vssrvc.exe DOS window pops up upon boot up...many times!

Posted on 2008-11-12
Last Modified: 2012-05-05
Upon booting this PC I get numerous DOS windows popping up with the \vssrve.exe trying to start up.
I have run several virus scans and removed several virus/spyware apps, but it still has this issue.

Any help would be appreciated!!
Question by:wayneg12345
    LVL 15

    Expert Comment


    The file is a part of MS virtual server. Hope this link explains more.
    LVL 23

    Expert Comment

    A Hijackthis scan log would help to show what is going on on your pc.

    Download here:

    Download the installer. Click on "Do a system scan and save a logfile". Post the scan log here via the "attach code snippet" box below.

    LVL 18

    Expert Comment

    1. Probably caused by a virus/malware. Does it happen in Safe Mode too?
    It sounds as if you're infected. Try a few of the free, online scans listed


    Author Comment


       Sorry I am so slow getting back with you, but attached is my HJT log file.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:25:23 AM, on 11/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    c:\program files\\agent\mcdetect.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\\VSO\mcvsshld.exe
    C:\Program Files\\VSO\oasclnt.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *;localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\\vso\mcvsshl.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\\agent\mcupdate.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Xpyzzf] C:\WINDOWS\system32\d?dplay.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Bcigy] C:\WINDOWS\system32\M?crosoft.NET\j?vaw.exe
    O4 - HKCU\..\Run: [Valws] "C:\Documents and Settings\Owner\My Documents\s?curity\?canregw.exe"
    O4 - HKCU\..\Run: [Xdel] "C:\Documents and Settings\Owner\My Documents\??mantec\m?config.exe"
    O4 - HKCU\..\Run: [Wcjk] "C:\Program Files\Common Files\s?curity\m?dtc.exe"
    O4 - HKCU\..\Run: [Ulg] "C:\Program Files\Common Files\F?nts\?explore.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
    O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?ddfb74e499b047368c3a6483cc7d840b
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?ddfb74e499b047368c3a6483cc7d840b
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
    O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) -
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) -
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) -
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
    O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} -
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) -
    O20 - AppInit_DLLs: karna.dat
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\\agent\mcdetect.exe
    O23 - Service: McShield (McShield) - McAfee Inc. - c:\PROGRA~1\\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\\Agent\mcupdmgr.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe (file missing)
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
    End of file - 8651 bytes


    LVL 23

    Accepted Solution

    These entries are bad:

    O4 - HKCU\..\Run: [Xpyzzf] C:\WINDOWS\system32\d?dplay.exe
    O4 - HKCU\..\Run: [Ulg] "C:\Program Files\Common Files\F?nts\?explore.exe
    O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} -
    O20 - AppInit_DLLs: karna.dat

    I would recommend scanning with Malwarebytes' Antimalware:

    Download the trial version, update it fully, then click on "Perform a quick scan".  Show results then click on "remove selected". Post the log here.

    I would also run Smitfraudfix:

    Run option 2 in safe mode.  Post the log.

    If you still have problems after that, download and run SDFix:

    It would also be a good idea to reset your hosts file:

    Good luck!!!

    Author Comment


       I have already run Malwarebytes on this PC.

    I will run smitfraud next and post the log.  If smitfraud does not fix it, should I run SDFix before contacting you again?

    Do you want me to remove those entries with HJT??

    LVL 23

    Expert Comment

    If you have run Mbam, could you post the log?

    HJT cannot fix those entries.  If Smitfraud does not help, the next step would be Combofix:

    Please post the smitfraud and combofix logs.  Thanks.

    LVL 47

    Assisted Solution

    Malwarebytes should have removed the O20 entry and its associated files. Did you update Malwarebytes before scanning?
    Purityscan infections below, which combofix should take care of nicely.
    O4 - HKCU\..\Run: [Xpyzzf] C:\WINDOWS\system32\d?dplay.exe
    O4 - HKCU\..\Run: [Bcigy] C:\WINDOWS\system32\M?crosoft.NET\j?vaw.exe
    O4 - HKCU\..\Run: [Valws] "C:\Documents and Settings\Owner\My Documents\s?curity\?canregw.exe
    O4 - HKCU\..\Run: [Xdel] "C:\Documents and Settings\Owner\My Documents\??mantec\m?config.exe"
    O4 - HKCU\..\Run: [Wcjk] "C:\Program Files\Common Files\s?curity\m?dtc.exe"
    O4 - HKCU\..\Run: [Ulg] "C:\Program Files\Common Files\F?nts\?explore.exe"
    Below used to be sign of apropos rootkit, haven't seen apropos in a long time, so must be some other installer.
    O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} -

    Here's also another canned if needed, make sure you turn off antivirus and security shields.

    Please download ComboFix by sUBs:

    You must download it to and run it from your Desktop
    Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
    Re-enable all the programs that were disabled during the running of ComboFix.

    Do not mouse-click combofix's window while it is running. That may cause it to stall.
    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
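
As an added example (not part of any post in this thread and not HijackThis's own code), this Python script triages a HijackThis log for the three kinds of entry the experts marked above: O4 autoruns whose path contains `?`, an O16 DPF control with no class name, and a non-empty O20 AppInit_DLLs value. The function names `triage` and `image_path` are hypothetical, and the three rules are assumptions generalized from this thread's log; `?` is not a legal character in a Windows file name, so in the log it stands for a character the log could not represent.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [Xpyzzf] C:\WINDOWS\system32\d?dplay.exe
O4 - HKCU\..\Run: [Ulg] "C:\Program Files\Common Files\F?nts\?explore.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) -
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} -
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

ENTRY = re.compile(r"^\s*(?P<code>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
RUN = re.compile(r"^(?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})\s*(?P<name>\([^)]*\))?")

def image_path(cmd):
    """Return the quoted executable path, or the whole command if unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd

def triage(log_text):
    """Return (code, reason, line) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue
        code, body, line = m["code"], m["body"], raw.strip()
        if code == "O4":
            # Assumption: '?' in an autorun path marks an unrepresentable character.
            run = RUN.match(body)
            if run and "?" in image_path(run["cmd"]):
                findings.append((code, "unrepresentable character in autorun path", line))
        elif code == "O16":
            dpf = DPF.match(body)
            if dpf and dpf["name"] is None:
                findings.append((code, "ActiveX control with no class name", line))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            # Assumption: any AppInit_DLLs value deserves review, as it loads into most processes.
            if body.split(":", 1)[1].strip():
                findings.append((code, "AppInit_DLLs value is set", line))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

A hit is a prompt for manual review of the file and registry value, not a verdict; legitimate software can also set AppInit_DLLs.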

    LVL 47

    Expert Comment

    I don't know if Smitfraudfix even removes purityscan infection, I would just go for combofix.
    LVL 23

    Expert Comment

    I was thinking that smitfraud would get rid of the karna.dat entry.  I'm surprised mbam didn't pick up the Purityscan files.

    Please could you post a recent mbam scan log.  Thanks.


    Author Comment

    phototropic & rpggamergirl,

    Thank you so much for the time you have spent with me on this virus issue!!  Unfortunately for some reason this virus has developed even more issues.  I can no longer run Malware bytes or any other scan for that case, even in safe mode!!!

    I have decided that it is time to reload the OS and be done with this once and for all.  Since I am new to this forum, can I split the 500 points between the two of you?  I appreciate the time you have spent, and I want to do what is right.

    Please advise what & how is the procedure to accomplish this.

    Thanks again for your time!
    LVL 23

    Expert Comment

    "...I can no longer run Malware bytes or any other scan for that case, even in safe mode!!!..."
    Sometimes it is necessary to rename av apps. (before you download them) in order to get them to run on an infected pc.

    Sorry to hear that we couldn't get on top of this one.  Question closing FAQs here:

