Can programs hide in Windows 2000?

T

Tony Gilbert

I have been trying for weeks now to track down the source of an apparently
hidden program running on my Win2000 Pro machine. My suspicions were aroused
by a "winlogo" icon (flying windows icon usually indicating a DOS app)
constantly visible in my task switcher panel (alt-tab). It is only there if
other apps
are running (IE, Outlook, Word, etc) and disappears if I close all apps. I
cannot switch to the app.

There is nothing unusual in my Task Manager programs or services - I have
checked each item against known safe lists. I have run Spybot Search and
Destroy over the machine several times, plus Norton Antivirus. I am also
running ZA Pro firewall on medium security. Things do sneak under the
firewall now and then (I just cleaned out Downloadware) but I usually notice
anything that is trying to access the web as ZAP alerts me.

Am I chasing a phantom? Is there another explanation for this odd winlogo
icon that cannot be switched to? Is there somewhere I have not looked yet?
Can a program run in Win 2000 but not be visible in task manager???

TonyG
 
R

Rick

Tony Gilbert said:
I have been trying for weeks now to track down the source of an apparently
hidden program running on my Win2000 Pro machine. My suspicions were aroused
by a "winlogo" icon (flying windows icon usually indicating a DOS app)
constantly visible in my task switcher panel (alt-tab). It is only there if
other apps
are running (IE, Outlook, Word, etc) and disappears if I close all apps. I
cannot switch to the app.

There is nothing unusual in my Task Manager programs or services - I have
checked each item against known safe lists. I have run Spybot Search and
Destroy over the machine several times, plus Norton Antivirus. I am also
running ZA Pro firewall on medium security. Things do sneak under the
firewall now and then (I just cleaned out Downloadware) but I usually notice
anything that is trying to access the web as ZAP alerts me.

Am I chasing a phantom? Is there another explanation for this odd winlogo
icon that cannot be switched to? Is there somewhere I have not looked yet?
Can a program run in Win 2000 but not be visible in task manager???
Click to expand...

Absolutely. Programs can run as a service, device driver etc.
If you want an almost-complete list of startup methods, here
you go:
http://www.diamondcs.com.au/index.php?page=autostarts

Rick
 
S

Steve Parry [MVP]

Tony said:
I have been trying for weeks now to track down the source of an
apparently hidden program running on my Win2000 Pro machine. My
suspicions were aroused by a "winlogo" icon (flying windows icon
usually indicating a DOS app) constantly visible in my task switcher
panel (alt-tab). It is only there if other apps
are running (IE, Outlook, Word, etc) and disappears if I close all
apps. I cannot switch to the app.

There is nothing unusual in my Task Manager programs or services - I
have checked each item against known safe lists. I have run Spybot
Search and Destroy over the machine several times, plus Norton
Antivirus. I am also running ZA Pro firewall on medium security.
Things do sneak under the firewall now and then (I just cleaned out
Downloadware) but I usually notice anything that is trying to access
the web as ZAP alerts me.

Am I chasing a phantom? Is there another explanation for this odd
winlogo icon that cannot be switched to? Is there somewhere I have
not looked yet? Can a program run in Win 2000 but not be visible in
task manager???

TonyG
Click to expand...

If you press
CTRL SHIFT ESC

and select the applications tab what is showing there Tony? Also take a
peek in Processes although a lot of items show there as standard anyway
...
 
T

Tony Gilbert

Hi Steve

When I open Windows Task Manager, the only application showing is my IE
window. There are lots of processes, of course, although I believe I do know
what each of them is (he says confidently)...

System Idle Process
System
hpdev07.exe (psc 700 device driver)
SMSS.exe (Session Manager Subsystem)
CSRSS.exe (C/S Runtime System)
WINLOGON.EXE (Windows Logon Manager)
SERVICES.EXE
LSASS.EXE (Local Security Auth Server)
svchost.exe (3 occurrences)
ccevtmgr.exe (Symantec Event Manager)
spoolsv.exe (Win 2000 print spooler)
BPAloginService (Cable ISP login app)
navapsvc.exe (Norton Antivirus)
nprotect.exe (Norton AV)
nvsvc32.exe (nVidia Driver Helper)
mstask.exe (Task Manager)
vsmon.exe (Zone Alarm Pro component)
taskmgr.exe (Task Manager)
hpoipm07.exe (psc 700 print manager)
iexplore.exe (IE6)
explorer.exe (Windows Explorer)
ccapp.exe (Norton AV)
mmkeybd.exe (Keyboard driver)
cimeter.exe (Crystal Internet Meter)
bpumtray.exe (Cable ISP tracking utility)
acrotray.exe (Adobe Acrobat resident utility)
internat.exe (Keyboard language switcher)
traymon.exe (Task Tray Monitor)
zapro.exe (Zone Alarm Pro)
popupstopper.exe (pop up window killer)
wzqkpick.exe (WinZip resident utility)
remind32.exe (Windows Task Reminder)
hposts07.exe (psc700 scan driver)
hpoevm07.exe (psc700 event manager)
msimn.exe (Outlook Express)

Tony
 
S

Steve Parry [MVP]

In
Tony Gilbert said:
Hi Steve

When I open Windows Task Manager, the only application showing is my
IE window. There are lots of processes, of course, although I believe
I do know what each of them is (he says confidently)...

System Idle Process
System
hpdev07.exe (psc 700 device driver)
SMSS.exe (Session Manager Subsystem)
CSRSS.exe (C/S Runtime System)
WINLOGON.EXE (Windows Logon Manager)
SERVICES.EXE
LSASS.EXE (Local Security Auth Server)
svchost.exe (3 occurrences)
ccevtmgr.exe (Symantec Event Manager)
spoolsv.exe (Win 2000 print spooler)
BPAloginService (Cable ISP login app)
navapsvc.exe (Norton Antivirus)
nprotect.exe (Norton AV)
nvsvc32.exe (nVidia Driver Helper)
mstask.exe (Task Manager)
vsmon.exe (Zone Alarm Pro component)
taskmgr.exe (Task Manager)
hpoipm07.exe (psc 700 print manager)
iexplore.exe (IE6)
explorer.exe (Windows Explorer)
ccapp.exe (Norton AV)
mmkeybd.exe (Keyboard driver)
cimeter.exe (Crystal Internet Meter)
bpumtray.exe (Cable ISP tracking utility)
acrotray.exe (Adobe Acrobat resident utility)
internat.exe (Keyboard language switcher)
traymon.exe (Task Tray Monitor)
zapro.exe (Zone Alarm Pro)
popupstopper.exe (pop up window killer)
wzqkpick.exe (WinZip resident utility)
remind32.exe (Windows Task Reminder)
hposts07.exe (psc700 scan driver)
hpoevm07.exe (psc700 event manager)
msimn.exe (Outlook Express)

Tony
Click to expand...


try killing the program process's one at a time and check to see
if the alt - tab one disappears.

To kill some process's you may need kill.exe from the resource
kit tools that are on the Windows2000 install CD upder the
SUPPORT folder
 
T

Tony Gilbert

Steve Parry said:
In


try killing the program process's one at a time and check to see
if the alt - tab one disappears.

To kill some process's you may need kill.exe from the resource
kit tools that are on the Windows2000 install CD upder the
SUPPORT folder
Click to expand...

Hi Again Steve

I killed all the processes one by one until all I had left were processes
Windows would not let me kill, like CCAPP and NAVAPSVC, plus Explorer. When
I killed Explorer, the DOS icon was gone when the desktop reset itself. I
tried opening a few programs and it did not come back. I am not sure if this
was coincidence or what.

I have rebooted and used TLIST -S to view details of the services running on
the machine.

SERVICES.EXE is running Browser, DHCP, dmserver, Dnscache, Eventlog,
lanmanserver, lanmanworkstation, PlugPlay, ProtectedStorage, seclogon and
Wmi.

SVCHOST.EXE is running EventSystem, Netman, RasAuto, RasMan, SENS,
ShareAccess and TapeSrv. A second SVCHOST.EXE is running wuauserv.

I can't find out much about many of these, so I don't know if they are all
legitimate or not.

Thanks again for your help.

Tony
 
S

Steve Parry [MVP]

In
Tony Gilbert said:
Hi Again Steve

I killed all the processes one by one until all I had left were
processes Windows would not let me kill, like CCAPP and NAVAPSVC,
plus Explorer. When I killed Explorer, the DOS icon was gone when the
desktop reset itself. I tried opening a few programs and it did not
come back. I am not sure if this was coincidence or what.

I have rebooted and used TLIST -S to view details of the services
running on the machine.

SERVICES.EXE is running Browser, DHCP, dmserver, Dnscache, Eventlog,
lanmanserver, lanmanworkstation, PlugPlay, ProtectedStorage, seclogon
and Wmi.

SVCHOST.EXE is running EventSystem, Netman, RasAuto, RasMan, SENS,
ShareAccess and TapeSrv. A second SVCHOST.EXE is running wuauserv.

I can't find out much about many of these, so I don't know if they
are all legitimate or not.

Thanks again for your help.

Tony
Click to expand...


hope this helps

http://support.microsoft.com/default.aspx?scid=kb;en-us;263201

http://support.microsoft.com/default.aspx?scid=kb;en-us;250320
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Strange DOS application in task switcher??? 2
Hide form from Alt-Tab when first run 9
Running a Program in Windows 98 Compatibility Mode 3
explorer crashed, but other programs can still run!! 2
Removable drive locked although no process accessing it 4
Windows 2000 Processes get shortened 1
Programs Menu Startup shortcuts 2
Problem shutting down the machine 6

Top