
Author Topic: hijackthislog  (Read 36444 times)

Mars

    Topic Starter


    Rookie

    Re: hijackthislog
    « Reply #30 on: July 10, 2010, 09:33:59 PM »
    I think the latest

    Dr Jay

    • Malware Removal Specialist


    • Specialist
    • Moderator emeritus
    • Thanked: 119
    • Experience: Guru
    • OS: Windows 10
    Re: hijackthislog
    « Reply #31 on: July 11, 2010, 10:58:30 PM »
    Download and run SVCHOST Diag.

    Post the log from it when it launches.
    ~Dr Jay

    Mars


      Re: hijackthislog
      « Reply #32 on: July 12, 2010, 06:49:35 PM »
      SVCHOST Diag

      ~~~~~Services loaded under SVCHOST~~~~~

      Image Name:   svchost.exe
      PID:          676
      Services:     DcomLaunch
                    PlugPlay
                    Power

      Image Name:   svchost.exe
      PID:          760
      Services:     RpcEptMapper
                    RpcSs

      Image Name:   svchost.exe
      PID:          980
      Services:     AudioSrv
                    Dhcp
                    eventlog
                    lmhosts
                    wscsvc

      Image Name:   svchost.exe
      PID:          428
      Services:     AudioEndpointBuilder
                    CscService
                    Netman
                    PcaSvc
                    SysMain
                    TrkWks
                    UxSms
                    WdiSystemHost
                    WPDBusEnum
                    wudfsvc

      Image Name:   svchost.exe
      PID:          392
      Services:     AeLookupSvc
                    Appinfo
                    AppMgmt
                    BITS
                    gpsvc
                    IKEEXT
                    iphlpsvc
                    LanmanServer
                    MMCSS
                    ProfSvc
                    Schedule
                    SENS
                    ShellHWDetection
                    Themes
                    Winmgmt
                    wuauserv

      Image Name:   svchost.exe
      PID:          1116
      Services:     EventSystem
                    netprofm
                    nsi
                    WdiServiceHost

      Image Name:   svchost.exe
      PID:          1236
      Services:     CryptSvc
                    Dnscache
                    LanmanWorkstation
                    NlaSvc

      Image Name:   svchost.exe
      PID:          1424
      Services:     BFE
                    DPS
                    MpsSvc

      Image Name:   svchost.exe
      PID:          524
      Services:     stisvc

      Image Name:   svchost.exe
      PID:          2332
      Services:     PolicyAgent

      Image Name:   svchost.exe
      PID:          3152
      Services:     FontCache
                    SSDPSRV
                    upnphost

      ~~~~~Modules loaded under SVCHOST~~~~~

      Image Name:   svchost.exe
      PID:          676
      Modules:      N/A

      Image Name:   svchost.exe
      PID:          760
      Modules:      N/A

      Image Name:   svchost.exe
      PID:          980
      Modules:      N/A

      Image Name:   svchost.exe
      PID:          428
      Modules:      N/A

      Image Name:   svchost.exe
      PID:          392
      Modules:      N/A

      Image Name:   svchost.exe
      PID:          1116
      Modules:      N/A

      Image Name:   svchost.exe
      PID:          1236
      Modules:      N/A

      Image Name:   svchost.exe
      PID:          1424
      Modules:      N/A

      Image Name:   svchost.exe
      PID:          524
      Modules:      N/A

      Image Name:   svchost.exe
      PID:          2332
      Modules:      N/A

      Image Name:   svchost.exe
      PID:          3152
      Modules:      N/A

      ~~~~~SVCHOST service~~~~~

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalService]
      "AuthenticationCapabilities"=dword:00002000
      "CoInitializeSecurityParam"=dword:00000001

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalServiceAndNoImpersonation]
      "AuthenticationCapabilities"=dword:00002000
      "CoInitializeSecurityParam"=dword:00000001

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalServiceNetworkRestricted]
      "CoInitializeSecurityParam"=dword:00000001

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalServiceNoNetwork]
      "CoInitializeSecurityParam"=dword:00000001

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalSystemNetworkRestricted]
      "CoInitializeSecurityParam"=dword:00000001

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs]
      "AuthenticationCapabilities"=dword:00003020
      "CoInitializeSecurityParam"=dword:00000001

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\NetworkService]
      "CoInitializeSecurityParam"=dword:00000001
      "DefaultRpcStackSize"=dword:0000001c

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\NetworkServiceRemoteDesktopHyperVAgent]
      "CoInitializeSecurityParam"=dword:00000001
      "AuthenticationCapabilities"=dword:00002000
      "AuthenticationLevel"=dword:00000006

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\NetworkServiceRemoteDesktopPublishing]
      "CoInitializeSecurityParam"=dword:00000001
      "AuthenticationCapabilities"=dword:00002000
      "AuthenticationLevel"=dword:00000006

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\termsvcs]
      "CoInitializeSecurityParam"=dword:00000001

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\wcssvc]
      "CoInitializeSecurityParam"=dword:00000001
      "CoInitializeSecurityAppID"="{CD11FAB6-1C0E-45e1-BA31-5C6008EF2607}"

      ~~~~~SVCHOST MD5~~~~~

      54A47F6B5E09A77E61649109C6A08866  C:\Windows\system32\svchost.exe

      ~~~~~END OF FILE!~~~~~

      Dr Jay

      Re: hijackthislog
      « Reply #33 on: July 13, 2010, 10:36:39 PM »
      Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
      Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
      Click on View > Select Columns.
      In addition to the already pre-selected options, make sure the Command Line column is selected, and press OK.
      Go to File > Save As, and save the report as Procexp.txt.
      Attach the file to your next reply.
      ~Dr Jay

      Mars


        Re: hijackthislog
        « Reply #34 on: July 14, 2010, 01:31:08 PM »
        .

        [recovering disk space - old attachment deleted by admin]

        Dr Jay

        Re: hijackthislog
        « Reply #35 on: July 15, 2010, 12:59:19 AM »
        Find the svchost.exe that has the highest memory (0,000 K) and click on it so it shows its services.

        Take a screen shot of that, and post it in your next reply.
        ~Dr Jay
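The listing Dr Jay asks for in Reply #33 and Reply #35 (each svchost.exe with its command line, memory use and the services it hosts, highest-memory instance first) can also be produced from PowerShell. This is an added example, not the SVCHOST Diag tool or anything posted in the thread; it goes one step further than the thread's screenshot by also checking each instance's image path and Authenticode signature, and it assumes Windows with PowerShell 4.0 or later, run from an elevated prompt.

```powershell
# Added example, not from the thread: list every running svchost.exe with the
# services it hosts, its command line and working set, and flag instances whose
# image is not the signed binary under System32/SysWOW64 or that host no service.
# Assumes Windows, PowerShell 4.0+ (Get-CimInstance, Get-FileHash), elevated prompt.

$expectedPaths = @(
    (Join-Path $env:windir 'System32\svchost.exe'),
    (Join-Path $env:windir 'SysWOW64\svchost.exe')
)

$svcHosts = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
$services = Get-CimInstance Win32_Service -Filter "State = 'Running'"

$report = foreach ($p in $svcHosts) {
    # Services are tied to their host by ProcessId, the same mapping SVCHOST Diag prints.
    $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId } |
                Select-Object -ExpandProperty Name | Sort-Object)

    $path = $p.ExecutablePath
    # Unsigned, or started from any other directory, is the classic impostor pattern.
    $sigStatus = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NoPath' }
    $pathOk    = $path -and ($expectedPaths -contains $path)   # -contains is case-insensitive

    [pscustomobject]@{
        PID          = $p.ProcessId
        WorkingSetKB = [math]::Round($p.WorkingSetSize / 1KB)   # Process Explorer's memory column
        ServiceCount = $hosted.Count
        Services     = ($hosted -join ', ')
        CommandLine  = $p.CommandLine
        ImagePath    = $path
        Signature    = $sigStatus
        Suspicious   = (-not $pathOk) -or ("$sigStatus" -ne 'Valid') -or ($hosted.Count -eq 0)
    }
}

# Highest-memory instance first, which is the one Reply #35 asks to inspect.
$report | Sort-Object WorkingSetKB -Descending |
    Format-Table PID, WorkingSetKB, ServiceCount, Suspicious, Services -AutoSize

# Full detail for anything that failed a check.
$report | Where-Object { $_.Suspicious } | Format-List PID, ImagePath, Signature, CommandLine

# On-disk hash in the same form as the log's "SVCHOST MD5" line, for comparison
# against a known-good copy from the same Windows build.
Get-FileHash -Algorithm MD5 -LiteralPath $expectedPaths[0] | Format-List Hash, Path
```

On recent Windows 10 builds with more than 3.5 GB of RAM most services run in their own svchost.exe, so many rows will legitimately show a single service; the path and signature columns are the ones that separate a rogue instance from a normal one.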