Registered User
Join Date: Jan 2007
Posts: 22
OS: xp pro
Re: Computer has been hijacked - IE/Firefox inoperable
OK...I went back into services.msc. The service was not listed as Started. I hit Start again and rebooted. Now it's working. I'm on the internet on my laptop right now. I ran CF-querySvc.exe...here's the log:
------ REGISTRY:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
- HTTPFilter - HTTPFilter
- LocalService - Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
- NetworkService - DnsCache
- DcomLaunch - DcomLaunch, TermService
- rpcss - RpcSs
- imgsvc - StiSvc
- termsvcs - TermService
- WudfServiceGroup - WUDFSvc
- netsvcs - 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, wscsvc, xmlprov, BITS, wuauserv, ShellHWDetection, helpsvc, WmdmPmSN
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
------ SVCHOST SERVICES NOT RUNNING
STOPPED: AUTO_START: Browser : Computer Browser
STOPPED: DEMAND_START: AppMgmt : Application Management
STOPPED: DEMAND_START: dmserver : Logical Disk Manager
STOPPED: DEMAND_START: FastUserSwitchingCompatibility : Fast User Switching Compatibility
STOPPED: DEMAND_START: HTTPFilter : HTTP SSL
STOPPED: DEMAND_START: NtmsSvc : Removable Storage
STOPPED: DEMAND_START: RasAuto : Remote Access Auto Connection Manager
STOPPED: DEMAND_START: WmdmPmSN : Portable Media Serial Number Service
STOPPED: DEMAND_START: Wmi : Windows Management Instrumentation Driver Extensions
STOPPED: DEMAND_START: WudfSvc : Windows Driver Foundation - User-mode Driver Framework
STOPPED: DEMAND_START: xmlprov : Network Provisioning Service
STOPPED: DISABLED: Alerter : Alerter
STOPPED: DISABLED: Messenger : Messenger
STOPPED: DISABLED: RemoteAccess : Routing and Remote Access
STOPPED: DISABLED: RemoteRegistry : Remote Registry
STOPPED: DISABLED: SSDPSRV : SSDP Discovery Service
STOPPED: DISABLED: upnphost : Universal Plug and Play Device Host
------ SVCHOST CURRENTLY RUNNING:
1108- C:\WINDOWS\system32\svchost -k DcomLaunch
- DcomLaunch : DCOM Server Process Launcher
- TermService : Terminal Services
1224- C:\WINDOWS\system32\svchost -k rpcss
- RpcSs : Remote Procedure Call (RPC)
1320- C:\WINDOWS\System32\svchost.exe -k netsvcs
- AudioSrv : Windows Audio
- BITS : Background Intelligent Transfer Service
- CryptSvc : Cryptographic Services
- Dhcp : DHCP Client
- ERSvc : Error Reporting Service
- EventSystem : COM+ Event System
- helpsvc : Help and Support
- HidServ : HID Input Service
- lanmanserver : Server
- lanmanworkstation : Workstation
- Netman : Network Connections
- Nla : Network Location Awareness (NLA)
- RasMan : Remote Access Connection Manager
- Schedule : Task Scheduler
- seclogon : Secondary Logon
- SENS : System Event Notification
- SharedAccess : Windows Firewall/Internet Connection Sharing (ICS)
- ShellHWDetection : Shell Hardware Detection
- srservice : System Restore Service
- TapiSrv : Telephony
- Themes : Themes
- TrkWks : Distributed Link Tracking Client
- w32time : Windows Time
- winmgmt : Windows Management Instrumentation
- wscsvc : Security Center
- wuauserv : Automatic Updates
- WZCSVC : Wireless Zero Configuration
1628- C:\WINDOWS\system32\svchost.exe -k NetworkService
- Dnscache : DNS Client
1688- C:\WINDOWS\system32\svchost.exe -k LocalService
- LmHosts : TCP/IP NetBIOS Helper
- WebClient : WebClient
396- C:\WINDOWS\system32\svchost.exe -k imgsvc
- stisvc : Windows Image Acquisition (WIA)
------ SVCHOST SUB-DEPENDENTS
HTTPFilter = 1
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service
upnphost = 1
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service
SSDPSRV = 2
STOPPED: upnphost: Universal Plug and Play Device Host
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service
DMServer = 1
STOPPED: dmadmin: Logical Disk Manager Administrative Service
EventSystem = 1
RUNNING: SENS: System Event Notification
LanmanServer = 1
STOPPED: Browser: Computer Browser
LanmanWorkstation = 5
STOPPED: Alerter: Alerter
STOPPED: Browser: Computer Browser
STOPPED: Messenger: Messenger
STOPPED: Netlogon: Net Logon
STOPPED: RpcLocator: Remote Procedure Call (RPC) Locator
Netman = 1
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
Rasman = 1
STOPPED: RasAuto: Remote Access Auto Connection Manager
Tapisrv = 3
RUNNING: RasMan: Remote Access Connection Manager
STOPPED: Fax: Fax
STOPPED: RasAuto: Remote Access Auto Connection Manager
winmgmt = 2
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
RUNNING: wscsvc: Security Center
TermService = 1
STOPPED: FastUserSwitchingCompatibility: Fast User Switching Compatibility
RpcSs = 55
RUNNING: aawservice: Lavasoft Ad-Aware Service
RUNNING: AudioSrv: Windows Audio
RUNNING: BITS: Background Intelligent Transfer Service
RUNNING: CCALib8: Canon Camera Access Library 8
RUNNING: CryptSvc: Cryptographic Services
RUNNING: ERSvc: Error Reporting Service
RUNNING: EventSystem: COM+ Event System
RUNNING: EvtEng: EvtEng
RUNNING: helpsvc: Help and Support
RUNNING: HidServ: HID Input Service
RUNNING: Netman: Network Connections
RUNNING: PolicyAgent: IPSEC Services
RUNNING: ProtectedStorage: Protected Storage
RUNNING: RasMan: Remote Access Connection Manager
RUNNING: RegSrvc: RegSrvc
RUNNING: S24EventMonitor: Spectrum24 Event Monitor
RUNNING: SamSs: Security Accounts Manager
RUNNING: Schedule: Task Scheduler
RUNNING: SENS: System Event Notification
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
RUNNING: ShellHWDetection: Shell Hardware Detection
RUNNING: Spooler: Print Spooler
RUNNING: srservice: System Restore Service
RUNNING: stisvc: Windows Image Acquisition (WIA)
RUNNING: TapiSrv: Telephony
RUNNING: TermService: Terminal Services
RUNNING: TrkWks: Distributed Link Tracking Client
RUNNING: WinDefend: Windows Defender
RUNNING: winmgmt: Windows Management Instrumentation
RUNNING: WLANKEEPER: WLANKEEPER
RUNNING: wscsvc: Security Center
RUNNING: WZCSVC: Wireless Zero Configuration
STOPPED: CiSvc: Indexing Service
STOPPED: COMSysApp: COM+ System Application
STOPPED: dmadmin: Logical Disk Manager Administrative Service
STOPPED: dmserver: Logical Disk Manager
STOPPED: FastUserSwitchingCompatibility: Fast User Switching Compatibility
STOPPED: Fax: Fax
STOPPED: gusvc: Google Updater Service
STOPPED: iPod Service: iPod Service
STOPPED: LiveUpdate: LiveUpdate
STOPPED: Messenger: Messenger
STOPPED: MSDTC: Distributed Transaction Coordinator
STOPPED: MSIServer: Windows Installer
STOPPED: NtmsSvc: Removable Storage
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RDSessMgr: Remote Desktop Help Session Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: RemoteRegistry: Remote Registry
STOPPED: RSVP: QoS RSVP
STOPPED: SwPrv: MS Software Shadow Copy Provider
STOPPED: TlntSvr: Telnet
STOPPED: VSS: Volume Shadow Copy
STOPPED: WmiApSrv: WMI Performance Adapter
STOPPED: xmlprov: Network Provisioning Service
StiSvc = 1
RUNNING: CCALib8: Canon Camera Access Library 8
TermService = 1
STOPPED: FastUserSwitchingCompatibility: Fast User Switching Compatibility