TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Jason on January 07, 2005, 12:05:30 AM

Title: w?nspool.exe
Post by: Jason on January 07, 2005, 12:05:30 AM

I seem to have a problem with what I believe to be a trojan.  I have McAfee virusscan, Ad-Aware, Spyware Doctor, Sbybot S&D, and Stopzilla installed.  When I open IE, Stopzilla blocks a pop-up that it calls w?nspool.exe and identifies it as spyware/adware.  I did some reseach and believe it to be a trojan named autotroj C.  I hope I'm wrong, because I can't get this thing out.  I used Findit and Hackthis.  Findit in safe mode found it and the Hackthis logfile shows "Default URLSearchHook is missing."  I have noticed this is a sign of the "about: blank" hijacker.  I have seen my homepage revert to this a few times.  I have one of my seemingly endless security programs set to disallow any homepage changes.  Any help that anyone could give would be greatly appreciated.   Hackthis logfile and Findit logfile will follow in another post.  I have to restart in safe to generate them.

Title: w?nspool.exe
Post by: guestolo on January 07, 2005, 12:07:34 AM

Don't restart into safe mode, can't you run one in Normal Mode?
That is the preferred
Don't post a Find.bat log unless required

Title: w?nspool.exe
Post by: Jason on January 07, 2005, 12:23:03 AM

here is the Hackthis logfile from normal mode...

Logfile of HijackThis v1.99.0
Scan saved at 11:18:24 PM, on 1/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE
C:\windows\system32\drivers\etc\cpuidle\cpuidle.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm (http://\"http://www.rr.com/flash/index.cfm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CDC4D0D-B744-5EB3-8450-655579872E4C} - C:\WINDOWS\system32\lcve.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\system32\SZIEBHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\ttuh.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab (http://\"http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab\")
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: cpuidle - Unknown - C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: WinFax PRO - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

Title: w?nspool.exe
Post by: guestolo on January 07, 2005, 12:30:09 AM

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad

In Notepad click FILE>>SAVE AS
Leave the Save as type as txt
Name the file as look.bat
Save this on your desktop

Double click on look.bat

Post the results back here the files.txt info

Quote

dir C:\WINDOWS\system32\w?nspool.exe.exe /a h > files.txt
notepad files.txt

Title: w?nspool.exe
Post by: Jason on January 07, 2005, 12:34:20 AM

the notepad window is as follows:


Volume in drive C has no label.
 Volume Serial Number is ECF7-62FD

 Directory of C:\WINDOWS\system32


 Directory of C:\Documents and Settings\Owner\Desktop



the dos window said file not found

Title: w?nspool.exe
Post by: guestolo on January 07, 2005, 12:49:40 AM

I have to make sure that your anti-spyware programs aren't going to get in our way
I need to see the whole infection

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.


Open Spybot
Click on Mode>>Advanced Mode>>Yes
Tools>>System Startup>>>

Uncheck these from running on startup, you can enable them when your clean

O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

Restart your computer to ensure that there not running, as mentioned, they can get in the way of any permanent fixes

Back in Windows,
Do another scan with Hijackthis and put a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {3CDC4D0D-B744-5EB3-8450-655579872E4C} - C:\WINDOWS\system32\lcve.dll

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\ttuh.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART your computer again

Find and delete these files if they exist
C:\Documents and Settings\Owner\Application Data\ttuh.exe <--file
C:\WINDOWS\system32\lcve.dll

Post back with a Fresh hijackthis log afterwards
Don't fix anything else with Hijackthis until I get to see the infection in it's whole

EDIT>>You didn't already try to delete any other files in your System32 folder already have you?
If you tried to delete Winspool.exe and it had a file size on disk of about
4 kb, that was a legitimate file

Title: w?nspool.exe
Post by: Jason on January 07, 2005, 01:14:53 AM

ok sorry it took so long, but I couldn't get Stopzilla to stop starting.  I got it though.

ok.  i did just as you sadi.  when I opened IE to come back to the forum, my home page was "about: blank."
  here is my new hackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 12:08:35 AM, on 1/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE
C:\windows\system32\drivers\etc\cpuidle\cpuidle.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\system32\SZIEBHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab (http://\"http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab\")
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: cpuidle - Unknown - C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: WinFax PRO - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

Title: w?nspool.exe
Post by: guestolo on January 07, 2005, 01:34:18 AM

Does something stop your homepage from changing?
Any of your Anti-Spyware programs?
I can't see what I need to see, Possibly

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O4 - HKLM\..\Run: [abu] abu.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART your computer

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Do a search for this file and delete it if found
abu.exe

Try this again in a different directory

 Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad

In Notepad click FILE>>SAVE AS
Leave the Save as type as txt
Name the file as look.bat
Save this on your desktop

Double click on look.bat

Post the results back here the files.txt info

Quote

dir C:\WINDOWS\system\w?nspool.exe /a h > files.txt
notepad files.txt

Can you Download DLLCompare (http://\"http://downloads.subratam.org/DllCompare.exe\")

Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process.This will take a bit longer.

When it's done click the Make a log of what was found button and post it back here

Post back a fresh Hijackthis log afterwards

Title: w?nspool.exe
Post by: Jason on January 07, 2005, 01:47:55 AM

ok done again.  

DLL Compare:

 *    DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />"
________________________________________________

1,289 items found:  1,289 files, 0 directories.
Total of file sizes:  282,290,939 bytes    269.21 M

Administrator Account =  True

--------------------End log---------------------


look.bat:

 Volume in drive C has no label.
 Volume Serial Number is ECF7-62FD

 Directory of c:\windows\system


 Directory of C:\Documents and Settings\Owner\Desktop


Hijackthis:

Logfile of HijackThis v1.99.0
Scan saved at 12:43:21 AM, on 1/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE
C:\windows\system32\drivers\etc\cpuidle\cpuidle.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\system32\SZIEBHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab (http://\"http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab\")
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: cpuidle - Unknown - C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: WinFax PRO - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

Title: w?nspool.exe
Post by: guestolo on January 07, 2005, 01:57:34 AM

Did you access your Internet options and Reset your home page?

Title: w?nspool.exe
Post by: Jason on January 07, 2005, 02:01:28 AM

yes I did.  I did both in the same click of the mouse.  I accessed it through control panel as you asked me to

Title: w?nspool.exe
Post by: Jason on January 07, 2005, 02:06:27 AM

my homepage is now msn.com

Title: w?nspool.exe
Post by: guestolo on January 07, 2005, 02:44:11 AM

Sorry for the delay Jason
If you want you can fix this entry with Hijackthis
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

It a registration reminder for Creative labs products, not needed on startup, up to you

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as search.reg
Save it on the desktop
This will restore your default urlsearch hooks

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]@="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Double click to open search.reg and let it merge to the Registry

A great utility to help clean your temp folders,cookies, prefetch folder, etc...
Windows Cleanup (http://\"http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe\")
A small download, once it's installed
I like to Restart into safe mode
Open the program and click the CleanUP button, Let it complete the scan--When it prompts you to log off simply Restart back to Normal Mode

You should install these 2 apps., they add extra security while
silently protecting you, without running in the background

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link==Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection


Post back a fresh hijackthis log

How's everything running?

If your still having problems, and you have more than one user on your computer can you post back a log from the other users account also, thanks

Also, if still problems, please supply a log from Find.bat

Title: w?nspool.exe
Post by: Guest_Jason on January 07, 2005, 01:10:54 PM

WOW...  I/m not exactly sure of everything you had me do, but after I reinstalled Stopzilla and put my homepage back to what I use, everything works great.  No more w?nspool.exe seen and blocked in Stopzilla.  No pop-ups at all.  Spyware Blaster got rid of a lot of things I apparently didn't need.  I can't thank you enough.  One quick run of my registry mechanic and I will be done messing with this thing for this problem.  I'm sure there will be another problem down the road, but my computer is working as intended right now.  Thank you again.


P.S.  here is my new and improved HijackThis log:


Logfile of HijackThis v1.99.0
Scan saved at 12:05:12 PM, on 1/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE
C:\windows\system32\drivers\etc\cpuidle\cpuidle.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm (http://\"http://www.rr.com/flash/index.cfm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\system32\SZIEBHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab (http://\"http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab\")
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: cpuidle - Unknown - C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: WinFax PRO - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

  For some reason after I reinstalled Stopzilla, that line O4 - HKLM\..\Run: [abu] abu.exe appeared agin.  I don't know if this is related to Stopzilla or not, but it doesn't seem to be causing any problems now.

Title: w?nspool.exe
Post by: Jason on January 07, 2005, 02:06:43 PM

Registry mechanic cleaned up a bunch of stuff too.
I then ran Sbybot S&D and it found DSO EXPLOIT!  I know this is not a good thing.
I fixed it in S&D and then scanned again.  It found it again.  Apparently thid EXPLOIT can not be effectively removed with Spybot S&D.  It makes the following changes to my registry:  (They all seem to have the same path ending, but in different path beginnings.)


HKEY_USERS\S-1-5-18\software\microsoft\windows\currentversion\internet settings\zones\0\1004! = w = 3

also with the same endings in
 

HKEY_USERS\S-1-5-21-1960408961-1532298954-725345543-1003

HKEY_USERS\S-1-5-20

HKEY_USERS\S-1-5-19

HKEY_USERS\Default

these lines above all end with the same path ending as the first one and all lead to
....zones\0\1004! = w = 3


Any help getting rid of this and my computer will actually be problem free.


                                                   Thanx /blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' />  /unsure.gif\' class=\'bbc_emoticon\' alt=\':unsure:\' />  /wink.gif\' class=\'bbc_emoticon\' alt=\';)\' />  /ohmy.gif\' class=\'bbc_emoticon\' alt=\':o\' />  /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

Title: w?nspool.exe
Post by: Jason on January 07, 2005, 02:47:51 PM

I have noticed now that when I reboot my computer my McAfee Suite (personal firewall, antivirus, and spamkiller)  is patially disabled.  It seems that it loads and enables fine and then something disables my virusscan.   Any clue?

Title: w?nspool.exe
Post by: guestolo on January 09, 2005, 01:42:29 AM

Sorry for the delay Jason
The DSO Exploit is a bug in the Spybot program
You can set Spybot to ignore those entries or just keep fixing them until a permanent fix is out
I know there is a beta fix out, but you may want  to wait for the official release
You could also edit the registry, but it still appears that you are up on your Windows updates and IE has been patched for this issue a long time ago
Read more here
http://www.safer-networking.org/en/faq/36.html (http://\"http://www.safer-networking.org/en/faq/36.html\")


McAfee's problem---When did this start happening?
What version of McAfee's do you have?
Have you been to McAfee's site and ensured that there are no program updates for your version
Especially important after installing Service Pack 2

Could you do me a favor, I've seen abu.exe asked to be removed on so many other logs I didn't look into it close enough

Could you do a search on your computer for that file
Right click on it>>left click properties..Version tab if there is one
Let me know what you can find out about it
What it's related too

You could run it through this online malware scan
http://virusscan.jotti.dhs.org/ (http://\"http://virusscan.jotti.dhs.org/\")
Give the link time to load
Then use the Browse button and navigate to the file
Right click on it and Select it and then use the Submit button
Wait for the Scanner results and post back the findings

Title: w?nspool.exe
Post by: Jason on January 10, 2005, 05:31:31 AM

Here is the Jetti scan of abu.exe:


Service load:  0%        100%  
 
File:  abu.exe  
Status:  OK  
Packers detected:  None
   
AntiVir  No viruses found (0.15 seconds taken)
Avast  No viruses found (1.51 seconds taken)
BitDefender  No viruses found (0.39 seconds taken)
ClamAV  No viruses found (0.36 seconds taken)
Dr.Web  No viruses found (0.53 seconds taken)
F-Prot Antivirus  No viruses found (0.07 seconds taken)
Kaspersky Anti-Virus  No viruses found (0.64 seconds taken)
mks_vir  No viruses found (0.22 seconds taken)
NOD32  No viruses found (0.35 seconds taken)
Norman Virus Control  No viruses found (0.48 seconds taken)


The McAfee question will have to wait until after work for me to have the time to address it.

Title: w?nspool.exe
Post by: guestolo on January 10, 2005, 08:59:45 PM

Could you do a search on your computer for that file
Right click on it>>left click properties..Version tab if there is one
Let me know what you can find out about it
What it's related too

 /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

Title: w?nspool.exe
Post by: Jason on January 11, 2005, 06:31:12 AM

Version 1.0.0.1
  size is 20,480 kb



I can't find any info about it online.  I searched McAfee.com and it is not a know virus.  All the other references I found to it have been in other peoples' hijackthis logs.  I have no idea what it is.

Title: w?nspool.exe
Post by: guestolo on January 11, 2005, 11:04:32 AM

Don't worry too much about it yet Jason

Have you noticed that every log you see on the Internet that has abu.exe in it, also has or had  
Stopzilla installed

That's quite the coincidence

You could try this Jason until I can find further info on it
Make sure that known extensions are not hidden
 * Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.

* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Navigate to abu.exe
Right click on it
Rename abu.exe>>>abu.old

If it prompts you it is being used by another program
Open Task Manager (right click the bottom task bar and select Task Manager)
Stop these processes from running related too Stopzilla
Don't worry, they'll start back up when you restart your computer
C:\Program Files\STOPzilla!\szntsvc.exe
C:\Program Files\STOPzilla!\Stopzilla.exe

Then try renaming abu again

after that is done
Do another scan with Hijackthis, with all other windows closed and fix this line
O4 - HKLM\..\Run: [abu] abu.exe

Restart your computer and post back a fresh log, thanks

Title: w?nspool.exe
Post by: Jason on January 11, 2005, 01:25:12 PM

A few things before I post my log.  First thank you so much for your help.  People helping people is what the internet is supposed to be all about.  With respect to the McAfee problem I was having of the virusscan disabling itself after startup... I removed and then reinstalled the app and now it is fine.  As for the DSO EXPLOIT problem, i downloaded a little app called  "DSO Stop 2"  It removes your vulnerability to this all together.  Apparently microsoft isn't too worried about a fix since they seem to not even mention it.  It still shows up in Spybot, but seems harmless.  I have seen that people manually delete the lines in their registry and not have it seen in Spybot, but honestly I can't even find the lines right now in my hijackthis log.  I renamed abu.exe to abu.old  and there doesn't seem to bany negative effects.  Guess what?  04 - HKLM\..\Run:[abu]abu.exe  doesn't even show up in my hijackthis log anymore.  I don't know why.  Stopzilla works fine.  Anyway, here is my current log:

Logfile of HijackThis v1.99.0
Scan saved at 12:10:15 PM, on 1/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\windows\system32\drivers\etc\cpuidle\cpuidle.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm (http://\"http://www.rr.com/flash/index.cfm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\system32\SZIEBHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab (http://\"http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab\")
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: cpuidle - Unknown - C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity_BackUp - Unknown - C:\WINDOWS\system32\gearsec.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: WinFax PRO - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE



P.S.  My computer seems to spend a little bit more time on the blue shutting down windos screen.  I remember with windows 98 SE some little trick to get windows to start faster.  Does anything like that exist for XP??  I'm guessing that I just have a lot of processes running and it takes longer to shut down as a result.  

        My computer is now clear of everything.  I used the malware detective in Spyware Doctor and it showed 60 items... any way to get rid of these?  I sent a request for help to the techs there.  I'm waiting to hear back.  Thanks again.

Title: w?nspool.exe
Post by: guestolo on January 11, 2005, 10:33:06 PM

Here's some more info I found out about DSO Exploit
This ones been a major pain in the neck for Spybot for quite some time  /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

No need to Worry, as I mentioned, your up on your Windows updates
and this was patched a long time ago by Microsoft......

Quote

The first item on the list: DSO Exploit has been explained so many times and there is so much confusing information out in the forums that it is hard to resume all of this in a concise manner. But here goes:

The DSO Exploit was a problem in the way Windows handled the "My Computer Zone". Microsoft released a patch for this long ago. So if you have an updated Windows, you shouldn't be affected by this exploit. The reason Spybot flags it is simple. Before Microsoft came out with this patch, a security firm came out with a workaround "tweak" of the registry to restrict this Zone. Spybot looks for the implementation of that "tweak". If the tweak is not found, it flags the DSO Exploit object. Normally this shouldn't be a problem, you'd just let Spybot fix it and it implements the workaround, end of topic. The problem with 1.3 is that the workaround is not done properly during fix. Hence why Spybot flags it again. This has been fixed in the code and was tested for a while with version 1.3.1 beta.

Solution for now: Just ignore it. It isn't a problem if your windows is patched. When the next version of Spybot - S&D comes out, it will fix this problem.

On a side note: Both Spyware Doctor and Stopzilla are 2 programs I don't use and don't ususally recommend
Not that there's anything wrong with them---But on most hijackthis forums they're not the ones recommended
As said, I don't know much about either of the programs

But I stick with Ad-Aware and Spybot
For silent Spyware Blockers I have Spyware Blaster and IE-Spyad
For Real time prevention against spyware I use SpywareGuard

System has great startup times and shutdowns
I'm curious where Spyware Doctor is finding these bad guys

Does it make a log of some sorts you can post?

I forgot to ask you about this Jason, you said

Quote

Spyware Blaster got rid of a lot of things I apparently didn't need

That's not really Spywareblasters job, it's job is too set registry entries to control bad Active X installs and cookies and also adds sites to the Restricted Zones
As I said, it's a silent spyware blocker
A great defense....

Also, you may want to try this, mind you latest drivers for Nvidia shouldn't effect none of this, but I remember Long shut downs when Nvidia's Driver Helper Service was running
Here's some more info I found
http://www.iamnotageek.com/a/nvsvc32.exe.php (http://\"http://www.iamnotageek.com/a/nvsvc32.exe.php\")

But for now, just for experimental purposes
Go to START>>RUN>>Type in services.msc and click OK

In the next window, look on the right hand side for this service
name---- NVIDIA Driver Helper Service

Double click on it--- STOP the service

Exit out of there and Shut down the computer
Does it shut down quicker?

Also, I assume this entry in your log has been set on purpose
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com

P.S. I use Firefox as my main browser, so no need for a popup blocker
The wife on the otherhand, can't get her away from IE
We use to use the Google Toolbar on our XP machine, but with Service Pack 2 installed I got rid of it and she says that the integrated popup blocker in IE SP2 does a good job

On my 98SE machine we still use the Google Toolbar, still no popups

Title: w?nspool.exe
Post by: Jason on January 11, 2005, 11:47:25 PM

thanks for the info.  Sorry about not being able to help with abu.exe, but, as you can see, it is no longer a prob.

I'll try what you suggest for the slowdown when, and if, I ever find the time - it's always at a premium.




                                                            Until the next crisis,
                                                                      Jason

Title: w?nspool.exe
Post by: Guest on January 12, 2005, 03:02:14 PM

The reference to iden update was from my cellphone uploader app.  I deleted the reference.  I also deleted the reference to nvidia.  This system still takes just as long to shut down.  It is not a full minute, but just seems slower than it was.

Title: w?nspool.exe
Post by: guestolo on January 16, 2005, 02:40:23 PM

Jason, did you ever get your slow shutdowns figured out?

Post back a fresh log if you still need a hand

Have you tried going into MSCONFIG and disable all unneeded startup entries

This will include your AV software
for troubleshooting purposes

Restart your computer and then try shutting down again

Of course you don't want to be without AV software, as mentioned this is just for troubleshooting purposes
By trial and error you may be able to pinpoint down the program that is causing the problems

Title: w?nspool.exe
Post by: Jason on January 20, 2005, 03:00:09 PM

no, I never figured it out.  I looked in msconfig startup and just my security stuff loads.  I have given up trying to figure it out.  It's not so bad as to tell me that I have an obvious problem.  One question, though.   Any idea why I can't get into internet options under the tools menu from whithin IE?  I have to go into the control panel to delete cookies, delete files, and clear my history.  I have looked in the advanced section of internet options from the control panel, but no good.  It gives me the message "This operation has been cancelled due to restrictions in effect on this computer.  Please contact your system administrator."  I have never seen this before.  Any help would be great.

Title: w?nspool.exe
Post by: Jason on January 20, 2005, 03:03:03 PM

P.S.  what is cpuidle?  It does not say that it is a microsoft item.  it calls the manufacturer unknown.

Title: w?nspool.exe
Post by: guestolo on January 20, 2005, 03:06:30 PM

Your Slowdowns may very well be one of your Security programs

Did you try and disable all of them and then try shutting down
You may have to shutdown twice to notice the difference
The ball's in your court on that one---If your leaving them enabled you may never know if one is the culprit
I don't want you to permanently disable them, but stay disconnected from the Internet and try and figure out which one might be the problem

Disable all Security programs, including the AV
You may be able to track it down....

Also--One of your Security programs has probably disabled you from accessing the Internet options
You will have to enter each one and disable the feature
You have/had so many I couldn't tell you which one without seeing another log

Title: w?nspool.exe
Post by: guestolo on January 20, 2005, 03:48:37 PM

Jason, you have a right to be suspicious about that file
I thought it was harmless because it's not regularly fixed, here's some info on this
O23 - Service: cpuidle - Unknown - C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE

http://www.neuber.com/taskmanager/process/...srvany.exe.html (http://\"http://www.neuber.com/taskmanager/process/srvany.exe.html\")

But, I figured it was ok and didn't look into it enough
I've also found a couple relationships with it to malware

Can you try something for me please
Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/...s/tds3setup.exe (http://\"http://www.diamondcs.com.au/tds/downloads/tds3setup.exe\")
Install it and Restart your computer when prompted
But do not launch it yet

Update it: Right click the link below, select "save link as" or "save target as"
http://www.diamondcs.com.au/tds/radius.td3 (http://\"http://www.diamondcs.com.au/tds/radius.td3\")
Save it to the directory where you installed tds-3
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3

Launch tds-3. In the top bar of tds window click system testing> full system scan.
Let it completely finish scanning
Detections will appear in the lower pane of tds window after the scan is finished ( it'll take a while ) Right click the list> select save as txt.>> save it and post the contents of the scandump.txt here

After posting the scandump go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION

Then reboot and post a fresh hijackthis log

Title: w?nspool.exe
Post by: Jason on January 20, 2005, 09:09:50 PM

here is the scandump.txt:


Scan Control Dumped @ 20:05:00 20-01-05
Positive identification: Riskware.Tool.ServiceRunner.d
  File: c:\windows\system32\drivers\etc\cpuidle\srvany.exe

Positive identification: Riskware.Tool.ServiceRunner.d
  File: c:\windows\system32\drivers\etc\cpuidle\srvany.exe

Positive identification (DLL): TrojanDownloader.Win32.PurityScan.l (dll)
  File: c:\hjt\backups\backup-20050107-000653-283.dll

Positive identification: Adware.Sahat.a Dropper.a
  File: c:\windows\sahagent-mediamotor1002.exe

Positive identification: Adware.Sahat.a Dropper.b
  File: c:\windows\sahagent-mediamotor1003.exe

Positive identification: Riskware.Tool.ServiceRunner.d
  File: c:\windows\system32\drivers\etc\cpuidle\srvany.exe



I will delete all positive identifications.  I will not delete the Hijackthis DLL.  I am not sure if I should or not, so I won't.


P.S.  how can I correct my internet options problem I told you about?

Title: w?nspool.exe
Post by: guestolo on January 20, 2005, 09:18:20 PM

Post a fresh Hijackthis log
After you have restarted the computer

Could you Download and save to desktop ServiceFilter.zip (http://\"http://home.comcast.net/~rand1038/vbscript/ServiceFilter.zip\")
A script by rand1038 that reveals potential unauthorised running services in your system.
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.

Alternate download link for ServiceFilter.zip if that link isn't working

http://www.bleepingcomputer.com/files/wind...rviceFilter.zip (http://\"http://www.bleepingcomputer.com/files/windows/ServiceFilter.zip\")

Title: w?nspool.exe
Post by: Jason on January 20, 2005, 09:48:42 PM

Here is the hijackthis logfile:


Logfile of HijackThis v1.99.0
Scan saved at 8:42:17 PM, on 1/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm (http://\"http://www.rr.com/flash/index.cfm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm (http://\"http://www.rr.com/flash/index.cfm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\system32\SZIEBHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab (http://\"http://www.ipix.com/download/ipixx.cab\")
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab (http://\"http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab\")
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: cpuidle - Unknown - C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity_BackUp - Unknown - C:\WINDOWS\system32\gearsec.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe


I noticed : O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

if I remove this line will I be able to access internet options from within IE??

Title: w?nspool.exe
Post by: guestolo on January 20, 2005, 09:51:59 PM

Yup,

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O23 - Service: cpuidle - Unknown - C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE (file missing)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART your computer
Can you access the Internet options?

Could I also see the log from ServiceFilter>>>Once you Restart your computer

Title: w?nspool.exe
Post by: Jason on January 20, 2005, 09:53:36 PM

Here is the post this.txt:


The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 2
Jan 20, 2005 8:49:22 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: Adobe LM Service
Display Name: Adobe LM Service
Start Mode: Manual
Start Name: LocalSystem
Description: Adobe LM ...
Service Type: Own Process
Path: "c:\program files\common files\adobe systems shared\service\adobelmsvc.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: cpuidle
Display Name: cpuidle
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\drivers\etc\cpuidle\srvany.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: GEARSecurity_BackUp
Display Name: GEARSecurity_BackUp
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: system32\gearsec.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 4
Service Name: MpfService
Display Name: McAfee Personal Firewall Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\mcafee.com\person~1\mpfservice.exe
State: Running
Process ID: 244
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 5
Service Name: MskService
Display Name: McAfee SpamKiller Server
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\mcafee\spamki~1\msksrvr.exe
State: Running
Process ID: 344
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 6
Service Name: STOPzilla Local Service
Display Name: STOPzilla Local Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\stopzilla!\szntsvc.exe /service "stopzilla local service"
State: Running
Process ID: 1276
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #7
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{ec8858a8-0419-45ad-998c-bb33a22d213b}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 8
Service Name: wfxsvc
Display Name: WinFax PRO
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\wfxsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 90 Win32 services on this machine.
8 were unrecognized.

Script Execution Time: 8.40625 seconds.

Title: w?nspool.exe
Post by: guestolo on January 20, 2005, 09:55:14 PM

Thanks Jason, could you do the fixes with Hijackthis  above >>>Restart your computer and then let me see another Service Filter log
Also one last Hijackthis log

Title: w?nspool.exe
Post by: Jason on January 20, 2005, 09:57:39 PM

what fixes do I do with hijackthis?  i assume there is a line refencing each of the above?

Title: w?nspool.exe
Post by: Jason on January 20, 2005, 09:58:24 PM

some of them refer to my security software

Title: w?nspool.exe
Post by: guestolo on January 20, 2005, 09:58:39 PM

Right before you posted the ServiceFilter log I posted another fix with Hijackthis

Title: w?nspool.exe
Post by: Jason on January 20, 2005, 10:09:38 PM

yes the internet options work again.  Here is the post this.txt:


The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 2
Jan 20, 2005 9:03:43 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: Adobe LM Service
Display Name: Adobe LM Service
Start Mode: Manual
Start Name: LocalSystem
Description: Adobe LM ...
Service Type: Own Process
Path: "c:\program files\common files\adobe systems shared\service\adobelmsvc.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: cpuidle
Display Name: cpuidle
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\drivers\etc\cpuidle\srvany.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: GEARSecurity_BackUp
Display Name: GEARSecurity_BackUp
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: system32\gearsec.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 4
Service Name: MpfService
Display Name: McAfee Personal Firewall Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\mcafee.com\person~1\mpfservice.exe
State: Running
Process ID: 328
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 5
Service Name: MskService
Display Name: McAfee SpamKiller Server
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\mcafee\spamki~1\msksrvr.exe
State: Running
Process ID: 456
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 6
Service Name: STOPzilla Local Service
Display Name: STOPzilla Local Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\stopzilla!\szntsvc.exe /service "stopzilla local service"
State: Running
Process ID: 1276
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #7
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{ec8858a8-0419-45ad-998c-bb33a22d213b}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 8
Service Name: wfxsvc
Display Name: WinFax PRO
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\wfxsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 90 Win32 services on this machine.
8 were unrecognized.

Script Execution Time: 3.890625 seconds.



Here is the hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 9:07:06 PM, on 1/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm (http://\"http://www.rr.com/flash/index.cfm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm (http://\"http://www.rr.com/flash/index.cfm\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\system32\SZIEBHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab (http://\"http://www.ipix.com/download/ipixx.cab\")
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab (http://\"http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab\")
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity_BackUp - Unknown - C:\WINDOWS\system32\gearsec.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe

Title: w?nspool.exe
Post by: guestolo on January 20, 2005, 10:25:01 PM

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as cpuidle.reg
Save it on the desktop

Quote

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_cpuidle][-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cpuidle]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_cpuidle]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cpuidle]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_cpuidle]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cpuidle]

Double click on cpuidle.reg and allow to merge

Open Windows CleanUp! and use the Cleanup button
When it's done
Restart your computer one last time and let me see another ServiceFilter log

Can you also see if you can delete this folder
c:\windows\system32\drivers\etc\cpuidle <--folder

Title: w?nspool.exe
Post by: Jason on January 20, 2005, 10:36:17 PM

here os my post this after doing your last step:


The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 2
Jan 20, 2005 9:32:44 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: Adobe LM Service
Display Name: Adobe LM Service
Start Mode: Manual
Start Name: LocalSystem
Description: Adobe LM ...
Service Type: Own Process
Path: "c:\program files\common files\adobe systems shared\service\adobelmsvc.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: cpuidle
Display Name: cpuidle
Start Mode: Unknown
Start Name:
Description: ...
Service Type: Unknown
Path:
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: GEARSecurity_BackUp
Display Name: GEARSecurity_BackUp
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: system32\gearsec.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 4
Service Name: MpfService
Display Name: McAfee Personal Firewall Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\mcafee.com\person~1\mpfservice.exe
State: Running
Process ID: 328
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 5
Service Name: MskService
Display Name: McAfee SpamKiller Server
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\mcafee\spamki~1\msksrvr.exe
State: Running
Process ID: 456
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 6
Service Name: STOPzilla Local Service
Display Name: STOPzilla Local Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\stopzilla!\szntsvc.exe /service "stopzilla local service"
State: Running
Process ID: 1276
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #7
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{ec8858a8-0419-45ad-998c-bb33a22d213b}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 8
Service Name: wfxsvc
Display Name: WinFax PRO
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\wfxsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 90 Win32 services on this machine.
8 were unrecognized.

Script Execution Time: 3.078125 seconds.

Title: w?nspool.exe
Post by: guestolo on January 20, 2005, 10:46:01 PM

http://www.billsway.com/vbspage/ (http://\"http://www.billsway.com/vbspage/\") and scroll down to
Registry Search Tool
Download, unzip and run RegSrch.vbs
Copy and paste this in the dialog box: cpuidle
After a while a prompt will come up.(About 10 seconds) Click OK to write the results to wordpad or notepad and post them

Title: w?nspool.exe
Post by: Jason on January 20, 2005, 10:49:38 PM

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "cpuidle" 1/20/2005 9:46:39 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CPUIDLE]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CPUIDLE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CPUIDLE\0000]
"Service"="cpuidle"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CPUIDLE\0000]
"DeviceDesc"="cpuidle"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CPUIDLE]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CPUIDLE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CPUIDLE\0000]
"Service"="cpuidle"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CPUIDLE\0000]
"DeviceDesc"="cpuidle"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CPUIDLE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CPUIDLE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CPUIDLE\0000]
"Service"="cpuidle"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CPUIDLE\0000]
"DeviceDesc"="cpuidle"

[HKEY_USERS\S-1-5-21-1960408961-1532298954-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"j"="C:\\Documents and Settings\\Owner\\Desktop\\cpuidle.reg"

[HKEY_USERS\S-1-5-21-1960408961-1532298954-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\reg]
"a"="C:\\Documents and Settings\\Owner\\Desktop\\cpuidle.reg"

Title: w?nspool.exe
Post by: guestolo on January 20, 2005, 10:57:41 PM

Not sure why it's still there>>are the Shutdowns getting quicker?

Let's try this again

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as cpuidle2.reg
Save it on the desktop

Quote

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CPUIDLE][-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CPUIDLE]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CPUIDLE]

Restart into safe mode and double click on cpuidle2.reg
and allow to merge

Restart back to Normal mode

Again paste this in the RegSrch.vbs dialog box: CPUIDLE
and post back the results

Title: w?nspool.exe
Post by: Jason on January 20, 2005, 11:05:20 PM

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "CPUIDLE" 1/20/2005 10:01:59 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CPUIDLE]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CPUIDLE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CPUIDLE\0000]
"Service"="cpuidle"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CPUIDLE\0000]
"DeviceDesc"="cpuidle"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CPUIDLE]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CPUIDLE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CPUIDLE\0000]
"Service"="cpuidle"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CPUIDLE\0000]
"DeviceDesc"="cpuidle"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CPUIDLE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CPUIDLE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CPUIDLE\0000]
"Service"="cpuidle"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CPUIDLE\0000]
"DeviceDesc"="cpuidle"

[HKEY_USERS\S-1-5-21-1960408961-1532298954-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"e"="C:\\Documents and Settings\\Owner\\Desktop\\cpuidle2.reg"

[HKEY_USERS\S-1-5-21-1960408961-1532298954-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"j"="C:\\Documents and Settings\\Owner\\Desktop\\cpuidle.reg"

[HKEY_USERS\S-1-5-21-1960408961-1532298954-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\reg]
"a"="C:\\Documents and Settings\\Owner\\Desktop\\cpuidle.reg"

[HKEY_USERS\S-1-5-21-1960408961-1532298954-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\reg]
"b"="C:\\Documents and Settings\\Owner\\Desktop\\cpuidle2.reg"


it seems to still be there

Title: w?nspool.exe
Post by: guestolo on January 20, 2005, 11:21:29 PM

Were you able to delete this subfolder?
c:\windows\system32\drivers\etc\cpuidle

Are the shutdowns a bit quicker?

Let me find some more info on cpuidle in that location
Cpuidle should be running from the Program Files folder

Title: w?nspool.exe
Post by: Jason on January 20, 2005, 11:28:06 PM

I was able to delete that folder.  shut downs seem to be the same.

It's getting late.  I need to go to bed now.  I will get back to the board as soon as I can.  Thanx again.  


P.S.  how did you learn so much about this?

Title: w?nspool.exe
Post by: guestolo on January 21, 2005, 12:41:59 AM

Try this when you get a chance Jason
May be best to try in Safe mode

Go to Start>Run and typeregedit

Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CPUIDLE

Left click once to highlight LEGACY_CPUIDLE
and then Right click and delete it

Do the same for
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CPUIDLE

and
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CPUIDLE

Remember your just out to Delete the Legacy_CPUIDLE entries

Exit Registry Editor

If you have trouble deleting a key. Then click once on the key name to highlight it and click on the Permissions
Under the Security tab>>Advanced
Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.

Title: w?nspool.exe
Post by: Jason on January 21, 2005, 06:59:16 PM

O.K.  I did as you instructed me to and here is the Service Filter Log:

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 2
Jan 21, 2005 5:53:57 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: Adobe LM Service
Display Name: Adobe LM Service
Start Mode: Manual
Start Name: LocalSystem
Description: Adobe LM ...
Service Type: Own Process
Path: "c:\program files\common files\adobe systems shared\service\adobelmsvc.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: GEARSecurity_BackUp
Display Name: GEARSecurity_BackUp
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: system32\gearsec.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: MpfService
Display Name: McAfee Personal Firewall Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\mcafee.com\person~1\mpfservice.exe
State: Running
Process ID: 756
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 4
Service Name: MskService
Display Name: McAfee SpamKiller Server
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\mcafee\spamki~1\msksrvr.exe
State: Running
Process ID: 876
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 5
Service Name: STOPzilla Local Service
Display Name: STOPzilla Local Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\stopzilla!\szntsvc.exe /service "stopzilla local service"
State: Running
Process ID: 1276
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #6
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{ec8858a8-0419-45ad-998c-bb33a22d213b}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 7
Service Name: wfxsvc
Display Name: WinFax PRO
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\wfxsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---


It seems to be gone now.  I will run Cleanit! and reboot.  I will then run a regsearch and post the results back.