SVKP - what and where is it?

#1 terrypin (Junior Member)

    While checking Event Viewer I came across this:

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7000
    Description:
    The SVKP service failed to start due to the following error:
    The system cannot find the file specified.

    Googling SVKP got me many threads but left me confused. Is it a
    legitimate service? It's not in my Services list. Is it a trojan, as I see claimed in some threads?

    I can find no file SVKP.SYS anywhere, yet (without really understanding it) I typed this command in Start, Run:

    CMD /K SC QC svkp

    and got this puzzling result:

    SERVICE_NAME: svkp
    TYPE : 1 KERNEL_DRIVER
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : \??\C:\WINDOWS\System32\SVKP.sys
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : SVKP
    DEPENDENCIES :
    SERVICE_START_NAME :

    What on earth is that path '\??\C:\WINDOWS\System32\SVKP.sys' please?

    Any insights would be warmly appreciated please.

    --
    Terry, West Sussex, UK


#2 jephree
    I see you've been in groups already

    http://groups.google.com/groups/sear...YS&qt_s=Search

    All I can add is that it is not an XP file but as you have seen some legitimate programs have said file.

    You could run thru msconfig and selectively test your startups to see what is loading it.

    As to the file path I found this:
    Quoting Alec:
    The reason for the two '??' is sort of a longer story. Basically, there is a whole set of specialized code that runs in ring 0, or "kernel mode", that is collectively referred to as "Executive Services". These executive services range from things like memory management to I/O management to something called the "Object Manager". The object manager is the kernel's method of unifying and organizing the various low-level resources and objects that the kernel needs in order to do its job (i.e., things like processes, threads, files, devices, mutexes aka mutants, etc.). Anyway, the object manager can be sort of thought of as imposing some structure on these objects, kind of like the filesystem on a drive. There is a "directory" in the object manager called "DosDevices" that enumerates devices as they were known in DOS (e.g., LPT:, COM1:, C:, D:). That is, the "C:" reference to the first hard drive that we are all familiar with comes from DOS convention, but isn't necessarily how NT/2000/XP has to refer to the first hard drive. Anyway, the "C:" reference is defined in the object manager under the DosDevices "directory". It turns out that the DosDevices directory is used so much internally that Microsoft eventually just cryptically renamed it "??" so that it would be first in the search path, apparently. It saved a few microseconds per access, I guess.

    The reason those two executables in particular show up with the "??" reference in front of them is likely because they are both what's called "Native" API applications. CSRSS and Winlogon aren't written based upon the Win32 API, since they are in fact each partly responsible for, and run prior to, that API. Rather they are written to a lower-level core Windows NT API. Because of this, they probably somehow make reference to the actual "??" DosDevices object manager entity that causes them to show up in process listings with that on there. You can learn much more on all of this by reading Mark Russinovich (of Sysinternals' fame) & David Solomon's "Windows Internals" book. I'm just sort of reciting what I recall.
    http://www.wilderssecurity.com/showthread.php?t=87980
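
    One way to find every entry in the same state as the svkp one above (an auto-start kernel driver whose configured binary is missing, the condition that produces the Event ID 7000 message in the first post) is given here as an added example; it is not part of the thread. It reads the service entries from the registry, normalises the ImagePath forms, including the "\??\" prefix Alec explains, and reports drivers whose file is absent. It assumes an elevated PowerShell session on Windows; the set of path forms handled is an assumption covering those commonly seen in sc qc output.

```powershell
# Added example, not from the thread: list auto-start kernel drivers whose
# configured binary does not exist on disk. A stale entry left behind by an
# uninstalled program, or a component already removed by an AV product, both
# show up here; each causes Event ID 7000 "cannot find the file specified".

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    # The registry holds the raw ImagePath that sc qc prints. It may carry the
    # object-manager "\??\" prefix (the renamed DosDevices directory), the
    # "\SystemRoot\" alias, or be relative to the Windows directory
    # (e.g. "System32\drivers\foo.sys"). Normalise all three to a Win32 path.
    $p = $ImagePath.Trim('"')
    if ($p.StartsWith('\??\')) {
        $p = $p.Substring(4)
    }
    if ($p.StartsWith('\SystemRoot\', [System.StringComparison]::OrdinalIgnoreCase)) {
        $p = Join-Path $env:SystemRoot $p.Substring(12)
    }
    elseif (-not [System.IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-OrphanedKernelDriver {
    # Type 1 = SERVICE_KERNEL_DRIVER, Start 2 = SERVICE_AUTO_START; these are
    # the same values sc qc shows as "TYPE : 1 KERNEL_DRIVER" and
    # "START_TYPE : 2 AUTO_START".
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath
        if ($svc.Type -ne 1 -or $svc.Start -ne 2 -or -not $svc.ImagePath) { return }
        $resolved = Resolve-DriverImagePath $svc.ImagePath
        if (-not (Test-Path -LiteralPath $resolved)) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                ImagePath = $svc.ImagePath   # raw value, as sc qc reports it
                Resolved  = $resolved        # where the loader would look
            }
        }
    }
}

Get-OrphanedKernelDriver | Format-Table -AutoSize
```

    Run it from a 64-bit PowerShell on 64-bit Windows, otherwise file-system redirection of System32 can make a present driver look missing.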

#3 Tassie Devil (DAL Aussie Contingent)
    I've seen it referred to as a worm as well?
    When first run, W32/Maibot-A copies itself to <System>\lockx.exe and creates the following files:

    <System>\msdirectx.sys
    <System>\svkp.sys
    \xz.bat

    The file xz.bat is detected as Troj/KillProc-A and the file msdirectx.sys is detected as Troj/NtRootK-F.

    svkp.sys is a clean device driver.
    http://www.sophos.com/security/analyses/w32maibota.html

#4 terrypin (Junior Member)
    Thanks both. That explanation of the ?? path prefix, while mainly over my head, was reassuring. I'd begun to suspect that was evidence of an attempt to hide it!

    --
    Terry, West Sussex, UK
