
Which svchost service is causing a problem?

Anonymous
July 2, 2005 12:16:12 AM

Archived from groups: microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.configuration_manage,microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general

Hi,

In Windows Task Manager an instance of svchost.exe (with a PID number
of 972) is continuously accessing my hard drive at a frequency of just
under once per second.

With the help I got on a related post I've used tasklist.exe to
establish that svchost.exe (PID 972) has the following components:

AudioSrv, BITS, Browser, CryptSvc, Dhcp,
ERSvc, EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, seclogon, SENS, SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt, wscsvc,
wuauserv, WZCSVC

Bearing in mind I'm a novice what I would like to do (subject to
advice!) is disable each service one by one in an attempt to narrow
down the source of the problem?

Would this be a realistic way to go about the problem? If so what
would be the best way to do it & would I need to reboot each time I
disable a service?

Hope you can help :) 

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
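
Added example, not part of the original thread: a Python parser for `tasklist /svc` output that rejoins the wrapped service list of one svchost.exe PID and builds, per service, the `sc config` command that moves it into its own process (so it gets its own PID in Task Manager) plus the command that reverts it. The sample table is constructed (only the PID 972 service list comes from the post), the function names are hypothetical, and it assumes each service tolerates running in its own process.

```python
import re

# Constructed sample in the table layout printed by `tasklist /svc`.
# The PID 972 service list is the one quoted in the post; other rows are made up.
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
svchost.exe                  808 DcomLaunch, TermService
svchost.exe                  972 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 ERSvc, EventSystem, helpsvc, lanmanserver,
                                 lanmanworkstation, Netman, Nla, RasMan,
                                 Schedule, seclogon, SENS, SharedAccess,
                                 ShellHWDetection, srservice, TapiSrv,
                                 Themes, TrkWks, W32Time, winmgmt, wscsvc,
                                 wuauserv, WZCSVC
explorer.exe                1540 N/A
"""

# A process row: image name (may contain spaces), numeric PID, service field.
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")


def _split(field):
    """Split a comma-separated service field, dropping blanks and 'N/A'."""
    names = (part.strip() for part in field.split(","))
    return [n for n in names if n and n != "N/A"]


def parse_tasklist_svc(text):
    """Return [(image, pid, [services])] from `tasklist /svc` table output."""
    entries = []
    in_body = False
    for line in text.splitlines():
        if line.startswith("===="):      # ruler line: the table body starts here
            in_body = True
            continue
        if not in_body or not line.strip():
            continue
        if line[0].isspace():            # wrapped line: belongs to previous row
            if entries:
                entries[-1][2].extend(_split(line))
            continue
        match = ROW.match(line)
        if match:
            entries.append(
                (match["image"], int(match["pid"]), _split(match["svcs"]))
            )
    return entries


def services_for_pid(text, pid):
    """Services hosted by the process with this PID ([] if none or unknown)."""
    for _image, row_pid, services in parse_tasklist_svc(text):
        if row_pid == pid:
            return services
    return []


def isolation_plan(services):
    """Per service: (command to run it in its own process, command to revert).

    The type change applies the next time the service starts. Note the space
    after 'type=' that sc.exe requires.
    """
    return [
        (f"sc config {svc} type= own", f"sc config {svc} type= share")
        for svc in services
    ]


if __name__ == "__main__":
    hosted = services_for_pid(SAMPLE, 972)
    print(f"PID 972 hosts {len(hosted)} services")
    for isolate, revert in isolation_plan(hosted):
        print(f"{isolate:<45} # revert: {revert}")
```

After an isolated service restarts, `tasklist /svc` shows it under a separate svchost.exe PID, so the disk activity can be attributed without disabling anything.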
Anonymous
July 2, 2005 12:16:13 AM

Archived from groups: microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.configuration_manage,microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general

From: "John Latter" <jorolat@tiscali.co.uk>

| Hi,
|
| In Windows Task Manager an instance of svchost.exe (with a PID number
| of 972) is continuously accessing my hard drive at a frequency of just
| under once per second.
|
| With the help I got on a related post I've used tasklist.exe to
| establish that svchost.exe (PID 972) has the following components:
|
| AudioSrv, BITS, Browser, CryptSvc, Dhcp,
| ERSvc, EventSystem, helpsvc, lanmanserver,
| lanmanworkstation, Netman, Nla, RasMan,
| Schedule, seclogon, SENS, SharedAccess,
| ShellHWDetection, srservice, TapiSrv,
| Themes, TrkWks, W32Time, winmgmt, wscsvc,
| wuauserv, WZCSVC
|
| Bearing in mind I'm a novice what I would like to do (subject to
| advice!) is disable each service one by one in an attempt to narrow
| down the source of the problem?
|
| Would this be a realistic way to go about the problem? If so what
| would be the best way to do it & would I need to reboot each time I
| disable a service?
|
| Hope you can help :) 
|
| --
|
| John Latter
|
| Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking
| Stationary-Phase Mutations to the Baldwin Effect. http://members.aol.com/jorolat/TEM.html
|
| 'Where Darwin meets Lamarck?' Discussion Egroup
| http://groups.yahoo.com/group/evomech

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 2, 2005 12:16:13 AM

Archived from groups: microsoft.public.windowsxp.basics,microsoft.public.windowsxp.configuration_manage,microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support

Disabling each and restarting the system will take about as much time as
David's suggestion - I'd say go with his suggestion as it will eliminate
most, if not all, malware on your system. If you go the disable route, once
you isolate the process then you'll have to figure out what's causing it, and
then figure out the fix for it. Dave's way is simpler!

"John Latter" wrote:

> Hi,
>
> In Windows Task Manager an instance of svchost.exe (with a PID number
> of 972) is continuously accessing my hard drive at a frequency of just
> under once per second.
>
> With the help I got on a related post I've used tasklist.exe to
> establish that svchost.exe (PID 972) has the following components:
>
> AudioSrv, BITS, Browser, CryptSvc, Dhcp,
> ERSvc, EventSystem, helpsvc, lanmanserver,
> lanmanworkstation, Netman, Nla, RasMan,
> Schedule, seclogon, SENS, SharedAccess,
> ShellHWDetection, srservice, TapiSrv,
> Themes, TrkWks, W32Time, winmgmt, wscsvc,
> wuauserv, WZCSVC
>
> Bearing in mind I'm a novice what I would like to do (subject to
> advice!) is disable each service one by one in an attempt to narrow
> down the source of the problem?
>
> Would this be a realistic way to go about the problem? If so what
> would be the best way to do it & would I need to reboot each time I
> disable a service?
>
> Hope you can help :) 
>
> --
>
> John Latter
>
> Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
> http://members.aol.com/jorolat/TEM.html
>
> 'Where Darwin meets Lamarck?' Discussion Egroup
> http://groups.yahoo.com/group/evomech
>
Anonymous
July 2, 2005 12:59:26 AM

Archived from groups: microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.configuration_manage,microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general

On Fri, 1 Jul 2005 15:24:41 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "John Latter" <jorolat@tiscali.co.uk>
>
>| Hi,
>|
>| In Windows Task Manager an instance of svchost.exe (with a PID number
>| of 972) is continuously accessing my hard drive at a frequency of just
>| under once per second.
>|
>| With the help I got on a related post I've used tasklist.exe to
>| establish that svchost.exe (PID 972) has the following components:
>|
>| AudioSrv, BITS, Browser, CryptSvc, Dhcp,
>| ERSvc, EventSystem, helpsvc, lanmanserver,
>| lanmanworkstation, Netman, Nla, RasMan,
>| Schedule, seclogon, SENS, SharedAccess,
>| ShellHWDetection, srservice, TapiSrv,
>| Themes, TrkWks, W32Time, winmgmt, wscsvc,
>| wuauserv, WZCSVC
>|
>| Bearing in mind I'm a novice what I would like to do (subject to
>| advice!) is disable each service one by one in an attempt to narrow
>| down the source of the problem?
>|
>| Would this be a realistic way to go about the problem? If so what
>| would be the best way to do it & would I need to reboot each time I
>| disable a service?
>|
>| Hope you can help :) 
>|
>| --
>|
>| John Latter
>|
>| Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking
>| Stationary-Phase Mutations to the Baldwin Effect. http://members.aol.com/jorolat/TEM.html
>|
>| 'Where Darwin meets Lamarck?' Discussion Egroup
>| http://groups.yahoo.com/group/evomech
>
>Dump the contents of the IE Temporary Internet Folder cache (TIF)
>Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>
>Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
>Tools --> Options --> Privacy --> Cache --> Clear
>
>Download MULTI_AV.EXE from the URL --
>http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
>It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
>http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
>(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
>simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
>viruses and various other malware.
>
>C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
>This will bring up the initial menu of choices and should be executed in Normal Mode. This
>way all the components can be downloaded from each AV vendor’s web site.
>The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.
>
>You can choose to go to each menu item and just download the needed files or you can
>download the files and perform a scan in Normal Mode. Once you have downloaded the files
>needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
>during boot] and re-run the menu again and choose which scanner you want to run in Safe
>Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
>When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
>file.
>
>To use this utility, perform the following...
>Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
>Choose; Unzip
>Choose; Close
>
>Execute; C:\AV-CLS\StartMenu.BAT
>{ or Double-click on 'Start Menu' in C:\AV-CLS }
>
>NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
>through your FireWall to allow them to download the needed AV vendor related files.
>
>* * * Please report back your results * * *

Thank you Dave, I won't be able to do anything until the weekend (at
the earliest), and although this kinda stuff is new to me, I'll give
it a go :) 

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
Anonymous
July 2, 2005 8:14:58 AM

Archived from groups: microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.configuration_manage,microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general

On Fri, 1 Jul 2005 15:24:41 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>Download MULTI_AV.EXE from the URL --
>http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
>It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
>http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
>(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
>simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
>viruses and various other malware.

>The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

David, I've run Trend's online scanner before. Worked pretty well.
Is there any difference between running your automated Trend vs
running their web-based app?

Also, I didn't know that Sophos had a web-based (free) scanner, or are
you using the trial version of their resident scanner? If they do
have a web-based version, would you mind posting the URL?
Anonymous
July 2, 2005 9:39:39 AM

Archived from groups: microsoft.public.windowsxp.basics,microsoft.public.windowsxp.configuration_manage,microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support

On Fri, 1 Jul 2005 17:30:01 -0700, usasma
<usasma@discussions.microsoft.com> wrote:

>Disabling each and restarting the system will take about as much time as
>David's suggestion - I'd say go with his suggestion as it will eliminate
>most, if not all, malware on your system. If you go the disable route, once
>you isolate the process then you'll have to figure out what's causing it, and
>then figure out the fix for it. Dave's way is simpler!
>

Being a novice I would be happier disabling things and I was wondering
if something other than malware could be responsible - just a bit
concerned that I might be heading into unknown territory, hit a snag
or two, and end up wasting more time than I can spare at the moment.

Jorolat

>"John Latter" wrote:
>
>> Hi,
>>
>> In Windows Task Manager an instance of svchost.exe (with a PID number
>> of 972) is continuously accessing my hard drive at a frequency of just
>> under once per second.
>>
>> With the help I got on a related post I've used tasklist.exe to
>> establish that svchost.exe (PID 972) has the following components:
>>
>> AudioSrv, BITS, Browser, CryptSvc, Dhcp,
>> ERSvc, EventSystem, helpsvc, lanmanserver,
>> lanmanworkstation, Netman, Nla, RasMan,
>> Schedule, seclogon, SENS, SharedAccess,
>> ShellHWDetection, srservice, TapiSrv,
>> Themes, TrkWks, W32Time, winmgmt, wscsvc,
>> wuauserv, WZCSVC
>>
>> Bearing in mind I'm a novice what I would like to do (subject to
>> advice!) is disable each service one by one in an attempt to narrow
>> down the source of the problem?
>>
>> Would this be a realistic way to go about the problem? If so what
>> would be the best way to do it & would I need to reboot each time I
>> disable a service?
>>
>> Hope you can help :) 
>>
>> --
>>
>> John Latter
>>
>> Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
>> http://members.aol.com/jorolat/TEM.html
>>
>> 'Where Darwin meets Lamarck?' Discussion Egroup
>> http://groups.yahoo.com/group/evomech
>>

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
Anonymous
July 2, 2005 11:17:13 AM

Archived from groups: microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.configuration_manage,microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general

On Fri, 1 Jul 2005 15:24:41 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "John Latter" <jorolat@tiscali.co.uk>
>
>| Hi,
>|
>| In Windows Task Manager an instance of svchost.exe (with a PID number
>| of 972) is continuously accessing my hard drive at a frequency of just
>| under once per second.
>|
>| With the help I got on a related post I've used tasklist.exe to
>| establish that svchost.exe (PID 972) has the following components:
>|
>| AudioSrv, BITS, Browser, CryptSvc, Dhcp,
>| ERSvc, EventSystem, helpsvc, lanmanserver,
>| lanmanworkstation, Netman, Nla, RasMan,
>| Schedule, seclogon, SENS, SharedAccess,
>| ShellHWDetection, srservice, TapiSrv,
>| Themes, TrkWks, W32Time, winmgmt, wscsvc,
>| wuauserv, WZCSVC
>|
>| Bearing in mind I'm a novice what I would like to do (subject to
>| advice!) is disable each service one by one in an attempt to narrow
>| down the source of the problem?
>|
>| Would this be a realistic way to go about the problem? If so what
>| would be the best way to do it & would I need to reboot each time I
>| disable a service?
>|
>| Hope you can help :) 
>|
>| --
>|
>| John Latter
>|
>| Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking
>| Stationary-Phase Mutations to the Baldwin Effect. http://members.aol.com/jorolat/TEM.html
>|
>| 'Where Darwin meets Lamarck?' Discussion Egroup
>| http://groups.yahoo.com/group/evomech
>
>Dump the contents of the IE Temporary Internet Folder cache (TIF)
>Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>
>Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
>Tools --> Options --> Privacy --> Cache --> Clear
>
>Download MULTI_AV.EXE from the URL --
>http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
>It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
>http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
>(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
>simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
>viruses and various other malware.
>
>C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
>This will bring up the initial menu of choices and should be executed in Normal Mode. This
>way all the components can be downloaded from each AV vendor’s web site.
>The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.
>

I appreciate your help David but this program is not for a novice like
me. I didn't know whether I should down all 3 or what so I downloaded
McAfee. I tried to close the command window & windows said it couldn't
be closed but then promptly rebooted the machine. I was asked for my
password to enter windows & as I haven't set one this threw me for a
bit.

I've tried several times, there have been varying amounts of files in
the McAfee folder but they keep disappearing. Having downloaded McAfee
I'm not sure what I'm supposed to do next - and the stuff in the help
file talking about bootable floppies is beyond me.

Jorolat

>You can choose to go to each menu item and just download the needed files or you can
>download the files and perform a scan in Normal Mode. Once you have downloaded the files
>needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
>during boot] and re-run the menu again and choose which scanner you want to run in Safe
>Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
>When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
>file.
>
>To use this utility, perform the following...
>Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
>Choose; Unzip
>Choose; Close
>
>Execute; C:\AV-CLS\StartMenu.BAT
>{ or Double-click on 'Start Menu' in C:\AV-CLS }
>
>NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
>through your FireWall to allow them to download the needed AV vendor related files.
>
>* * * Please report back your results * * *

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
Anonymous
July 2, 2005 1:14:08 PM

Archived from groups: microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.configuration_manage,microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general

From: "John Latter" <jorolat@tiscali.co.uk>


| I appreciate your help David but this program is not for a novice like
| me. I didn't know whether I should down all 3 or what so I downloaded
| McAfee. I tried to close the command window & windows said it couldn't
| be closed but then promptly rebooted the machine. I was asked for my
| password to enter windows & as I haven't set one this threw me for a
| bit.
|
| I've tried several times, there have been varying amounts of files in
| the McAfee folder but they keep disappearing. Having downloaded McAfee
| I'm not sure what I'm supposed to do next - and the stuff in the help
| file talking about bootable floppies is beyond me.
|
| Jorolat
|


I have written the scripts specifically for the novice and not the experienced because each
sub-process is a semi complicated process.

The scripts provide a front end to download the needed files to run the McAfee, Sophos and
Trend Sysclean Command Line Scanners (CLS). The reason I have three scanners is that one
may catch what the others did not.

You do not want to manually close the Command Console window. It is not meant to be
manually closed. The scripts will handle that all for you. If you do, it would log you
off, it shouldn't shut down the PC.

Using McAfee as the example... If you are in Normal Mode then the first thing that will be
performed is to download the McAfee CLS files. It will then ask you if you want to scan now
or not. If you click on "Yes" then it will ask you if you would like to "...scan a
particular folder or location..". You would click on "No" because you want to scan the
whole system. It will then run the McAfee CLS.

If you were to choose to not scan at that time you would be brought back to the menu and the
objective would be to choose the Reboot option. Then you would boot into Safe Mode and run
the "start Menu" process again and choose McAfee and it will scan the computer. The reason
being, cleaning infectors in Safe Mode has a greater efficacy than in Normal Mode.

The Boot Disk information is for the really stubborn infectors where you will need to clean
the PC without the OS running by booting from a DOS Boot Disk or a DOS Boot Disk using
NTFS4DOS. Most users will NOT need to do this but it is an option.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 2, 2005 1:19:50 PM

Archived from groups: microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.configuration_manage,microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general

From: "_RR" <_RR@nomail.org>


|
| David, I've run Trend's online scanner before. Worked pretty well.
| Is there any difference between running your automated Trend vs
| running their web-based app?
|
| Also, I didn't know that Sophos had a web-based (free) scanner, or are
| you using the trial version of their resident scanner? If they do
| have a web-based version, would you mind posting the URL?

The Sysclean utility uses the same Pattern File as the web based scanner. However, since it
is NOT predicated on Internet Explorer and it can be executed in Safe Mode it is more
effective than its Web Based Scanner cousin.

The Sophos scanner used is not trialware. It is an "On Demand" scanner only and not a fully
functioning Windows application that also provides "On Access" scanning capabilities. As
with Sysclean, because it is not predicated on Internet Explorer and it can be executed in
Safe Mode. I am not aware of a Sophos web based scanner.

Below are some web based AV scanners...

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

Symantec:
http://security.symantec.com/

BitDefender:
http://www.bitdefender.com/scan/license.php

Freedom Online scanner:
http://www.freedom.net/viruscenter/index.html

{ note some may detect but not remove such as the McAfee online scanner }


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 2, 2005 1:21:10 PM

Archived from groups: microsoft.public.windowsxp.basics,microsoft.public.windowsxp.configuration_manage,microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support

From: "John Latter" <jorolat@tiscali.co.uk>


| Being a novice I would be happier disabling things and I was wondering
| if something other than malware could be responsible - just a bit
| concerned that I might be heading into unknown territory, hit a snag
| or two, and end up wasting more time than I can spare at the moment.
|
| Jorolat
|

If you are that concerned then you should NOT be questioning what goes on with the OS and
should not be mucking around.

However, malware is the most likely culprit.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 3, 2005 1:06:27 AM

Archived from groups: microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.configuration_manage,microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general

On Sat, 2 Jul 2005 09:14:08 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "John Latter" <jorolat@tiscali.co.uk>
>
>
>| I appreciate your help David but this program is not for a novice like
>| me. I didn't know whether I should down all 3 or what so I downloaded
>| McAfee. I tried to close the command window & windows said it couldn't
>| be closed but then promptly rebooted the machine. I was asked for my
>| password to enter windows & as I haven't set one this threw me for a
>| bit.
>|
>| I've tried several times, there have been varying amounts of files in
>| the McAfee folder but they keep disappearing. Having downloaded McAfee
>| I'm not sure what I'm supposed to do next - and the stuff in the help
>| file talking about bootable floppies is beyond me.
>|
>| Jorolat
>|
>
>
>I have written the scripts specifically for the novice and not the experienced because each
>sub-process is a semi complicated process.
>
>The scripts provide a front end to download the needed files to run the McAfee, Sophos and
>Trend Sysclean Command Line Scanners (CLS). The reason I have three scanners is that one
>may catch what the others did not.
>
>You do not want to manually close the Command Console window. It is not meant to be
>manually closed. The scripts will handle that all for you. If you do, it would log you
>off, it shouldn't shut down the PC.
>
>Using McAfee as the example... If you are in Normal Mode then the first thing that will be
>performed is to download the McAfee CLS files. It will then ask you if you want to scan now
>or not. If you click on "Yes" then it will ask you if you would like to "...scan a
>particular folder or location..". You would click on "No" because you want to scan the
>whole system. It will then run the McAfee CLS.
>
>If you were to choose to not scan at that time you would be brought back to the menu and the
>objective would be to choose the Reboot option. Then you would boot into Safe Mode and run
>the "start Menu" process again and choose McAfee and it will scan the computer. The reason
>being, cleaning infectors in Safe Mode has a greater efficacy than in Normal Mode.
>
>The Boot Disk information is for the really stubborn infectors where you will need to clean
>the PC without the OS running by booting from a DOS Boot Disk or a DOS Boot Disk using
>NTFS4DOS. Most users will NOT need to do this but it is an option.

Thank you David.

This is the scan report of McAfee:

Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /MIME /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: [MR01-G4]
Scanning C:\*.*
C:\Program Files\ICQToolbar\toolbaru.inf ... Found potentially
unwanted program Adware-Softomate.
The file or process has been deleted.
C:\System Volume
Information\_restore{791C461D-AD30-48C5-AF08-8499E0A1490A}\RP2\A0000144.inf
.... Found potentially unwanted program Adware-Softomate.
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 195771
Clean: ................. 195633
Possibly Infected: ..... 0
Cleaned: ............... 0
Deleted: ............... 2
Non-critical Error(s): 3
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:46.46

During the scan there were quite a few files that couldn't be opened
(password protected). I had hoped to save the info but right clicking
on the command window during the scan had no effect. A number of these
files were in the system32 folder. I'm now going to try one of the
other two options and will try and make some notes. Because of the
foregoing I'm not doing safe mode scans yet.

Jorolat

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
Anonymous
July 3, 2005 1:15:04 AM

Archived from groups: microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.configuration_manage,microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general

On Sat, 02 Jul 2005 21:06:27 +0100, John Latter
<jorolat@tiscali.co.uk> wrote:

>On Sat, 2 Jul 2005 09:14:08 -0400, "David H. Lipman"
><DLipman~nospam~@Verizon.Net> wrote:
>
>>From: "John Latter" <jorolat@tiscali.co.uk>
>>
>>
>>| I appreciate your help David but this program is not for a novice like
>>| me. I didn't know whether I should down all 3 or what so I downloaded
>>| McAfee. I tried to close the command window & windows said it couldn't
>>| be closed but then promptly rebooted the machine. I was asked for my
>>| password to enter windows & as I haven't set one this threw me for a
>>| bit.
>>|
>>| I've tried several times, there have been varying amounts of files in
>>| the McAfee folder but they keep disappearing. Having downloaded McAfee
>>| I'm not sure what I'm supposed to do next - and the stuff in the help
>>| file talking about bootable floppies is beyond me.
>>|
>>| Jorolat
>>|
>>
>>
>>I have written the scripts specifically for the novice and not the experienced because each
>>sub-process is a semi complicated process.
>>
>>The scripts provide a front end to download the needed files to run the McAfee, Sophos and
>>Trend Sysclean Command Line Scanners (CLS). The reason I have three scanners is that one
>>may catch what the others did not.
>>
>>You do not want to manually close the Command Console window. It is not meant to be
>>manually closed. The scripts will handle that all for you. If you do, it would log you
>>off, it shouldn't shut down the PC.
>>
>>Using McAfee as the example... If you are in Normal Mode then the first thing that will be
>>performed is to download the McAfee CLS files. It will then ask you if you want to scan now
>>or not. If you click on "Yes" then it will ask you if you would like to "...scan a
>>particular folder or location..". You would click on "No" because you want to scan the
>>whole system. It will then run the McAfee CLS.
>>
>>If you were to choose to not scan at that time you would be brought back to the menu and the
>>objective would be to choose the Reboot option. Then you would boot into Safe Mode and run
>>the "start Menu" process again and choose McAfee and it will scan the computer. The reason
>>being, cleaning infectors in Safe Mode has a greater efficacy than in Normal Mode.
>>
>>The Boot Disk information is for the really stubborn infectors where you will need to clean
>>the PC without the OS running by booting from a DOS Boot Disk or a DOS Boot Disk using
>>NTFS4DOS. Most users will NOT need to do this but it is an option.
>
>Thank you David.
>
>This is the scan report of McAfee:
>
>Options:
>/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
>/PROGRAM /MIME /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
>
>Scanning C: [MR01-G4]
>Scanning C:\*.*
>C:\Program Files\ICQToolbar\toolbaru.inf ... Found potentially
>unwanted program Adware-Softomate.
> The file or process has been deleted.
>C:\System Volume
>Information\_restore{791C461D-AD30-48C5-AF08-8499E0A1490A}\RP2\A0000144.inf
>... Found potentially unwanted program Adware-Softomate.
> The file or process has been deleted.
>
>Summary report on C:\*.*
>File(s)
> Total files: ........... 195771
> Clean: ................. 195633
> Possibly Infected: ..... 0
> Cleaned: ............... 0
> Deleted: ............... 2
>Non-critical Error(s): 3
>Master Boot Record(s): ......... 1
> Possibly Infected: ..... 0
>Boot Sector(s): ................ 1
> Possibly Infected: ..... 0
>
>
>Time: 00:46.46
>
>During the scan there were quite a few files that couldn't be opened
>(password protected). I had hoped to save the info but right clicking
>on the command window during the scan had no effect. A number of these
>files were in the system32 folder. I'm now going to try one of the
>other two options and will try and make some notes. Because of the
>foregoing I'm not doing safe mode scans yet.
>
>Jorolat

I just tried to use Trend but my antivirus (Avast) came up with an
alert saying "C:\AV-CLS\Trend\sysclean.exezz - VBS:Redlof". I don't
know how to bypass this.

Jorolat

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
Anonymous
July 3, 2005 1:15:05 AM

From: "John Latter" <jorolat@tiscali.co.uk>


|
| I just tried to use Trend but my antivirus (Avast) came up with an
| alert saying "C:\AV-CLS\Trend\sysclean.exezz - VBS:Redlof". I don't
| know how to bypass this.
|
| Jorolat
|
| --
|
| John Latter
|
| Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking
| Stationary-Phase Mutations to the Baldwin Effect. http://members.aol.com/jorolat/TEM.html
|
| 'Where Darwin meets Lamarck?' Discussion Egroup
| http://groups.yahoo.com/group/evomech


Disable AVAST. It is a well known and often noted False Positive declaration by AVAST.

BTW: Based upon the time that has lapsed, one would think this would have been corrected by
now !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 3, 2005 1:22:10 AM

I'm just starting to run Sophos now. This is the kind of thing that
McAfee picked up at the beginning of its scan:

Could not open c:\WINDOWS\system32\config\system.LOG

The above line is all that Sophos has displayed so far, the cursor is
spinning but nothing else is happening - I'll give it a few more
minutes!

Jorolat

-

On Sat, 02 Jul 2005 21:15:04 +0100, John Latter
<jorolat@tiscali.co.uk> wrote:

>On Sat, 02 Jul 2005 21:06:27 +0100, John Latter
><jorolat@tiscali.co.uk> wrote:
>
>>On Sat, 2 Jul 2005 09:14:08 -0400, "David H. Lipman"
>><DLipman~nospam~@Verizon.Net> wrote:
>>
>>>From: "John Latter" <jorolat@tiscali.co.uk>
>>>
>>>
>>>| I appreciate your help David but this program is not for a novice like
>>>| me. I didn't know whether I should download all 3 or what so I downloaded
>>>| McAfee. I tried to close the command window & windows said it couldn't
>>>| be closed but then promptly rebooted the machine. I was asked for my
>>>| password to enter windows & as I haven't set one this threw me for a
>>>| bit.
>>>|
>>>| I've tried several times, there have been varying amounts of files in
>>>| the McAfee folder but they keep disappearing. Having downloaded McAfee
>>>| I'm not sure what I'm supposed to do next - and the stuff in the help
>>>| file talking about bootable floppies is beyond me.
>>>|
>>>| Jorolat
>>>|
>>>
>>>
>>>I have written the scripts specifically for the novice and not the experienced because each
>>>sub-process is a semi complicated process.
>>>
>>>The scripts provide a front end to download the needed files to run the McAfee, Sophos and
>>>Trend Sysclean Command Line Scanners (CLS). The reason I have three scanners is that one
>>>may catch what the others did not.
>>>
>>>You do not want to manually close the Command Console window. It is not meant to be
>>>manually closed. The scripts will handle that all for you. If you do, it would log you
>>>off, it shouldn't shutdown the PC.
>>>
>>>Using McAfee as the example... If you are in Normal Mode then the first thing that will be
>>>performed is to download the McAfee CLS files. It will then ask you if you want to scan now
>>>or not. If you click on "Yes" then it will ask you if you would like to "...scan a
>>>particular folder or location..". You would click on "No" because you want to scan the
>>>whole system. It will then run the McAfee CLS.
>>>
>>>If you were to choose to not scan at that time you would be brought back to the menu and the
>>>objective would be to choose the Reboot option. Then you would boot into Safe Mode and run
>>>the "start Menu" process again and choose McAfee and it will scan the computer. The reason
>>>being, cleaning infectors in Safe Mode has a greater efficacy than in Normal Mode.
>>>
>>>The Boot Disk information is for the really stubborn infectors where you will need to clean
>>>the PC without the OS running by booting from a DOS Boot Disk or a DOS Boot Disk using
>>>NTFS4DOS. Most users will NOT need to do this but it is an option.
>>
>>Thank you David.
>>
>>This is the scan report of McAfee:
>>
>>Options:
>>/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
>>/PROGRAM /MIME /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
>>
>>Scanning C: [MR01-G4]
>>Scanning C:\*.*
>>C:\Program Files\ICQToolbar\toolbaru.inf ... Found potentially
>>unwanted program Adware-Softomate.
>> The file or process has been deleted.
>>C:\System Volume
>>Information\_restore{791C461D-AD30-48C5-AF08-8499E0A1490A}\RP2\A0000144.inf
>>... Found potentially unwanted program Adware-Softomate.
>> The file or process has been deleted.
>>
>>Summary report on C:\*.*
>>File(s)
>> Total files: ........... 195771
>> Clean: ................. 195633
>> Possibly Infected: ..... 0
>> Cleaned: ............... 0
>> Deleted: ............... 2
>>Non-critical Error(s): 3
>>Master Boot Record(s): ......... 1
>> Possibly Infected: ..... 0
>>Boot Sector(s): ................ 1
>> Possibly Infected: ..... 0
>>
>>
>>Time: 00:46.46
>>
>>During the scan there were quite a few files that couldn't be opened
>>(password protected). I had hoped to save the info but right clicking
>>on the command window during the scan had no effect. A number of these
>>files were in the system32 folder. I'm now going to try one of the
>>other two options and will try and make some notes. Because of the
>>foregoing I'm not doing safe mode scans yet.
>>
>>Jorolat
>
>I just tried to use Trend but my antivirus (Avast) came up with an
>alert saying "C:\AV-CLS\Trend\sysclean.exezz - VBS:Redlof". I don't
>know how to bypass this.
>
>Jorolat

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
Anonymous
July 3, 2005 1:22:11 AM

From: "John Latter" <jorolat@tiscali.co.uk>

| I'm just starting to run Sophos now. This is the kind of thing that
| McAfee picked up at the beginning of its scan:
|
| Could not open c:\WINDOWS\system32\config\system.LOG
|
| The above line is all that Sophos has displayed so far, the cursor is
| spinning but nothing else is happening - I'll give it a few more
| minutes!
|
| Jorolat
|

The File Handle is held open by the operating system and thus can't be scanned.

Normal operation.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 3, 2005 2:23:32 AM

On Sat, 2 Jul 2005 16:19:15 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "John Latter" <jorolat@tiscali.co.uk>
>
>
>|
>| I just tried to use Trend but my antivirus (Avast) came up with an
>| alert saying "C:\AV-CLS\Trend\sysclean.exezz - VBS:Redlof". I don't
>| know how to bypass this.
>|
>| Jorolat
>|
>| --
>|
>| John Latter
>|
>| Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking
>| Stationary-Phase Mutations to the Baldwin Effect. http://members.aol.com/jorolat/TEM.html
>|
>| 'Where Darwin meets Lamarck?' Discussion Egroup
>| http://groups.yahoo.com/group/evomech
>
>
>Disable AVAST. It is a well known and often noted False Positive declaration by AVAST.
>
>BTW: Based upon the time that has lapsed, one would think this would have been corrected by
>now !

Okay Dave and thank you :)

It's nearly 10.30 pm now so I'll continue in the morning.

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
Anonymous
July 3, 2005 6:48:42 PM

On Sat, 2 Jul 2005 18:05:53 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "John Latter" <jorolat@tiscali.co.uk>
>
>| I'm just starting to run Sophos now. This is the kind of thing that
>| McAfee picked up at the beginning of its scan:
>|
>| Could not open c:\WINDOWS\system32\config\system.LOG
>|
>| The above line is all that Sophos has displayed so far, the cursor is
>| spinning but nothing else is happening - I'll give it a few more
>| minutes!
>|
>| Jorolat
>|
>
>The File Handle is held open by the operating system and thus can't be scanned.
>
>Normal operation.

Hi David,

I've done the Sophos scan in normal mode & these are the results:

Full Scanning

Could not open c:\WINDOWS\system32\config\system.LOG
Could not open c:\WINDOWS\Temp\_avast4_\Webshlock.txt
Could not open c:\WINDOWS\Temp\JET7908.tmp
Could not open c:\WINDOWS\Temp\JET82FB.tmp
Scan aborted by user.

8861 files swept in 10 minutes and 24 seconds.
4 errors were encountered.
No viruses were discovered.
Ending Sophos Anti-Virus.

I've ended up having less spare time than I expected this weekend but
I should be able to do the trend scan in a couple of hours.

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
Anonymous
July 3, 2005 8:24:51 PM

Here are the results of the Trend scan in normal mode:



/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-07-03, 15:43:01, Running scanner "c:\AV-CLS\Trend\TSC.BIN"...
2005-07-03, 15:43:13, Scanner "c:\AV-CLS\Trend\TSC.BIN" has finished
running.
2005-07-03, 15:43:13, TSC Log:

Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows XP(Build 2600: Service Pack 2)

Start time : Sun Jul 03 2005 15:43:02

Load Damage Cleanup Template (DCT) "c:\AV-CLS\Trend\tsc.ptn" (version
618) [success]

Complete time : Sun Jul 03 2005 15:43:13
Execute pattern count(3678), Virus found count(0), Virus clean
count(0), Clean failed count(0)

2005-07-03, 15:44:11, An error occurred while scanning file
"C:\WINDOWS\system32\config\system.LOG": Access is denied.
2005-07-03, 15:44:11, An error occurred while scanning file
"C:\WINDOWS\system32\config\software.LOG": Access is denied.
2005-07-03, 15:44:11, An error occurred while scanning file
"C:\WINDOWS\system32\config\default.LOG": Access is denied.
2005-07-03, 15:44:11, An error occurred while scanning file
"C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2005-07-03, 15:44:11, An error occurred while scanning file
"C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2005-07-03, 15:44:12, An error occurred while scanning file
"C:\WINDOWS\system32\config\DEFAULT": Access is denied.
2005-07-03, 15:44:12, An error occurred while scanning file
"C:\WINDOWS\system32\config\SECURITY": Access is denied.
2005-07-03, 15:44:12, An error occurred while scanning file
"C:\WINDOWS\system32\config\SOFTWARE": Access is denied.
2005-07-03, 15:44:12, An error occurred while scanning file
"C:\WINDOWS\system32\config\SYSTEM": Access is denied.
2005-07-03, 15:44:12, An error occurred while scanning file
"C:\WINDOWS\system32\config\SAM": Access is denied.
2005-07-03, 15:45:28, An error occurred while scanning file
"C:\WINDOWS\Temp\JET8DC8.tmp": Access is denied.
2005-07-03, 15:47:24, An error occurred while scanning file
"C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Access is
denied.
2005-07-03, 15:47:24, An error occurred while scanning file
"C:\Documents and Settings\NetworkService\NTUSER.DAT": Access is
denied.
2005-07-03, 15:47:25, An error occurred while scanning file
"C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-07-03, 15:47:25, An error occurred while scanning file
"C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-07-03, 15:47:25, An error occurred while scanning file
"C:\Documents and Settings\LocalService\ntuser.dat.LOG": Access is
denied.
2005-07-03, 15:47:25, An error occurred while scanning file
"C:\Documents and Settings\LocalService\NTUSER.DAT": Access is denied.
2005-07-03, 15:47:25, An error occurred while scanning file
"C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-07-03, 15:47:25, An error occurred while scanning file
"C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-07-03, 15:47:28, An error occurred while scanning file
"C:\Documents and Settings\John Robert\ntuser.dat.LOG": Access is
denied.
2005-07-03, 15:47:28, An error occurred while scanning file
"C:\Documents and Settings\John Robert\ntuser.dat": Access is denied.
2005-07-03, 15:47:29, An error occurred while scanning file
"C:\Documents and Settings\John Robert\Local
Settings\Temp\Perflib_Perfdata_b08.dat": Access is denied.
2005-07-03, 15:47:37, An error occurred while scanning file
"C:\Documents and Settings\John Robert\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-07-03, 15:47:37, An error occurred while scanning file
"C:\Documents and Settings\John Robert\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-07-03, 15:57:38, Running scanner
"c:\AV-CLS\Trend\VSCANTM.BIN"...
2005-07-03, 16:14:19, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/3/2005 15:57:38
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 711 (104126 Patterns) (2005/06/30) (271100)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND
/LD /LC /LCF /NM /NB C:\*.* /P=c:\AV-CLS\Trend

63883 files have been read.
63883 files have been checked.
50311 files have been scanned.
121689 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/3/2005 16:14:19
---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-03, 16:14:19, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/3/2005 15:57:38
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 711 (104126 Patterns) (2005/06/30) (271100)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND
/LD /LC /LCF /NM /NB C:\*.* /P=c:\AV-CLS\Trend

63883 files have been read.
63883 files have been checked.
50311 files have been scanned.
121689 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/3/2005 16:14:19 16 minutes 41 seconds (1000.41
seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-03, 16:14:19, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/3/2005 15:57:38
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 711 (104126 Patterns) (2005/06/30) (271100)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND
/LD /LC /LCF /NM /NB C:\*.* /P=c:\AV-CLS\Trend

63883 files have been read.
63883 files have been checked.
50311 files have been scanned.
121689 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/3/2005 16:14:19 16 minutes 41 seconds (1000.41
seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-03, 16:14:19, Scanner "c:\AV-CLS\Trend\VSCANTM.BIN" has
finished running.

Should I do safe mode now? Also, I've just looked at the help file
again and I'm not too sure what's involved in a boot scan - mind you,
I'm pushed for time again & I might understand it better later!

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
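
The scanner errors discussed in this thread, as an added example that is not part of any post: a Python sketch that pulls the unreadable paths out of Sophos-style and Trend-style output (rejoining lines wrapped by the mail client) and separates files Windows normally keeps locked from ones worth a second look. The sample log is constructed in the shape of the output above, the `example-unknown.dll` entry is made up, and the category rules are assumptions for Windows XP paths.

```python
import re

# Constructed sample in the shape of the Sophos and Trend output posted above,
# including the line wrapping. The last entry is an invented path.
SAMPLE = r"""
Could not open c:\WINDOWS\system32\config\system.LOG
Could not open c:\WINDOWS\Temp\_avast4_\Webshlock.txt
Could not open c:\WINDOWS\Temp\JET7908.tmp
2005-07-03, 15:44:12, An error occurred while scanning file
"C:\WINDOWS\system32\config\SAM": Access is denied.
2005-07-03, 15:47:25, An error occurred while scanning file
"C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-07-03, 15:47:28, An error occurred while scanning file
"C:\Documents and Settings\John Robert\ntuser.dat": Access is
denied.
2005-07-03, 15:48:02, An error occurred while scanning file
"C:\WINDOWS\system32\example-unknown.dll": Access is denied.
"""

# Trend style: the quoted path and the trailing message may both be wrapped.
TREND_RE = re.compile(
    r'An error occurred while scanning file\s+"([^"]+)":\s+Access\s+is\s+denied\.')
# Sophos style: one path per line (wrapped Sophos paths are not handled).
SOPHOS_RE = re.compile(r'^Could not open (.+?)[ \t\r]*$', re.MULTILINE)

# Assumed rules for XP. Each pattern is anchored on the full path so that a
# look-alike file name in another folder falls through to "review".
PROFILE = r'^[a-z]:\\documents and settings\\[^\\]+\\'
RULES = [
    ("registry hive", re.compile(
        r'^[a-z]:\\windows\\system32\\config\\'
        r'(system|software|default|sam|security)(\.log)?$', re.I)),
    ("profile hive", re.compile(
        PROFILE + r'(ntuser\.dat|local settings\\application data\\'
        r'microsoft\\windows\\usrclass\.dat)(\.log)?$', re.I)),
    ("in-use temp file", re.compile(
        r'^[a-z]:\\windows\\temp\\|' + PROFILE + r'local settings\\temp\\',
        re.I)),
]


def extract_unreadable(text):
    """Return the paths the scanners could not open, in log order."""
    hits = []
    for rx in (TREND_RE, SOPHOS_RE):
        for m in rx.finditer(text):
            # The mail client wrapped at spaces, so a newline becomes a space.
            path = re.sub(r'\s*\n\s*', ' ', m.group(1)).strip()
            hits.append((m.start(), path))
    return [path for _, path in sorted(hits)]


def classify(path):
    """Name the reason a file is expected to be locked, or 'review'."""
    for label, rx in RULES:
        if rx.search(path):
            return label
    return "review"


def triage(text):
    """Group unreadable paths by category."""
    buckets = {label: [] for label, _ in RULES}
    buckets["review"] = []
    for path in extract_unreadable(text):
        buckets[classify(path)].append(path)
    return buckets


if __name__ == "__main__":
    for label, paths in triage(SAMPLE).items():
        print(f"{label}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

A path in one of the expected categories was still not read by the scanner; the category only explains why it was locked.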
Anonymous
July 3, 2005 8:24:52 PM

From: "John Latter" <jorolat@tiscali.co.uk>


| Should I do safe mode now? Also, I've just looked at the help file
| again and I'm not too sure what's involved in a boot scan - mind you,
| I'm pushed for time again & I might understand it better later!
|
| --
|
| John Latter
|
| Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking
| Stationary-Phase Mutations to the Baldwin Effect. http://members.aol.com/jorolat/TEM.html
|
| 'Where Darwin meets Lamarck?' Discussion Egroup
| http://groups.yahoo.com/group/evomech

No. I think you have proven that your PC is clean and it is definitely not a virus !

That's good ;-)

However, now the original problem needs exploration. That problem noted....

"In Windows Task Manager an instance of svchost.exe (with a PID number
of 972) is continuously accessing my hard drive at a frequency of just
under once per second."

The question -- What is the causative factor in all this activity ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 3, 2005 11:27:05 PM

On Sun, 3 Jul 2005 13:34:47 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "John Latter" <jorolat@tiscali.co.uk>
>
>
>| Should I do safe mode now? Also, I've just looked at the help file
>| again and I'm not too sure what's involved in a boot scan - mind you,
>| I'm pushed for time again & I might understand it better later!
>|
>| --
>|
>| John Latter
>|
>| Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking
>| Stationary-Phase Mutations to the Baldwin Effect. http://members.aol.com/jorolat/TEM.html
>|
>| 'Where Darwin meets Lamarck?' Discussion Egroup
>| http://groups.yahoo.com/group/evomech
>
>No. I think you have proven that your PC is clean and it is definitely not a virus !
>
>That's good ;-)
>
>However, now the original problem needs exploration. That problem noted....
>
>"In Windows Task Manager an instance of svchost.exe (with a PID number
>of 972) is continuously accessing my hard drive at a frequency of just
>under once per second."
>
>The question -- What is the causative factor in all this activity ?

Thanks for helping me eliminate malware Dave :) 

Still stuck with the original problem though. I haven't had much time
over the weekend and I'm facing a busy week!

My original post said:

"In Windows Task Manager an instance of svchost.exe (with a PID number
of 972) is continuously accessing my hard drive at a frequency of just
under once per second.

With the help I got on a related post I've used tasklist.exe to
establish that svchost.exe (PID 972) has the following components:

AudioSrv, BITS, Browser, CryptSvc, Dhcp,
ERSvc, EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, seclogon, SENS, SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt, wscsvc,
wuauserv, WZCSVC

Bearing in mind I'm a novice what I would like to do (subject to
advice!) is disable each service one by one in an attempt to narrow
down the source of the problem?"

Apparently there's a way to access services via the commandline (cos
not all are listed in windows) but before I follow that path
(disabling) I ought to find out whether I can do so safely, do I need
to reboot each time, so if anyone has any ideas I'd love to hear
them!

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
Anonymous
July 3, 2005 11:44:04 PM

I haven't seen anything of significance in the event log viewer but
remembering those log files that couldn't be opened during the scans -
are there any that can be viewed that might give some clues?

Jorolat

On Sun, 3 Jul 2005 13:34:47 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "John Latter" <jorolat@tiscali.co.uk>
>
>
>| Should I do safe mode now? Also, I've just looked at the help file
>| again and I'm not too sure what's involved in a boot scan - mind you,
>| I'm pushed for time again & I might understand it better later!
>|
>| --
>|
>| John Latter
>|
>| Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking
>| Stationary-Phase Mutations to the Baldwin Effect. http://members.aol.com/jorolat/TEM.html
>|
>| 'Where Darwin meets Lamarck?' Discussion Egroup
>| http://groups.yahoo.com/group/evomech
>
>No. I think you have proven that your PC is clean and it is definitely not a virus !
>
>That's good ;-)
>
>However, now the original problem needs exploration. That problem noted....
>
>"In Windows Task Manager an instance of svchost.exe (with a PID number
>of 972) is continuously accessing my hard drive at a frequency of just
>under once per second."
>
>The question -- What is the causative factor in all this activity ?

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
Anonymous
July 13, 2005 7:35:25 PM

On Fri, 01 Jul 2005 20:16:12 +0100, John Latter
<jorolat@tiscali.co.uk> wrote:

>Hi,
>
>In Windows Task Manager an instance of svchost.exe (with a PID number
>of 972) is continuously accessing my hard drive at a frequency of just
>under once per second.
>
>With the help I got on a related post I've used tasklist.exe to
>establish that svchost.exe (PID 972) has the following components:
>
>AudioSrv, BITS, Browser, CryptSvc, Dhcp,
>ERSvc, EventSystem, helpsvc, lanmanserver,
>lanmanworkstation, Netman, Nla, RasMan,
>Schedule, seclogon, SENS, SharedAccess,
>ShellHWDetection, srservice, TapiSrv,
>Themes, TrkWks, W32Time, winmgmt, wscsvc,
>wuauserv, WZCSVC
>
>Bearing in mind I'm a novice what I would like to do (subject to
>advice!) is disable each service one by one in an attempt to narrow
>down the source of the problem?
>
>Would this be a realistic way to go about the problem? If so what
>would be the best way to do it & would I need to reboot each time I
>disable a service?
>
>Hope you can help :) 

I've just installed XP slipstreamed with SP2 onto a new hard drive
(but I'm back on the old OS & HDD now) and as soon as I installed the
modem drivers the svchost disc activity started. I uninstalled the
drivers & the problem went away.

I ain't gotta clue why this is so & it'll be a few days before I can
spend some time on it. In the meantime, if anyone has any ideas I'd
be glad to hear them!

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
Anonymous
July 14, 2005 9:45:38 AM

On Fri, 01 Jul 2005 20:16:12 +0100, John Latter
<jorolat@tiscali.co.uk> wrote:

>Hi,
>
>In Windows Task Manager an instance of svchost.exe (with a PID number
>of 972) is continuously accessing my hard drive at a frequency of just
>under once per second.
>
>With the help I got on a related post I've used tasklist.exe to
>establish that svchost.exe (PID 972) has the following components:
>
>AudioSrv, BITS, Browser, CryptSvc, Dhcp,
>ERSvc, EventSystem, helpsvc, lanmanserver,
>lanmanworkstation, Netman, Nla, RasMan,
>Schedule, seclogon, SENS, SharedAccess,
>ShellHWDetection, srservice, TapiSrv,
>Themes, TrkWks, W32Time, winmgmt, wscsvc,
>wuauserv, WZCSVC
>
>Bearing in mind I'm a novice what I would like to do (subject to
>advice!) is disable each service one by one in an attempt to narrow
>down the source of the problem?
>
>Would this be a realistic way to go about the problem? If so what
>would be the best way to do it & would I need to reboot each time I
>disable a service?
>
>Hope you can help :) 

This would account for some of the 'anomalies' associated with the
problem:

"I/O doesn't necessarily refer to your hard drive. Input and output of
data are also part of the normal functioning of your modem, which
would be my guess at the cause of the numbers you are watching."

Hope to have time to look into it further at the weekend.

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech