Author Topic: w?nspool.exe  (Read 3363 times)

Offline guestolo

« Reply #20 on: January 11, 2005, 11:04:32 AM »
Don't worry too much about it yet Jason

Have you noticed that every log you see on the Internet that has abu.exe in it also has or had Stopzilla installed?

That's quite the coincidence

You could try this Jason until I can find further info on it
Make sure that known extensions are not hidden
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Navigate to abu.exe
Right click on it
Rename abu.exe>>>abu.old

If it prompts you it is being used by another program
Open Task Manager (right click the bottom task bar and select Task Manager)
Stop these processes from running related to Stopzilla
Don't worry, they'll start back up when you restart your computer
C:\Program Files\STOPzilla!\szntsvc.exe
C:\Program Files\STOPzilla!\Stopzilla.exe

Then try renaming abu again

after that is done
Do another scan with Hijackthis, with all other windows closed and fix this line
O4 - HKLM\..\Run: [abu] abu.exe

Restart your computer and post back a fresh log, thanks

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Jason

« Reply #21 on: January 11, 2005, 01:25:12 PM »
A few things before I post my log.  First, thank you so much for your help.  People helping people is what the internet is supposed to be all about.  With respect to the McAfee problem I was having of the virusscan disabling itself after startup... I removed and then reinstalled the app and now it is fine.  As for the DSO EXPLOIT problem, I downloaded a little app called "DSO Stop 2".  It removes your vulnerability to this altogether.  Apparently Microsoft isn't too worried about a fix since they seem to not even mention it.  It still shows up in Spybot, but seems harmless.  I have seen that people manually delete the lines in their registry and not have it seen in Spybot, but honestly I can't even find the lines right now in my hijackthis log.  I renamed abu.exe to abu.old and there doesn't seem to be any negative effects.  Guess what?  04 - HKLM\..\Run:[abu]abu.exe  doesn't even show up in my hijackthis log anymore.  I don't know why.  Stopzilla works fine.  Anyway, here is my current log:

Logfile of HijackThis v1.99.0
Scan saved at 12:10:15 PM, on 1/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\windows\system32\drivers\etc\cpuidle\cpuidle.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\system32\SZIEBHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: cpuidle - Unknown - C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity_BackUp - Unknown - C:\WINDOWS\system32\gearsec.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: WinFax PRO - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE



P.S.  My computer seems to spend a little bit more time on the blue shutting down Windows screen.  I remember with Windows 98 SE some little trick to get Windows to start faster.  Does anything like that exist for XP??  I'm guessing that I just have a lot of processes running and it takes longer to shut down as a result.

My computer is now clear of everything.  I used the malware detective in Spyware Doctor and it showed 60 items... any way to get rid of these?  I sent a request for help to the techs there.  I'm waiting to hear back.  Thanks again.

Offline guestolo

« Reply #22 on: January 11, 2005, 10:33:06 PM »
Here's some more info I found out about DSO Exploit
This one's been a major pain in the neck for Spybot for quite some time :D

No need to worry, as I mentioned, you're up on your Windows updates
and this was patched a long time ago by Microsoft......


Quote
The first item on the list: DSO Exploit has been explained so many times and there is so much confusing information out in the forums that it is hard to resume all of this in a concise manner. But here goes:

The DSO Exploit was a problem in the way Windows handled the "My Computer Zone". Microsoft released a patch for this long ago. So if you have an updated Windows, you shouldn't be affected by this exploit. The reason Spybot flags it is simple. Before Microsoft came out with this patch, a security firm came out with a workaround "tweak" of the registry to restrict this Zone. Spybot looks for the implementation of that "tweak". If the tweak is not found, it flags the DSO Exploit object. Normally this shouldn't be a problem, you'd just let Spybot fix it and it implements the workaround, end of topic. The problem with 1.3 is that the workaround is not done properly during fix. Hence why Spybot flags it again. This has been fixed in the code and was tested for a while with version 1.3.1 beta.

Solution for now: Just ignore it. It isn't a problem if your windows is patched. When the next version of Spybot - S&D comes out, it will fix this problem.

On a side note: Both Spyware Doctor and Stopzilla are 2 programs I don't use and don't usually recommend
Not that there's anything wrong with them---But on most hijackthis forums they're not the ones recommended
As said, I don't know much about either of the programs

But I stick with Ad-Aware and Spybot
For silent Spyware Blockers I have Spyware Blaster and IE-Spyad
For Real time prevention against spyware I use SpywareGuard

System has great startup times and shutdowns
I'm curious where Spyware Doctor is finding these bad guys

Does it make a log of some sorts you can post?

I forgot to ask you about this Jason, you said
Quote
Spyware Blaster got rid of a lot of things I apparently didn't need

That's not really Spywareblaster's job, its job is to set registry entries to control bad Active X installs and cookies and also adds sites to the Restricted Zones
As I said, it's a silent spyware blocker
A great defense....

Also, you may want to try this, mind you latest drivers for Nvidia shouldn't affect any of this, but I remember long shut downs when Nvidia's Driver Helper Service was running
Here's some more info I found
http://www.iamnotageek.com/a/nvsvc32.exe.php

But for now, just for experimental purposes
Go to START>>RUN>>Type in services.msc and click OK

In the next window, look on the right hand side for this service
name---- NVIDIA Driver Helper Service

Double click on it--- STOP the service

Exit out of there and Shut down the computer
Does it shut down quicker?

Also, I assume this entry in your log has been set on purpose
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com

P.S. I use Firefox as my main browser, so no need for a popup blocker
The wife on the other hand, can't get her away from IE
We used to use the Google Toolbar on our XP machine, but with Service Pack 2 installed I got rid of it and she says that the integrated popup blocker in IE SP2 does a good job

On my 98SE machine we still use the Google Toolbar, still no popups
« Last Edit: January 11, 2005, 11:17:40 PM by guestolo »



Offline Jason

« Reply #23 on: January 11, 2005, 11:47:25 PM »
thanks for the info.  Sorry about not being able to help with abu.exe, but, as you can see, it is no longer a prob.

I'll try what you suggest for the slowdown when, and if, I ever find the time - it's always at a premium.




Until the next crisis,
Jason

Guest

« Reply #24 on: January 12, 2005, 03:02:14 PM »
The reference to iden update was from my cellphone uploader app.  I deleted the reference.  I also deleted the reference to nvidia.  This system still takes just as long to shut down.  It is not a full minute, but just seems slower than it was.

Offline guestolo

« Reply #25 on: January 16, 2005, 02:40:23 PM »
Jason, did you ever get your slow shutdowns figured out?

Post back a fresh log if you still need a hand

Have you tried going into MSCONFIG and disabling all unneeded startup entries?

This will include your AV software
for troubleshooting purposes

Restart your computer and then try shutting down again

Of course you don't want to be without AV software, as mentioned this is just for troubleshooting purposes
By trial and error you may be able to pinpoint down the program that is causing the problems



Offline Jason

« Reply #26 on: January 20, 2005, 03:00:09 PM »
No, I never figured it out.  I looked in msconfig startup and just my security stuff loads.  I have given up trying to figure it out.  It's not so bad as to tell me that I have an obvious problem.  One question, though.   Any idea why I can't get into internet options under the tools menu from within IE?  I have to go into the control panel to delete cookies, delete files, and clear my history.  I have looked in the advanced section of internet options from the control panel, but no good.  It gives me the message "This operation has been cancelled due to restrictions in effect on this computer.  Please contact your system administrator."  I have never seen this before.  Any help would be great.

Offline Jason

« Reply #27 on: January 20, 2005, 03:03:03 PM »
P.S.  What is cpuidle?  It does not say that it is a Microsoft item.  It calls the manufacturer unknown.

Offline guestolo

« Reply #28 on: January 20, 2005, 03:06:30 PM »
Your Slowdowns may very well be one of your Security programs

Did you try and disable all of them and then try shutting down
You may have to shutdown twice to notice the difference
The ball's in your court on that one---If you're leaving them enabled you may never know if one is the culprit
I don't want you to permanently disable them, but stay disconnected from the Internet and try and figure out which one might be the problem

Disable all Security programs, including the AV
You may be able to track it down....

Also--One of your Security programs has probably disabled you from accessing the Internet options
You will have to enter each one and disable the feature
You have/had so many I couldn't tell you which one without seeing another log



Offline guestolo

« Reply #29 on: January 20, 2005, 03:48:37 PM »
Jason, you have a right to be suspicious about that file
I thought it was harmless because it's not regularly fixed, here's some info on this
O23 - Service: cpuidle - Unknown - C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE

http://www.neuber.com/taskmanager/process/...srvany.exe.html

But, I figured it was ok and didn't look into it enough
I've also found a couple relationships with it to malware

Can you try something for me please
Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/...s/tds3setup.exe
Install it and Restart your computer when prompted
But do not launch it yet

Update it: Right click the link below, select "save link as" or "save target as"
http://www.diamondcs.com.au/tds/radius.td3
Save it to the directory where you installed tds-3
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3

Launch tds-3. In the top bar of tds window click system testing> full system scan.
Let it completely finish scanning
Detections will appear in the lower pane of tds window after the scan is finished ( it'll take a while ) Right click the list> select save as txt.>> save it and post the contents of the scandump.txt here

After posting the scandump go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION

Then reboot and post a fresh hijackthis log
« Last Edit: January 20, 2005, 05:03:02 PM by guestolo »



Offline Jason

« Reply #30 on: January 20, 2005, 09:09:50 PM »
here is the scandump.txt:


Scan Control Dumped @ 20:05:00 20-01-05
Positive identification: Riskware.Tool.ServiceRunner.d
  File: c:\windows\system32\drivers\etc\cpuidle\srvany.exe

Positive identification: Riskware.Tool.ServiceRunner.d
  File: c:\windows\system32\drivers\etc\cpuidle\srvany.exe

Positive identification (DLL): TrojanDownloader.Win32.PurityScan.l (dll)
  File: c:\hjt\backups\backup-20050107-000653-283.dll

Positive identification: Adware.Sahat.a Dropper.a
  File: c:\windows\sahagent-mediamotor1002.exe

Positive identification: Adware.Sahat.a Dropper.b
  File: c:\windows\sahagent-mediamotor1003.exe

Positive identification: Riskware.Tool.ServiceRunner.d
  File: c:\windows\system32\drivers\etc\cpuidle\srvany.exe



I will delete all positive identifications.  I will not delete the Hijackthis DLL.  I am not sure if I should or not, so I won't.


P.S.  how can I correct my internet options problem I told you about?

Offline guestolo

« Reply #31 on: January 20, 2005, 09:18:20 PM »
Post a fresh Hijackthis log
After you have restarted the computer

Could you Download and save to desktop ServiceFilter.zip
A script by rand1038 that reveals potential unauthorised running services in your system.
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.

Alternate download link for ServiceFilter.zip if that link isn't working

http://www.bleepingcomputer.com/files/wind...rviceFilter.zip
« Last Edit: January 20, 2005, 09:22:28 PM by guestolo »



Offline Jason

« Reply #32 on: January 20, 2005, 09:48:42 PM »
Here is the hijackthis logfile:


Logfile of HijackThis v1.99.0
Scan saved at 8:42:17 PM, on 1/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\system32\SZIEBHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: cpuidle - Unknown - C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity_BackUp - Unknown - C:\WINDOWS\system32\gearsec.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe


I noticed : O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

if I remove this line will I be able to access internet options from within IE??

Offline guestolo

« Reply #33 on: January 20, 2005, 09:51:59 PM »
Yup,

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O23 - Service: cpuidle - Unknown - C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE (file missing)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART your computer
Can you access the Internet options?

Could I also see the log from ServiceFilter>>>Once you Restart your computer
« Last Edit: January 20, 2005, 09:54:09 PM by guestolo »

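Added example, not part of the original thread and not code from HijackThis or ServiceFilter: a small Python triage pass over O6 and O23 lines like the ones selected for fixing above, showing why the cpuidle entry stands out while a vendor of "Unknown" on its own does not. The regexes, the Finding class and the four heuristics are assumptions made for this illustration; the sample lines are copied from the HijackThis logs posted in this thread.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: cpuidle - Unknown - C:\windows\system32\drivers\etc\cpuidle\SRVANY.EXE (file missing)
O23 - Service: GEARSecurity_BackUp - Unknown - C:\WINDOWS\system32\gearsec.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# O23 lines read "O23 - Service: <name> - <vendor> - <path>[ (file missing)]".
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - "
    r"(?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?$"
)
# O6 lines read "O6 - <registry key> present".
O6_RE = re.compile(r"^O6 - (?P<key>HK(?:CU|LM)\\.+?) present$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O23"
    subject: str   # service name or registry key
    reasons: list = field(default_factory=list)


def check_service(m):
    """Return the reasons an O23 entry deserves a closer look.

    These heuristics are assumptions chosen for this example; they are
    prompts for manual review, not verdicts.
    """
    reasons = []
    path = ntpath.normpath(m["path"]).lower()
    if m["vendor"].strip().lower() == "unknown":
        reasons.append("vendor shown as Unknown")
    if m["missing"]:
        reasons.append("image file missing (orphaned service entry)")
    if ntpath.basename(path) == "srvany.exe":
        # srvany.exe only launches another program, so the service
        # entry itself does not name what actually runs.
        reasons.append("srvany.exe wrapper: real program is configured elsewhere")
    if "\\system32\\drivers\\etc\\" in path:
        reasons.append("executable under drivers\\etc (hosts-file directory)")
    return reasons


def triage(log_text):
    """Parse O6/O23 lines and return findings, most reasons first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O23_RE.match(line)):
            reasons = check_service(m)
            if reasons:
                findings.append(Finding("O23", m["name"], reasons))
        elif (m := O6_RE.match(line)):
            findings.append(
                Finding("O6", m["key"], ["IE policy restriction key present"])
            )
    # Stable sort: entries with equal counts keep their log order.
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{len(f.reasons)}] {f.section} {f.subject}")
        for reason in f.reasons:
            print(f"      - {reason}")
```

Entries with a single reason, such as the McAfee service whose vendor also reads Unknown, are the expected noise; it is the stacking of reasons on one entry that makes it worth researching first.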


Offline Jason

« Reply #34 on: January 20, 2005, 09:53:36 PM »
Here is the post this.txt:


The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 2
Jan 20, 2005 8:49:22 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: Adobe LM Service
Display Name: Adobe LM Service
Start Mode: Manual
Start Name: LocalSystem
Description: Adobe LM ...
Service Type: Own Process
Path: "c:\program files\common files\adobe systems shared\service\adobelmsvc.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: cpuidle
Display Name: cpuidle
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\drivers\etc\cpuidle\srvany.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: GEARSecurity_BackUp
Display Name: GEARSecurity_BackUp
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: system32\gearsec.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 4
Service Name: MpfService
Display Name: McAfee Personal Firewall Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\mcafee.com\person~1\mpfservice.exe
State: Running
Process ID: 244
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 5
Service Name: MskService
Display Name: McAfee SpamKiller Server
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\mcafee\spamki~1\msksrvr.exe
State: Running
Process ID: 344
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 6
Service Name: STOPzilla Local Service
Display Name: STOPzilla Local Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\stopzilla!\szntsvc.exe /service "stopzilla local service"
State: Running
Process ID: 1276
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #7
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{ec8858a8-0419-45ad-998c-bb33a22d213b}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 8
Service Name: wfxsvc
Display Name: WinFax PRO
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\wfxsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 90 Win32 services on this machine.
8 were unrecognized.

Script Execution Time: 8.40625 seconds.

Offline guestolo

w?nspool.exe
« Reply #35 on: January 20, 2005, 09:55:14 PM »
Thanks Jason, could you do the fixes with Hijackthis  above >>>Restart your computer and then let me see another Service Filter log
Also one last Hijackthis log
« Last Edit: January 20, 2005, 09:55:45 PM by guestolo »



Offline Jason

w?nspool.exe
« Reply #36 on: January 20, 2005, 09:57:39 PM »
What fixes do I do with hijackthis?  I assume there is a line referencing each of the above?

Offline Jason

w?nspool.exe
« Reply #37 on: January 20, 2005, 09:58:24 PM »
some of them refer to my security software

Offline guestolo

w?nspool.exe
« Reply #38 on: January 20, 2005, 09:58:39 PM »
Right before you posted the ServiceFilter log I posted another fix with Hijackthis



Offline Jason

w?nspool.exe
« Reply #39 on: January 20, 2005, 10:09:38 PM »
yes the internet options work again.  Here is the post this.txt:


The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 2
Jan 20, 2005 9:03:43 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: Adobe LM Service
Display Name: Adobe LM Service
Start Mode: Manual
Start Name: LocalSystem
Description: Adobe LM ...
Service Type: Own Process
Path: "c:\program files\common files\adobe systems shared\service\adobelmsvc.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: cpuidle
Display Name: cpuidle
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\drivers\etc\cpuidle\srvany.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: GEARSecurity_BackUp
Display Name: GEARSecurity_BackUp
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: system32\gearsec.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 4
Service Name: MpfService
Display Name: McAfee Personal Firewall Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\mcafee.com\person~1\mpfservice.exe
State: Running
Process ID: 328
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 5
Service Name: MskService
Display Name: McAfee SpamKiller Server
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\mcafee\spamki~1\msksrvr.exe
State: Running
Process ID: 456
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 6
Service Name: STOPzilla Local Service
Display Name: STOPzilla Local Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\stopzilla!\szntsvc.exe /service "stopzilla local service"
State: Running
Process ID: 1276
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #7
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{ec8858a8-0419-45ad-998c-bb33a22d213b}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 8
Service Name: wfxsvc
Display Name: WinFax PRO
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\wfxsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 90 Win32 services on this machine.
8 were unrecognized.

Script Execution Time: 3.890625 seconds.



Here is the hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 9:07:06 PM, on 1/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\system32\SZIEBHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity_BackUp - Unknown - C:\WINDOWS\system32\gearsec.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe