and stay clean. I have also followed your other instructions and will not remove O17 again, although it came back upon reconnection.

Now if I can just get my CPU issue sorted out, I will again have a fully functional PC.

The Sysinternals Process Explorer looks really good but I'm a bit unsure of how to capture what you need to see. The svchost process that is sucking up my CPU as I write this has PID 844 under parent services.exe (640). When I look at the Properties of the svchost process in the "Threads" tab it shows the thread with most CPU usage (consistently > 90%) has a start address of "RPCRT4.dll+0x15dd".

I'd need a rough idea of what to look for in the lower pane and whether to look under Handles or DLLs. Under DLLs virtually everything comes from Microsoft with the exception of some .nls and .clb. Under Handles is a large number of directories, events, files, keys, mutants, ports, processes etc. There doesn't seem to be an obvious way to record this information either.

Again, much obliged.

Rod

#6 OldTimer (Global Moderator, 3,272 posts)
Hey harrassment. That dll file is used for Remote Procedure Calls. It might be a valid process that is misbehaving and it might be a rogue process. I have had a few instances of valid programs utilizing cpu cycles that I had to kill.

Let's do this. In the top pane, click on the RPCRT4.dll item under services. Then click on File>Save to save the information to a text file. Post that file back here as a reply to this topic and I will look at it when it comes in. If it is a valid program that is doing this then you will need to decide whether you want to allow it and live with it or uninstall the application that it belongs to. If it is a rogue process then we will have to come up with a way to kill it.

Cheers.

OT

#7 harrassment (Topic Starter, New Member, 9 posts)
G'day OT,

Please see attached for two logs taken with Process Explorer just after the CPU problem occurred. One is with the DLL list for svchost, the other with the handles. It is also interesting that the normal Windows Task Manager window and Dial-up status window cannot be brought up once the svchost process takes the system resources, nor does it improve once I end the svchost process.

Interestingly I believe I saw tftp.exe as a sub-task of svchost just after the CPU had gone to 100%. For the moment I have Zone Alarm set to block this application till I can work out if it is a valid process and what is using it and whether it is actually needed. I have currently been logged on for 20 minutes without a problem as well!

Again, many thanks for your time and assistance.

Cheers

Harrassment


#8 OldTimer (Global Moderator, 3,272 posts)
Hi harrassment. I didn't see anything out of the ordinary in the 2 logs that you posted regarding the svchost.exe. They showed normal entries for a dial-up modem. The tftp.exe file is used for Trivial File Transfer Protocol. If you have it blocked by your firewall try and do a manual update of your anti-virus and Microsoft Update to see if they work. If they do not I still think that what is happening is that one of those is performing an update in the background and bringing everything else to a stand still. Just a thought.

Cheers.

OT

#9 harrassment (Topic Starter, New Member, 9 posts)
G'day OT,

Sorry for the delay in getting back to you again but work has prevented me from spending any time at home with my PC, which worked OK for a couple of days after blocking tftp.exe but has since started up again. I tried renaming tftp.exe in the system32 directory so it couldn't run but it looks like it pulled a backup from dllcache. I got filemon from sysinternals.com on the advice of a friend and actually logged what svchost.exe is doing when CPU goes to 100%. See below for the relevant portion of the log.

It looks as though svchost is looking for winlite.exe which, from what I can find, is some sort of virus and is not actually on my PC anyway. Any idea what could be causing svchost to look for this file and how to stop it?

Thanks again for all your help.

Cheers

Rod


36 4:07:34 PM firefox.exe:4000 OPEN C:\Program Files\Mozilla Firefox\res\builtin\ SUCCESS Options: Open Directory Access: All
37 4:07:34 PM firefox.exe:4000 DIRECTORY C:\Program Files\Mozilla Firefox\res\builtin\ NO SUCH FILE FileBothDirectoryInformation: userHTMLBindings.xml
38 4:07:34 PM firefox.exe:4000 CLOSE C:\Program Files\Mozilla Firefox\res\builtin\ SUCCESS
39 4:07:34 PM OUTLOOK.EXE:3868 READ C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Offset: 17613824 Length: 512
40 4:07:34 PM OUTLOOK.EXE:3868 QUERY INFORMATION C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Length: 51249152
41 4:07:34 PM OUTLOOK.EXE:3868 READ C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Offset: 377984 Length: 128
42 4:07:34 PM OUTLOOK.EXE:3868 QUERY INFORMATION C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Length: 51249152
43 4:07:34 PM OUTLOOK.EXE:3868 READ C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Offset: 12015616 Length: 512
44 4:07:34 PM OUTLOOK.EXE:3868 QUERY INFORMATION C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Length: 51249152
45 4:07:34 PM OUTLOOK.EXE:3868 READ C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Offset: 9217536 Length: 8192
46 4:07:34 PM OUTLOOK.EXE:3868 QUERY INFORMATION C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Length: 51249152
47 4:07:34 PM OUTLOOK.EXE:3868 READ C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Offset: 23954944 Length: 8192
48 4:07:34 PM OUTLOOK.EXE:3868 QUERY INFORMATION C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Length: 51249152
49 4:07:34 PM OUTLOOK.EXE:3868 READ C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Offset: 9247232 Length: 512
50 4:07:34 PM OUTLOOK.EXE:3868 QUERY INFORMATION C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Length: 51249152
51 4:07:34 PM OUTLOOK.EXE:3868 READ C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Offset: 38962304 Length: 8192
52 4:07:34 PM OUTLOOK.EXE:3868 QUERY INFORMATION C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Length: 51249152
53 4:07:34 PM OUTLOOK.EXE:3868 READ C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Offset: 24558144 Length: 8192
54 4:07:34 PM OUTLOOK.EXE:3868 QUERY INFORMATION C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Length: 51249152
55 4:07:34 PM OUTLOOK.EXE:3868 READ C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Offset: 48072192 Length: 8192
56 4:07:34 PM OUTLOOK.EXE:3868 QUERY INFORMATION C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Length: 51249152
57 4:07:34 PM OUTLOOK.EXE:3868 READ C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Offset: 38962304 Length: 8192
58 4:07:34 PM OUTLOOK.EXE:3868 QUERY INFORMATION C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Length: 51249152
59 4:07:34 PM OUTLOOK.EXE:3868 READ C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Offset: 48154112 Length: 8192
60 4:07:34 PM OUTLOOK.EXE:3868 QUERY INFORMATION C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Length: 51249152
61 4:07:34 PM OUTLOOK.EXE:3868 READ C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Offset: 9196864 Length: 3648
62 4:07:34 PM OUTLOOK.EXE:3868 QUERY INFORMATION C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Length: 51249152
63 4:07:36 PM OUTLOOK.EXE:3868 READ C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Offset: 3350016 Length: 512
64 4:07:36 PM OUTLOOK.EXE:3868 QUERY INFORMATION C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Length: 51249152
65 4:07:36 PM OUTLOOK.EXE:3868 READ C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Offset: 74304 Length: 128
66 4:07:36 PM OUTLOOK.EXE:3868 QUERY INFORMATION C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Length: 51249152
67 4:07:36 PM OUTLOOK.EXE:3868 READ C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Offset: 24969344 Length: 8192
68 4:07:36 PM OUTLOOK.EXE:3868 QUERY INFORMATION C:\Documents and Settings\Rod\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst SUCCESS Length: 51249152
69 4:07:36 PM explorer.exe:1872 QUERY INFORMATION C:\WINDOWS\system32\NETSHELL.dll SUCCESS Attributes: A
70 4:07:44 PM explorer.exe:1872 QUERY INFORMATION C:\Program Files\Mozilla Firefox\firefox.exe SUCCESS Attributes: A
71 4:07:44 PM explorer.exe:1872 OPEN C:\Program Files\Mozilla Firefox\firefox.exe SUCCESS Options: Open Access: Execute
72 4:07:44 PM explorer.exe:1872 QUERY INFORMATION C:\Program Files\Mozilla Firefox\firefox.exe SUCCESS Length: 6621794
73 4:07:44 PM explorer.exe:1872 CLOSE C:\Program Files\Mozilla Firefox\firefox.exe SUCCESS
74 4:07:44 PM vsmon.exe:1500 QUERY INFORMATION C:\WINDOWS\system32\shell32.dll SUCCESS Attributes: A
75 4:07:44 PM vsmon.exe:1500 OPEN C:\WINDOWS\system32\shell32.dll SUCCESS Options: Open Access: All
76 4:07:44 PM vsmon.exe:1500 QUERY INFORMATION C:\WINDOWS\system32\shell32.dll SUCCESS Attributes: A
77 4:07:44 PM vsmon.exe:1500 SET INFORMATION C:\WINDOWS\system32\shell32.dll SUCCESS FileBasicInformation
78 4:07:44 PM vsmon.exe:1500 READ C:\WINDOWS\system32\shell32.dll SUCCESS Offset: 0 Length: 12
79 4:07:44 PM vsmon.exe:1500 QUERY INFORMATION C:\WINDOWS\system32\shell32.dll SUCCESS Length: 8336384
80 4:07:44 PM vsmon.exe:1500 QUERY INFORMATION C:\WINDOWS\system32\shell32.dll SUCCESS Length: 8336384
81 4:07:44 PM vsmon.exe:1500 CLOSE C:\WINDOWS\system32\shell32.dll SUCCESS
82 4:07:45 PM firefox.exe:4000 WRITE C:\Documents and Settings\Rod\Application Data\Mozilla\Firefox\Profiles\fb8xsntt.default\Cache\_CACHE_003_ SUCCESS Offset: 389120 Length: 8192
83 4:07:45 PM firefox.exe:4000 WRITE C:\Documents and Settings\Rod\Application Data\Mozilla\Firefox\Profiles\fb8xsntt.default\Cache\_CACHE_001_ SUCCESS Offset: 304128 Length: 512
84 4:07:47 PM firefox.exe:4000 OPEN C:\Documents and Settings\Rod\Application Data\Mozilla\Firefox\Profiles\fb8xsntt.default\Cache\64663DB3d01 SUCCESS Options: OpenIf Access: All
85 4:07:47 PM firefox.exe:4000 WRITE C:\Documents and Settings\Rod\Application Data\Mozilla\Firefox\Profiles\fb8xsntt.default\Cache\64663DB3d01 SUCCESS Offset: 0 Length: 16384
86 4:07:47 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\rpcss.dll SUCCESS Attributes: A
87 4:07:47 PM svchost.exe:832 OPEN C:\WINDOWS\system32\rpcss.dll SUCCESS Options: Open Access: Execute
88 4:07:47 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\rpcss.dll SUCCESS Length: 260608
89 4:07:47 PM svchost.exe:832 CLOSE C:\WINDOWS\system32\rpcss.dll SUCCESS
90 4:07:48 PM firefox.exe:4000 WRITE C:\Documents and Settings\Rod\Application Data\Mozilla\Firefox\Profiles\fb8xsntt.default\Cache\64663DB3d01 SUCCESS Offset: 16384 Length: 16384
91 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\debug SUCCESS Attributes: D
92 4:07:49 PM svchost.exe:832 OPEN C:\WINDOWS\debug\NetSetup.LOG SUCCESS Options: OpenIf Access: All
93 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\debug\NetSetup.LOG SUCCESS Length: 8071
94 4:07:49 PM svchost.exe:832 WRITE C:\WINDOWS\debug\NetSetup.LOG SUCCESS Offset: 8071 Length: 82
95 4:07:49 PM svchost.exe:832 WRITE C:\WINDOWS\debug\NetSetup.LOG SUCCESS Offset: 8153 Length: 50
96 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\tftp.exe SUCCESS Attributes: A
97 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\tftp.exe SUCCESS Attributes: A
98 4:07:49 PM svchost.exe:832 OPEN C:\WINDOWS\System32\tftp.exe SUCCESS Options: Open Access: All
99 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\tftp.exe SUCCESS Length: 16896
100 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\tftp.exe SUCCESS Attributes: A
101 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\tftp.exe SUCCESS Length: 16896
102 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\tftp.exe SUCCESS Attributes: A
103 4:07:49 PM svchost.exe:832 OPEN C:\ SUCCESS Options: Open Directory Access: All
104 4:07:49 PM svchost.exe:832 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: WINDOWS
105 4:07:49 PM svchost.exe:832 CLOSE C:\ SUCCESS
106 4:07:49 PM svchost.exe:832 OPEN C:\WINDOWS\ SUCCESS Options: Open Directory Access: All
107 4:07:49 PM svchost.exe:832 DIRECTORY C:\WINDOWS\ SUCCESS FileBothDirectoryInformation: system32
108 4:07:49 PM svchost.exe:832 CLOSE C:\WINDOWS\ SUCCESS
109 4:07:49 PM svchost.exe:832 OPEN C:\WINDOWS\system32\ SUCCESS Options: Open Directory Access: All
110 4:07:49 PM svchost.exe:832 DIRECTORY C:\WINDOWS\system32\ SUCCESS FileBothDirectoryInformation: tftp.exe
111 4:07:49 PM svchost.exe:832 CLOSE C:\WINDOWS\system32\ SUCCESS
112 4:07:49 PM svchost.exe:832 OPEN C:\WINDOWS\System32\tftp.exe.Manifest FILE NOT FOUND Options: Open Access: All
113 4:07:49 PM svchost.exe:832 CLOSE C:\WINDOWS\System32\tftp.exe SUCCESS
114 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\winlite.exe FILE NOT FOUND Attributes: Error
115 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\winlite.exe FILE NOT FOUND Attributes: Error
116 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\winlite.exe FILE NOT FOUND Attributes: Error
117 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system\winlite.exe FILE NOT FOUND Attributes: Error
118 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\winlite.exe FILE NOT FOUND Attributes: Error
119 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\winlite.exe FILE NOT FOUND Attributes: Error
120 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\winlite.exe FILE NOT FOUND Attributes: Error
121 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\Wbem\winlite.exe FILE NOT FOUND Attributes: Error
122 4:07:49 PM tftp.exe:4084 QUERY INFORMATION C:\WINDOWS\System32\tftp.exe SUCCESS FileNameInformation
123 4:07:49 PM tftp.exe:4084 OPEN C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf SUCCESS Options: Open Access: All
124 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\PROGRA~1\ULTRAE~1\winlite.exe FILE NOT FOUND Attributes: Error
125 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\winlite.exe FILE NOT FOUND Attributes: Error
126 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\winlite.exe FILE NOT FOUND Attributes: Error
127 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\winlite.exe FILE NOT FOUND Attributes: Error
128 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system\winlite.exe FILE NOT FOUND Attributes: Error
129 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\winlite.exe FILE NOT FOUND Attributes: Error
130 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\winlite.exe FILE NOT FOUND Attributes: Error
131 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\winlite.exe FILE NOT FOUND Attributes: Error
132 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\Wbem\winlite.exe FILE NOT FOUND Attributes: Error
133 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\PROGRA~1\ULTRAE~1\winlite.exe FILE NOT FOUND Attributes: Error
134 4:07:49 PM Mcshield.exe:1304 OPEN C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf SUCCESS Options: Open Access: All
135 4:07:49 PM Mcshield.exe:1304 SET INFORMATION C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf SUCCESS FileBasicInformation
136 4:07:49 PM Mcshield.exe:1304 CLOSE C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf SUCCESS
137 4:07:49 PM Mcshield.exe:1304 OPEN C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf SUCCESS Options: Open Access: All
138 4:07:49 PM Mcshield.exe:1304 SET INFORMATION C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf SUCCESS FileBasicInformation
139 4:07:49 PM Mcshield.exe:1304 CLOSE C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf SUCCESS
140 4:07:49 PM Mcshield.exe:1304 OPEN C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf SUCCESS Options: Open Access: All
141 4:07:49 PM Mcshield.exe:1304 SET INFORMATION C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf SUCCESS FileBasicInformation
142 4:07:49 PM Mcshield.exe:1304 READ C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf SUCCESS Offset: 0 Length: 4096
143 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\winlite.exe FILE NOT FOUND Attributes: Error
144 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\winlite.exe FILE NOT FOUND Attributes: Error
145 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\winlite.exe FILE NOT FOUND Attributes: Error
146 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system\winlite.exe FILE NOT FOUND Attributes: Error
147 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\winlite.exe FILE NOT FOUND Attributes: Error
148 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\winlite.exe FILE NOT FOUND Attributes: Error
149 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\winlite.exe FILE NOT FOUND Attributes: Error
150 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\Wbem\winlite.exe FILE NOT FOUND Attributes: Error
151 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\PROGRA~1\ULTRAE~1\winlite.exe FILE NOT FOUND Attributes: Error
152 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\winlite.exe FILE NOT FOUND Attributes: Error
153 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\winlite.exe FILE NOT FOUND Attributes: Error
154 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\winlite.exe FILE NOT FOUND Attributes: Error
155 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system\winlite.exe FILE NOT FOUND Attributes: Error
156 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\winlite.exe FILE NOT FOUND Attributes: Error
157 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\winlite.exe FILE NOT FOUND Attributes: Error
158 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\winlite.exe FILE NOT FOUND Attributes: Error
159 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\Wbem\winlite.exe FILE NOT FOUND Attributes: Error
160 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\PROGRA~1\ULTRAE~1\winlite.exe FILE NOT FOUND Attributes: Error
161 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\winlite.exe FILE NOT FOUND Attributes: Error
162 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\winlite.exe FILE NOT FOUND Attributes: Error
163 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\winlite.exe FILE NOT FOUND Attributes: Error
164 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system\winlite.exe FILE NOT FOUND Attributes: Error
165 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\winlite.exe FILE NOT FOUND Attributes: Error
166 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\winlite.exe FILE NOT FOUND Attributes: Error
167 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\winlite.exe FILE NOT FOUND Attributes: Error
168 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\Wbem\winlite.exe FILE NOT FOUND Attributes: Error
169 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\PROGRA~1\ULTRAE~1\winlite.exe FILE NOT FOUND Attributes: Error
170 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\winlite.exe FILE NOT FOUND Attributes: Error
171 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\winlite.exe FILE NOT FOUND Attributes: Error
172 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\winlite.exe FILE NOT FOUND Attributes: Error
173 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system\winlite.exe FILE NOT FOUND Attributes: Error
174 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\winlite.exe FILE NOT FOUND Attributes: Error
175 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\winlite.exe FILE NOT FOUND Attributes: Error
176 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\winlite.exe FILE NOT FOUND Attributes: Error
  • 0

#10
OldTimer

    Global Moderator

  • 3,272 posts
Hi harrassment. Winlite is bad. It might have been installed and still has some remnants left over or registry entries left behind. Let's try this:

Download and install the Microsoft AntiSpyware Beta. Update the program and let it do a complete scan. This may take a little while so be patient. Perform the fixes that it suggests.

See if anything regarding winlite shows up in any of the fixes that were proposed, especially registry fixes.

Then run FileMon again and see if the svchost process searches for winlite.exe again.

If the problem persists, we'll move on to the next step.

Cheers.

OT

Edited by OldTimer, 08 April 2005 - 08:50 AM.

  • 0
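
The check OT describes (run FileMon again and see whether the svchost process walks the path for winlite.exe) can be scripted rather than read by eye. The following is an added example, not code from this thread or from Sysinternals: it parses FileMon's text export and applies three rules drawn from the log posted above: one process probing the same missing .exe in several directories, a service host opening a built-in network transfer tool, and a new process whose image another process had just opened. The sample records are constructed to mirror the posted log, and the `TRANSFER_TOOLS` watchlist and the launch-inference heuristic (FileMon records no parent process, so the launcher is inferred from ordering) are this example's own assumptions.

```python
"""Triage a Sysinternals FileMon text log for a service host that behaves like a
dropper.  Added example; not code from this thread or from Sysinternals."""
import re
from collections import defaultdict
from dataclasses import dataclass

# FileMon record layout: seq, time, image:pid, operation, path, result, detail.
FILEMON_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<proc>[^:\s]+):(?P<pid>\d+)\s+"
    r"(?P<op>QUERY INFORMATION|SET INFORMATION|DIRECTORY|OPEN|CLOSE|READ|WRITE)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|FILE NOT FOUND|PATH NOT FOUND|ACCESS DENIED)"
    r"(?:\s+(?P<detail>.*))?$")

# Constructed sample, modelled on the FileMon excerpt posted in this thread.
SAMPLE_LOG = r"""
84 4:07:47 PM firefox.exe:4000 OPEN C:\Documents and Settings\Rod\Application Data\Mozilla\Firefox\Profiles\fb8xsntt.default\Cache\64663DB3d01 SUCCESS Options: OpenIf Access: All
87 4:07:47 PM svchost.exe:832 OPEN C:\WINDOWS\system32\rpcss.dll SUCCESS Options: Open Access: Execute
98 4:07:49 PM svchost.exe:832 OPEN C:\WINDOWS\System32\tftp.exe SUCCESS Options: Open Access: All
112 4:07:49 PM svchost.exe:832 OPEN C:\WINDOWS\System32\tftp.exe.Manifest FILE NOT FOUND Options: Open Access: All
114 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\winlite.exe FILE NOT FOUND Attributes: Error
115 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system32\winlite.exe FILE NOT FOUND Attributes: Error
117 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\system\winlite.exe FILE NOT FOUND Attributes: Error
118 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\winlite.exe FILE NOT FOUND Attributes: Error
121 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\WINDOWS\System32\Wbem\winlite.exe FILE NOT FOUND Attributes: Error
122 4:07:49 PM tftp.exe:4084 QUERY INFORMATION C:\WINDOWS\System32\tftp.exe SUCCESS FileNameInformation
124 4:07:49 PM svchost.exe:832 QUERY INFORMATION C:\PROGRA~1\ULTRAE~1\winlite.exe FILE NOT FOUND Attributes: Error
134 4:07:49 PM Mcshield.exe:1304 OPEN C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf SUCCESS Options: Open Access: All
"""

@dataclass
class Event:
    seq: int
    proc: str      # "image:pid" exactly as FileMon labels the process
    op: str
    path: str
    result: str
    detail: str

def parse_filemon(text):
    """Return the records in sequence order; non-record lines (headers, blanks) are skipped."""
    events = []
    for line in text.splitlines():
        m = FILEMON_RE.match(line.strip())
        if m:
            g = m.groupdict()
            events.append(Event(int(g["seq"]), f'{g["proc"]}:{g["pid"]}', g["op"],
                                g["path"], g["result"], g["detail"] or ""))
    return sorted(events, key=lambda e: e.seq)

def _base(path): return path.rsplit("\\", 1)[-1].lower()
def _dir(path): return path.rsplit("\\", 1)[0].lower()

def find_missing_exe_searches(events, min_dirs=3):
    """One process asking for the same missing .exe in several directories is a
    search-path walk for a binary that is not installed (cf. winlite.exe above)."""
    dirs_by_probe = defaultdict(set)
    for e in events:
        if e.result == "FILE NOT FOUND" and e.op == "QUERY INFORMATION" and _base(e.path).endswith(".exe"):
            dirs_by_probe[(e.proc, _base(e.path))].add(_dir(e.path))
    return [{"process": proc, "name": name, "dirs": sorted(dirs)}
            for (proc, name), dirs in dirs_by_probe.items() if len(dirs) >= min_dirs]

TRANSFER_TOOLS = {"tftp.exe", "ftp.exe"}   # assumption: built-in download clients a service host never needs

def find_servicehost_tool_opens(events):
    return [e for e in events if e.proc.lower().startswith("svchost.exe:") and e.op == "OPEN"
            and e.result == "SUCCESS" and _base(e.path) in TRANSFER_TOOLS]

def find_likely_launches(events):
    """FileMon records no parent pid; infer one from ordering: a process whose image
    another process OPENed (Access: ...) before the new process's first record."""
    first_seen, launches = {}, []
    for e in events:
        if e.proc not in first_seen:
            first_seen[e.proc] = e.seq
            image = e.proc.split(":")[0].lower()
            openers = [o for o in events if o.seq < e.seq and o.op == "OPEN" and o.proc != e.proc
                       and _base(o.path) == image and "Access:" in o.detail]
            if openers:
                launches.append({"process": e.proc, "likely_launcher": openers[-1].proc})
    return launches

def triage(text):
    events = parse_filemon(text)
    searches = find_missing_exe_searches(events)
    tool_opens = find_servicehost_tool_opens(events)
    # Highest confidence: the same service host both walks the path for a missing
    # binary and opens a transfer tool, which is the pattern in the posted log.
    high = {s["process"] for s in searches} & {e.proc for e in tool_opens}
    return {"searches": searches,
            "tool_opens": [{"process": e.proc, "path": e.path} for e in tool_opens],
            "launches": find_likely_launches(events),
            "high_confidence": sorted(high)}

if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_LOG))
```

Run it against a full FileMon export (File > Save) instead of `SAMPLE_LOG`; a legitimate service host does trigger the occasional FILE NOT FOUND, so the `min_dirs` threshold is what separates a single failed lookup from a path walk.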

#11
harrassment

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
G'day OT,

I downloaded and updated the Windows Antispyware Beta and did a full scan and it didn't find anything. No issues with the registry or any files.

I did a search for winlite in regedit and found no entries.

Any suggestions on where else to look (and for what) would be much appreciated.

Cheers

Rod
  • 0

#12
OldTimer

    Global Moderator

  • 3,272 posts
Hi harrassment. Ok, let's do this:

Download getservices.zip and unzip it to its own folder. Double-click on the getservices.bat file and after a few moments Notepad would open up with a log. Copy/paste the entire log back here and let me have a look.

This log will tell us all of the services that are installed on your computer. If winlite is not there (which I suspect) then I have a couple of other places to look.

Cheers.

OT
  • 0
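
As an added example (not code from the thread or from Sysinternals), this parses the PsService listing that getservices.bat produces and answers the question asked here in one pass: does any service record mention winlite, and does any service image live outside the Windows or Program Files trees while running as LocalSystem? The sample listing is constructed from entries like the ones posted further down; the EXAMPLE_Helper entry, its placeholder path and the `WATCHLIST` and `TRUSTED_ROOTS` values are this example's own assumptions.

```python
"""Parse PsService (getservices.bat) output and flag services worth a second look.
Added example; not code from this thread or from Sysinternals."""
import re

# Constructed sample modelled on the listing posted in this thread.  The last
# entry is invented (hence the EXAMPLE_ prefix and placeholder path) to exercise the rules.
SAMPLE_PSSERVICE = r"""
PsService v1.1 - local and remote services viewer/controller

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: McShield
(null)
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : "C:\Program Files\Network Associates\VirusScan\Mcshield.exe"
DISPLAY_NAME : Network Associates McShield
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EXAMPLE_Helper
(null)
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\DOCUME~1\EXAMPLE\LOCALS~1\Temp\winlite.exe -s
DISPLAY_NAME : EXAMPLE Helper
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
"""

FIELD_RE = re.compile(r"^([A-Z_]+)\s*:\s*(.*)$")   # "TYPE : 20 ...", "SERVICE_START_NAME: ..."
CONT_RE = re.compile(r"^:\s*(.*)$")                # continuation line of a multi-value field

def parse_psservice(text):
    """One dict per service; DEPENDENCIES is a list, the rest are strings."""
    services, cur, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            cur = {"SERVICE_NAME": line.split(":", 1)[1].strip(), "DESCRIPTION": "", "DEPENDENCIES": []}
            services.append(cur)
            last_key = None            # the line after SERVICE_NAME is the free-text description
            continue
        if cur is None or not line:
            continue                   # banner lines before the first service, blank separators
        m = CONT_RE.match(line)
        if m and last_key:
            if m.group(1) and last_key == "DEPENDENCIES":
                cur["DEPENDENCIES"].append(m.group(1))
            elif m.group(1):
                cur[last_key] += "; " + m.group(1)   # e.g. the extra FAILURE_ACTIONS lines
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.groups()
            if key == "DEPENDENCIES":
                if val:
                    cur[key].append(val)
            else:
                cur[key] = val
            last_key = key
        elif last_key is None:
            cur["DESCRIPTION"] = line
    return services

def image_path(binary):
    """Strip quotes and arguments: '"C:\\x\\y.exe" /a' or 'C:\\x\\y.exe -k x' -> the .exe path."""
    b = binary.strip()
    if b.startswith('"'):
        return b[1:b.index('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", b, re.IGNORECASE)
    return m.group(1) if m else b.split(" ")[0]

WATCHLIST = ("winlite",)                                   # the name the helper asked about
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")   # assumption: where service images belong

def review_services(services):
    findings = []
    for s in services:
        img = image_path(s.get("BINARY_PATH_NAME", "")).lower()
        haystack = " ".join([s["SERVICE_NAME"], s.get("DISPLAY_NAME", ""), img]).lower()
        reasons = []
        if any(w in haystack for w in WATCHLIST):
            reasons.append("matches watchlist")
        if img and not img.startswith(TRUSTED_ROOTS):
            reasons.append("image outside Windows/Program Files")
            if s.get("SERVICE_START_NAME") == "LocalSystem":
                reasons.append("runs as LocalSystem from that location")
        if reasons:
            findings.append({"service": s["SERVICE_NAME"], "image": img, "reasons": reasons})
    return findings

def mentions(services, term):
    """Service names whose record mentions term anywhere (the 'is winlite there?' check)."""
    term = term.lower()
    return [s["SERVICE_NAME"] for s in services if term in " ".join(map(str, s.values())).lower()]

if __name__ == "__main__":
    svcs = parse_psservice(SAMPLE_PSSERVICE)
    print(mentions(svcs, "winlite"), review_services(svcs))
```

Paste the real getservices log into `SAMPLE_PSSERVICE` (or read it from the file) and run the script; a service hosted in svchost.exe passes the location rule, so the listing alone cannot say which DLL a `-k netsvcs` group loads, which is why the FileMon trace is still needed.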

#13
harrassment

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
G'day OT,

Please see the following log from getservices. I did it whilst connected but not whilst the problem is active, as Notepad won't open when it is. The problem also seems not to be happening all the time, although it soon occurs if tftp.exe is active. I've taken to renaming it to tftp_exe.old for the meantime, although it does have a habit of reappearing even with the version in dllcache renamed as well.

Hope this helps.

Cheers

Harrassment


PsService v1.1 - local and remote services viewer/controller
Copyright © 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alerter
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: ALG
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Layer Gateway Service
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Management
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : AudioGroup
TAG : 0
DISPLAY_NAME : Windows Audio
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Uses idle network bandwidth to transfer data.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Background Intelligent Transfer Service
DEPENDENCIES : LanmanWorkstation
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Computer Browser
DEPENDENCIES : LanmanWorkstation
: LanmanServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: cisvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\cisvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Indexing Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ClipBook
DEPENDENCIES : NetDDE
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: COMSysApp
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COM+ System Application
DEPENDENCIES : rpcss
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 30 seconds
FAILURE_ACTIONS : Restart DELAY: 1000 seconds
: Restart DELAY: 5000 seconds
: None DELAY: 1000 seconds

SERVICE_NAME: CryptSvc
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cryptographic Services
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager Administrative Service
DEPENDENCIES : RpcSs
: PlugPlay
: DmServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager
DEPENDENCIES : RpcSs
: PlugPlay
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: ERSvc
Allows error reporting for services and applictions running in non-standard environments.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Error Reporting Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : Event log
TAG : 0
DISPLAY_NAME : Event Log
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : COM+ Event System
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: FastUserSwitchingCompatibility
Provides management for applications that require assistance in a multiple user environment.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fast User Switching Compatibility
DEPENDENCIES : TermService
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Fax
Enables you to send and receive faxes, utilizing fax resources available on this computer or on the network.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\fxssvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fax
DEPENDENCIES : TapiSrv
: RpcSs
: PlugPlay
: Spooler
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Help and Support
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 100 seconds
: Restart DELAY: 100 seconds
: None DELAY: 100 seconds

SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Human Interface Device Access
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: hwclock
Enables a computer to save and restore system time information using the hardware clock. Stopping or disabling this service will result in system instability.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\hwclock.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Hardware Clock Driver
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : None DELAY: 0 seconds
: None DELAY: 0 seconds
: None DELAY: 0 seconds

SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\imapi.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IMAPI CD-Burning COM Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: InCDsrv
Helper service for the InCD filesystem driver
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Ahead\InCD\InCDsrv.exe
LOAD_ORDER_GROUP : LocalValidation
TAG : 0
DISPLAY_NAME : InCD Helper
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: iPodService
iPod hardware management services
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\iPod\bin\iPodService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : iPod Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Server
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : Workstation
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper
DEPENDENCIES : NetBT
: Afd
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: LPDSVC
Provides a TCP/IP-based printing service that uses the Line Printer protocol.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\tcpsvcs.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : TCP/IP Print Server
DEPENDENCIES : Tcpip
: Spooler
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: McAfeeFramework
Shared component framework for McAfee products
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : McAfee Framework Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: McShield
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Network Associates\VirusScan\Mcshield.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Associates McShield
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: McTaskManager
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Associates Task Manager
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Messenger
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Messenger
DEPENDENCIES : LanmanWorkstation
: NetBIOS
: PlugPlay
: RpcSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: minilog
Writes alert text to a log file.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\ZoneLabs\minilog.exe -service
LOAD_ORDER_GROUP : TrueVector Group
TAG : 0
DISPLAY_NAME : TrueVector Basic Logging Client
DEPENDENCIES : vsmon
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\mnmsrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetMeeting Remote Desktop Sharing
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\msdtc.exe
LOAD_ORDER_GROUP : MS Transactions
TAG : 0
DISPLAY_NAME : Distributed Transaction Coordinator
DEPENDENCIES : RPCSS
: SamSS
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: MSIServer
Installs, repairs and removes software according to instructions contained in .MSI files.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\msiexec.exe /V
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Installer
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP : NetDDEGroup
TAG : 0
DISPLAY_NAME : Network DDE
DEPENDENCIES : NetDDEDSDM
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network DDE DSDM
DEPENDENCIES :
: EGrLocalSystem
: Network DDE DSDM
: etwork DDE
: workService
: Distributed Transaction Coordinator
: Service
: ommb
: 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP : RemoteValidation
TAG : 0
DISPLAY_NAME : Net Logon
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Connections
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Nla
Collects and stores network configuration and location information, and notifies applications when this information changes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Location Awareness (NLA)
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NT LM Security Support Provider
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Removable Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Plug and Play
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IPSEC Services
DEPENDENCIES : RPCSS
: Tcpip
: IPSec
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Protected Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Auto Connection Manager
DEPENDENCIES : RasMan
: Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Connection Manager
DEPENDENCIES : Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RDSessMgr
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Desktop Help Session Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Routing and Remote Access
DEPENDENCIES : RpcSS
: +NetBIOSGroup
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteRegistry
Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Registry
DEPENDENCIES : RPCSS
SERVICE_START_NAME: NT AUTHORITY\LocalService
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Restart DELAY: 1000 seconds

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\locator.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Locator
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
LOAD_ORDER_GROUP : COM Infrastructure
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC)
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\rsvp.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : QoS RSVP
DEPENDENCIES : TcpIp
: Afd
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP : LocalValidation
TAG : 0
DISPLAY_NAME : Security Accounts Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardDrv
Enables support for legacy non-plug and play smart-card readers used by this computer. If this service is stopped, this computer will not support legacy reader. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smart Card Helper
DEPENDENCIES : +Smart Card Reader
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP : SmartCardGroup
TAG : 0
DISPLAY_NAME : Smart Card
DEPENDENCIES : PlugPlay
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : SchedulerGroup
TAG : 0
DISPLAY_NAME : Task Scheduler
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Secondary Logon
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : System Event Notification
DEPENDENCIES : EventSystem
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
DEPENDENCIES : Netman
: NLA
: RasMan
: ALG
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ShellHWDetection
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : Shell Hardware Detection
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: srservice
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : System Restore Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SSDPSRV
Enables discovery of UPnP devices on your home network.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SSDP Discovery Service
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: stisvc
Provides image acquisition services for scanners and cameras.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k imgsvc
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Image Acquisition (WIA)
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SwPrv
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{DA3C59A6-3046-4FDA-AC9F-21BDEC93D4E8}
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MS Software Shadow Copy Provider
DEPENDENCIES : rpcss
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Performance Logs and Alerts
DEPENDENCIES :
SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telephony
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TermService
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Terminal Services
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Themes
Provides user experience theme management.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : UIGroup
TAG : 0
DISPLAY_NAME : Themes
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: TlntSvr
Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\tlntsvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telnet
DEPENDENCIES : RPCSS
: TCPIP
: NTLMSSP
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TrkWks
Maintains links between NTFS files within a computer or across computers in a network domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Distributed Link Tracking Client
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: uploadmgr
Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Upload Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 100 seconds
: Restart DELAY: 100 seconds
: None DELAY: 100 seconds

SERVICE_NAME: upnphost
Provides support to host Universal Plug and Play devices.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Universal Plug and Play Device Host
DEPENDENCIES : SSDPSRV
SERVICE_START_NAME: NT AUTHORITY\LocalService
FAIL_RESET_PERIOD : -1 seconds
FAILURE_ACTIONS : Restart DELAY: 0 seconds

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Uninterruptible Power Supply
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: vsmon
Monitors internet traffic and generates alerts for disallowed access.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
LOAD_ORDER_GROUP : TrueVector Group
TAG : 0
DISPLAY_NAME : TrueVector Internet Monitor
DEPENDENCIES : Afd
: RpcSs
: vsdatant
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Volume Shadow Copy
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: W32Time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.


TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Time
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 5 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : WebClient
DEPENDENCIES : MRxDAV
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: winmgmt
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
: Eventlog
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: WmdmPmSp
Retrieves the serial number of any portable music player connected to your computer
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Portable Media Serial Number
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Wmi
Provides systems management information to and from drivers.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation Driver Extensions
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WmiApSrv
Provides performance library information from WMI HiPerf providers.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\wbem\wmiapsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WMI Performance Adapter
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Automatic Updates
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
Provides automatic configuration for the 802.11 adapters
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wireless Zero Configuration
DEPENDENCIES : RpcSs
: Ndisuio
SERVICE_START_NAME: LocalSystem

#14
OldTimer
    Global Moderator
  • 3,272 posts
Hi harrassment. Well, I don't see anything in services log. Let's do this:

Download Agent Ransack and install it.

Start Agent Ransack and do the following:
  • In the File name box type *.* for all files
  • Check the checkbox for Containing text and type winlite in the textbox
  • In the Look in textbox type c:\windows
  • Click the Start search button to begin the search
Agent Ransack will search every file for the specified term (including binaries) and display each file in the lower left-hand pane. If you click on any file in the left-hand pane it will show the contents of the file in the lower right-hand pane. Post your results back here or click File>Save Search Results and post the results back here and I will review them.

Cheers.

OT
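The search OldTimer asks for (every file under c:\windows, binaries included, for the string winlite) can also be done with a short script, for instance on a disk image mounted read-only for examination when a GUI tool is not at hand. The block below is an added example and is not code from this thread or from Agent Ransack; the scratch directory, file names and file contents it builds for the demonstration are constructed, and the marker string is only the one named in the post. It reads each file in chunks with an overlap so a match straddling a chunk boundary is still reported, and it skips files it cannot open instead of aborting the whole search.

```python
"""Recursive, case-insensitive content search for a marker string in every
file under a directory (text and binary alike).  Added example, not the
forum's or Agent Ransack's own code; the demo tree is constructed below."""
import os
import re
import tempfile
from typing import List, Tuple

Hit = Tuple[str, int, bytes]  # (relative path, byte offset, bytes around the match)


def scan_file(path: str, needle: bytes, context: int = 16,
              chunk_size: int = 1 << 20) -> List[Tuple[int, bytes]]:
    """Scan one file for `needle`, case-insensitively, without slurping it.
    Consecutive chunks overlap by len(needle)-1 bytes, so a match that
    straddles a chunk boundary is found exactly once."""
    pattern = re.compile(re.escape(needle), re.IGNORECASE)
    overlap = len(needle) - 1
    hits: List[Tuple[int, bytes]] = []
    tail = b""
    consumed = 0  # file offset just past the bytes already read
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            buf = tail + block
            base = consumed - len(tail)  # file offset of buf[0]
            # tail is shorter than needle, so no match fits inside the overlap
            # alone: every match in buf is new and not a repeat
            for m in pattern.finditer(buf):
                lo = max(0, m.start() - context)
                hi = min(len(buf), m.end() + context)
                hits.append((base + m.start(), buf[lo:hi]))
            consumed += len(block)
            tail = buf[-overlap:] if overlap else b""
    return hits


def search_tree(root: str, needle: str) -> List[Hit]:
    """Walk `root` (the 'Look in' folder) and collect hits from every regular
    file.  Locked or unreadable files are skipped rather than fatal."""
    raw = needle.encode("ascii")
    found: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                for offset, snippet in scan_file(path, raw):
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    found.append((rel, offset, snippet))
            except OSError:
                continue
    return sorted(found)


def scan_bytes(data: bytes, needle: bytes, chunk_size: int) -> List[int]:
    """Write `data` to a scratch file and return the offsets scan_file reports
    when reading it in chunks of `chunk_size` (exercises the overlap logic)."""
    fd, path = tempfile.mkstemp(prefix="scan_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    try:
        return [off for off, _ in scan_file(path, needle, chunk_size=chunk_size)]
    finally:
        os.unlink(path)


def build_demo_tree() -> str:
    """Constructed sample directory standing in for c:\\windows (assumption)."""
    root = tempfile.mkdtemp(prefix="svcsearch_")
    os.makedirs(os.path.join(root, "system32"))
    # a text log mentioning the marker in mixed case
    with open(os.path.join(root, "setup.log"), "wb") as fh:
        fh.write(b"Installer finished.\nComponent WinLite registered.\n")
    # a binary-looking file with the marker buried between non-text bytes
    with open(os.path.join(root, "system32", "blob.dll"), "wb") as fh:
        fh.write(b"MZ\x90\x00" + bytes(range(256)) + b"winlite" + b"\x00" * 32)
    # an unrelated file that must not match
    with open(os.path.join(root, "system32", "clean.ini"), "wb") as fh:
        fh.write(b"[settings]\nmode=normal\n")
    return root


def demo() -> List[Hit]:
    """Run the search over the constructed tree for the marker from the post."""
    return search_tree(build_demo_tree(), "winlite")


if __name__ == "__main__":
    for rel, offset, snippet in demo():
        print(f"{rel} @ {offset}: {snippet!r}")
```

The byte offset and the surrounding bytes are what you would want in a write-up: they let a reviewer tell a harmless string in a log file from a string embedded in an executable without opening each file by hand.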