Found a Service that is not Listed

[k0n5t4nt]

Today while going through Black Viper's list of Windows XP SP3 services, and at the same time looking at my services(I use his list as a guide for what I need or don't need).  I found a service in my service list called "User Privilege Service"  it is set to manual and not started.  Also it lists no dependencies. Does anyone know what this is and/or where it may have come from. Is it a spying thing, or is it needed.  I also noticed that it is not in Black Vipers list at all,  telling me it did not come with Windows.  Any feedback would be appreciated.
Thank You

[k0n5t4nt]

apologize for the 2nd post but cannot find edit button.  Here are a couple screens of the service.

(http://i54.photobucket.com/albums/g93/jimikc/UPSPIC.jpg)
(http://i54.photobucket.com/albums/g93/jimikc/UPS2PIC.jpg)

[Black Viper]

apologize for the 2nd post but cannot find edit button.

New members cannot edit posts.
A quick look on Google did not net anything and I have not seen this particular service installed on default configurations.

[couttsj]

What I have been able to find out so far is:
 Category: None
 Company Name: Microsoft Corporations
 Date: 10/8/2004
 Event ID: 7022
 File Name: netevent.dll
 File Version: 5.1.2600.0
 Product Name: Microsoft Windows Operating..
 Product Vers: 5.1.2600.0
 Source: Service Control Manager
 Time: 3:48:58 PM
 Type: None

Svchost.exe is a container used by Microsoft to load .dll based services. You can confirm the name of the file by using the command:
C:\>tasklist /M netevent.dll
at the command prompt. If nothing shows up, then just use tasklist /M and look for the file under one of the svchost listings (it may be a long list).

Once you have confirmed the name of the file, then navigate to it using the Windows Explorer, right button click on it, click properties, and then click the details tab. It should be in the \windows\system32\ directory, and it should list it as a Microsoft file with a version and size.

I don't know what it does yet, but let's just confirm the filename first.

J.A. Coutts

Addendum. Looks like what I found was simply an Event Log entry with reference to netevent.dll not being able to find the service file. Netevent.dll appears to be the library file used to report service problems to the event logger. You still need to find the name of the actual .dll file being loaded under one of the svchost.exe containers. You can use the tasklist program as described above.

[k0n5t4nt]

Ok used the tasklist command and have found the file   netevent.dll
It is in my C:\WINDOWS\system32       folder
also there is another one sitting in C:\pebuilder3110a\BartPE\I386\SYSTEM32  folder

I know what pebuilder is and does it lets me make a bootable CD in case of disaster. 

So hopefully this isn't a bad thing, please correct me if I'm wrong.





 

[couttsj]

Ok used the tasklist command and have found the file   netevent.dll
It is in my C:\WINDOWS\system32       folder
also there is another one sitting in C:\pebuilder3110a\BartPE\I386\SYSTEM32  folder

I know what pebuilder is and does it lets me make a bootable CD in case of disaster. 

So hopefully this isn't a bad thing, please correct me if I'm wrong.

As I said in the addendum to my post, netevent.dll is on every system and is not the file we are looking for. Your original post shows this service being loaded by svchost.exe -k netsvcs. Because we know that Network Manager usually exists in that same group, we can use the command:
tasklist /M /FI "SERVICES eq netman"
to find all the library files in use by that particular process.

But before you do that, it is quite possible that this file is a leftover from a viral infection that you had on your computer sometime in the past. The easy way to confirm that is to try and start the service. If it fails to start, then that is a good indication that it is indeed a leftover. If it starts, then we have some more work to do.

J.A. Coutts

[k0n5t4nt]

Tried starting the service and I get this

Could not start the User Privilege service on Local Computer
Error 1053: The service did not respond to the start or control request in a timely fashion.

I also did the tasklist /m /FI "services eq netman"          command  and this is result

http://s54.photobucket.com/albums/g93/jimikc/?action=view&current=tasklist.jpg

[couttsj]

Tried starting the service and I get this

Could not start the User Privilege service on Local Computer
Error 1053: The service did not respond to the start or control request in a timely fashion.

This confirms that it is not an active service or a dependency is missing, and more than likely it is a leftover from a viral infection. Services are difficult to remove, and must be done via the registry or low level calls to the operating system. Whatever you used to remove the virus was not able to remove the service activation. Unless it bothers you, I would simply disable the service. If it reactivates, then we will have to look deeper.

J.A. Coutts

[k0n5t4nt]

Service disabled. If it reactivates I will post back in this thread. Issue resolved as far as I'm concerned.  I really appreciate you taking time to help me on this. Puts my mind at ease a bit about this service.

Thank You,
Jimi

[couttsj]

All the searches I did on the Internet indicated that this service was part of a random popup generator for Internet Explorer with a service name of "usprserv". You can verify that by looking in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services using regedit. If you find that name, then you should be able to track down the file name & location. More than likely, the file has already been deleted from the disk. If you still want to remove the service, I would try using HiJackThis, as it is much safer than trying to do it manually. HiJackThis uses system calls to perform this magic.

J.A. Coutts

[k0n5t4nt]

used regedit and did a search for  "User Privelage Service"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_USPRSERV\0000     in key DeviceDesc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usprserv                              in key DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_USPRSERV\0000     in key DeviceDesc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\usprserv                              in key DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_USPRSERV\0000     in key DeviceDesc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv                          in key DisplayName


Also here is a HiJack this log.      If anyone has knowledge of this stuff.

BV EDIT: HijackThis log files are not allowed on these forums.

[couttsj]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv


Also here is a HiJack this log.      If anyone has knowledge of this stuff.

BV does not allow posting of HiJackThis logs and will probably delete it. Go to the section in the registry key above, and find the name of the file and it's directory location. Then go to that location and verify that the file has been deleted.

J.A. Coutts

[k0n5t4nt]

Apologize for the hijack log, won't happen again.  Navigated to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv
Under ImagePath it says:

%SystemRoot%\System32\svchost.exe -k netsvcs

searched for this location and it can't find it

[couttsj]

Apologize for the hijack log, won't happen again.  Navigated to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv
Under ImagePath it says:

%SystemRoot%\System32\svchost.exe -k netsvcs

searched for this location and it can't find it

ImagePath only shows the container that it was loaded under. Under Description and perhaps DisplayName, it will show the actual file name. For example, the Remote Access Connection Manager (RasMan) shows:
@%systemroot%\system32\rasmans.dll,-201
%Systemroot% is the system name for what is usually the \Windows\ directory (but can be any directory). The full path name for this file is \windows\system32\rasmans.dll. You will also find this name listed under ServiceDll for the "parameters" key.

J.A. Coutts

[k0n5t4nt]

Ok found the Display Name entry but no Description entry. 
Here is a screen
(http://i54.photobucket.com/albums/g93/jimikc/regedit.jpg)