# Solved: Explorer - another program is currently using this file



## EssenceRare (Aug 2, 2007)

Hi, 

I am having a variety of issues with my pc but so far the only consistent error I have is when trying to run explorer I get the message 'Another program is currently using this file'.

If I try to run explorer during the pc start up it works but once the pc has fully started it never works. Sometimes this error applies to other applications as well (e.g. if I try to open 2 versions of Firefox it sometimes errors).

I have tried various spyware / malware products suggested in this forum but to be honest I am thrashing about in the dark. Any suggestions of how to proceed would be gratefully received.

Thanks.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *EssenceRare*.

Welcome to TSG.

Let's take a look:








*Click here* to download *HJTInstall.exe*

Save *HJTInstall.exe* to your desktop.
Double-click on the *HJTInstall.exe* icon on your desktop.
By default it will install to *C:\Program Files\Trend Micro\HijackThis* . 
Click on *Install*.
It will create a HijackThis icon on the desktop.
Once installed, it will launch *Hijackthis*.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


----------



## EssenceRare (Aug 2, 2007)

Thanks for your reply, here is the HiJack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:03:45, on 02/08/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\s3hotkey.exe
C:\WINNT\system32\S3Tray2.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\system32\TPWRTRAY.EXE
C:\WINNT\system32\TFncKy.exe
C:\WINNT\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\TOSHIBA\TME3\TMEDevRm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\iesdpb.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV3.EXE /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS3.EXE /logon
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AS00_WN511B] C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe -hide
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\iesdpb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1185404912317
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Alerter - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: Infrared Monitor (Irmon) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: TCP/IP NetBIOS Helper Service (LmHosts) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINNT\System32\lsass.exe
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINNT\System32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: IPSEC Policy Agent (PolicyAgent) - Unknown owner - C:\WINNT\System32\lsass.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINNT\system32\svchost.exe
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINNT\system32\lsass.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINNT\system32\MSTask.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: RunAs Service (seclogon) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINNT\system32\svchost.exe
O23 - Service: Internet Connection Sharing (SharedAccess) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINNT\system32\spoolsv.exe
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: THotkey (THOTKEY) - Unknown owner - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: Tmesbs3 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINNT\System32\mspmspsv.exe
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\WINNT\system32\Services.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINNT\system32\svchost.exe
O23 - Service: Wireless Configuration (WZCSVC) - Unknown owner - C:\WINNT\System32\svchost.exe

--
End of file - 11614 bytes


----------



## JSntgRvr (Jul 1, 2003)

Hi, *EssenceRare* 

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.

 Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
 Type *Y* to begin the cleanup process.
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. 
 Press any Key and it will restart the PC. 
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
 Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


----------



## EssenceRare (Aug 2, 2007)

Sorry for the delay (I have been trying to cook dinner at the same time). Here are the logs:

SDFix: Version 1.94

Run by Administrator on Thu 02/08/2007 at 22:12

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINNT\system32\i - Deleted

Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Finished

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:21:03, on 02/08/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\TOSHIBA\TME3\TMEDevRm.exe
C:\WINNT\system32\s3hotkey.exe
C:\WINNT\system32\S3Tray2.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\system32\TPWRTRAY.EXE
C:\WINNT\system32\TFncKy.exe
C:\WINNT\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe

O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\iesdpb.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV3.EXE /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS3.EXE /logon
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AS00_WN511B] C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe -hide
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\iesdpb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1185404912317
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Alerter - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: Infrared Monitor (Irmon) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: TCP/IP NetBIOS Helper Service (LmHosts) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINNT\System32\lsass.exe
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINNT\System32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: IPSEC Policy Agent (PolicyAgent) - Unknown owner - C:\WINNT\System32\lsass.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINNT\system32\svchost.exe
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINNT\system32\lsass.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINNT\system32\MSTask.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: RunAs Service (seclogon) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINNT\system32\svchost.exe
O23 - Service: Internet Connection Sharing (SharedAccess) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINNT\system32\spoolsv.exe
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINNT\System32\svchost.exe
O23 - Service: THotkey (THOTKEY) - Unknown owner - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: Tmesbs3 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINNT\System32\mspmspsv.exe
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\WINNT\system32\Services.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINNT\system32\svchost.exe
O23 - Service: Wireless Configuration (WZCSVC) - Unknown owner - C:\WINNT\System32\svchost.exe

--
End of file - 11598 bytes


----------



## JSntgRvr (Jul 1, 2003)

Hi, *EssenceRare* 

Some of the Services in your computer seem to have wrong image paths.

Please download the enclosed folder. Save and extract its contents to the desktop. A *Win2KQuery* folder will be created. Open this folder and double click on the *Query.bat* file therein and post back its report.

Let's take a deeper look:

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *WinPFind3u* on your desktop.

Open the *WinPFind3u* folder and double-click on WinPFind3U.exe to start the program.
In the *Processes* group click *Non Microsoft*
In the *Win32 Services* group click *Non Microsoft*
In the *Driver Services* group click *Non Microsoft*
In the *Registry* group click *Non Microsoft*
In the *Files Created Within* group click *60 days*. Make sure *Non-Microsoft only is UNCHECKED*
In the *Files Modified Within* group select *30 days*. Make sure *Non-Microsoft only is UNCHECKED*
In the *File String Search* group select *Non Microsoft*
In the *Additional scans* sections please press select *All* and *uncheck* non-microsoft only

Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the *Reply* button and attach the notepad file here *(Do not copy and paste in a reply, rather attach it to it).*


----------



## EssenceRare (Aug 2, 2007)

Hi JSntgRvr,

Many thanks for your help so far. 

I have attached the log files from Win2KQuery and WinPFind3U (unfortunately the WinPFind3U file is larger than the upload limit, so I have divided it into two).


----------



## JSntgRvr (Jul 1, 2003)

Hi, *EssenceRare* 

I am still seeing weird entries. Microsoft files are not being recognized with their signatures.

Please download the enclosed folder. Save and extract its contents to the desktop. It is a batch file. Once extracted, double-click on the batch file and post the resulting report. It may take a few minutes to complete the scanning.


----------



## EssenceRare (Aug 2, 2007)

Here are the results of the locate files job:

"C:\WINNT\system32\LSASS.EXE" 33552 19/12/04 23:30 
"C:\WINNT\system32\dllcache\lsass.exe" 33552 19/12/04 23:30 
"C:\WINNT\$NtServicePackUninstall$\lsass.exe" 33552 08/05/01 14:00 
"C:\WINNT\ServicePackFiles\i386\lsass.exe" 33552 19/06/03 12:05 
"C:\WINNT\SoftwareDistribution\Download\1ecefd93e6869cae3c59975999e09db0\lsass.exe" 33552 19/12/04 23:30 
"C:\WINNT\$NtUpdateRollupPackUninstall$\lsass.exe" 33552 19/06/03 12:05 
. 
. 
. 
"C:\WINNT\system32\CSRSS.EXE" 5392 19/06/03 12:05 
"C:\WINNT\$NtServicePackUninstall$\csrss.exe" 5392 08/05/01 14:00 
"C:\WINNT\ServicePackFiles\i386\csrss.exe" 5392 19/06/03 12:05 
. 
. 
. 
"C:\WINNT\explorer.exe" 243472 19/06/03 12:05 
"C:\WINNT\$NtServicePackUninstall$\explorer.exe" 242960 08/05/01 14:00 
"C:\WINNT\ServicePackFiles\i386\explorer.exe" 243472 19/06/03 12:05 
. 
. 
. 
"C:\WINNT\system32\mspmspsv.exe" 53520 08/08/00 12:32 
. 
. 
. 
"C:\WINNT\system32\SERVICES.EXE" 92944 08/04/05 12:51 
"C:\WINNT\system32\dllcache\services.exe" 92944 08/04/05 12:51 
"C:\WINNT\$NtServicePackUninstall$\services.exe" 88848 08/05/01 14:00 
"C:\WINNT\ServicePackFiles\i386\services.exe" 89360 19/06/03 12:05 
"C:\WINNT\SoftwareDistribution\Download\1ecefd93e6869cae3c59975999e09db0\services.exe" 92944 08/04/05 12:51 
"C:\WINNT\$NtUpdateRollupPackUninstall$\services.exe" 89360 19/06/03 12:05 
. 
. 
. 
"C:\WINNT\system32\spoolsv.exe" 47376 12/07/05 05:59 
"C:\WINNT\system32\dllcache\spoolsv.exe" 47376 12/07/05 05:59 
"C:\WINNT\$NtServicePackUninstall$\spoolsv.exe" 44816 08/05/01 14:00 
"C:\WINNT\ServicePackFiles\i386\spoolsv.exe" 45328 19/06/03 12:05 
"C:\WINNT\SoftwareDistribution\Download\1ecefd93e6869cae3c59975999e09db0\spoolsv.exe" 48400 08/04/05 12:51 
"C:\WINNT\SoftwareDistribution\Download\2137d15f20275d1427c87a17c5da0ade\spoolsv.exe" 47376 12/07/05 05:59 
"C:\WINNT\$NtUninstallKB896423$\spoolsv.exe" 45328 19/06/03 12:05 
. 
. 
.


----------



## JSntgRvr (Jul 1, 2003)

EssenceRare said:


> Here are the results of the locate files job:
> 
> "C:\WINNT\system32\LSASS.EXE" 33552 19/12/04 23:30
> "C:\WINNT\system32\dllcache\lsass.exe" 33552 19/12/04 23:30
> ...


Files seem to be legit. I am trying to get hold of a Win2K machine to compare registry entries. I will get back to you soon.


----------
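One way to read a file listing like the one posted above, as an added example that is not part of the original thread: group the copies of each system binary and compare the live copy's size and timestamp with its `dllcache` copy, falling back to the service-pack or update copies. The function names and verdict labels are hypothetical, dates are assumed to be dd/mm/yy, and the mismatching `spoolsv.exe` pair in the sample is constructed.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines from the listing in this thread, except the last two
# (spoolsv.exe), which are constructed to show what a mismatch looks like.
SAMPLE = r'''
"C:\WINNT\system32\LSASS.EXE" 33552 19/12/04 23:30
"C:\WINNT\system32\dllcache\lsass.exe" 33552 19/12/04 23:30
"C:\WINNT\ServicePackFiles\i386\lsass.exe" 33552 19/06/03 12:05
.
"C:\WINNT\explorer.exe" 243472 19/06/03 12:05
"C:\WINNT\$NtServicePackUninstall$\explorer.exe" 242960 08/05/01 14:00
"C:\WINNT\ServicePackFiles\i386\explorer.exe" 243472 19/06/03 12:05
.
"C:\WINNT\system32\mspmspsv.exe" 53520 08/08/00 12:32
.
"C:\WINNT\system32\spoolsv.exe" 47888 01/08/07 03:14
"C:\WINNT\system32\dllcache\spoolsv.exe" 47376 12/07/05 05:59
'''

LINE_RE = re.compile(
    r'^"(?P<path>[^"]+)"\s+(?P<size>\d+)\s+(?P<stamp>\d\d/\d\d/\d\d \d\d:\d\d)$'
)

# Directories that hold backup, service-pack or update copies rather than
# the binary Windows actually runs.
REFERENCE_MARKERS = ("\\dllcache\\", "\\servicepackfiles\\",
                     "\\softwaredistribution\\", "\\$nt")


def is_reference(path):
    lowered = path.lower()
    return any(marker in lowered for marker in REFERENCE_MARKERS)


def parse_listing(text):
    """Group (path, size, timestamp) entries by lower-cased file name."""
    groups = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # blank lines and the "." separators between groups
        stamp = datetime.strptime(m["stamp"], "%d/%m/%y %H:%M")  # assumed dd/mm/yy
        name = ntpath.basename(m["path"]).lower()
        groups[name].append((m["path"], int(m["size"]), stamp))
    return groups


def check_listing(text):
    """Return {file name: verdict} for every file that has a live copy."""
    verdicts = {}
    for name, entries in parse_listing(text).items():
        live = [e[1:] for e in entries if not is_reference(e[0])]
        if not live:
            continue
        cache = [e[1:] for e in entries if "\\dllcache\\" in e[0].lower()]
        others = [e[1:] for e in entries
                  if is_reference(e[0]) and "\\dllcache\\" not in e[0].lower()]
        if cache:
            same = all(fp in cache for fp in live)
            verdicts[name] = "matches dllcache" if same else "DIFFERS from dllcache"
        elif others:
            same = all(fp in others for fp in live)
            verdicts[name] = ("matches reference copy" if same
                              else "no matching reference copy")
        else:
            verdicts[name] = "no reference copy"
    return verdicts


if __name__ == "__main__":
    for name, verdict in sorted(check_listing(SAMPLE).items()):
        print(f"{name:15} {verdict}")
```

Equal size and timestamp only show that the live file was not swapped for a differently built one; a hash comparison against known-good media is the stronger check.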



## EssenceRare (Aug 2, 2007)

Dear JSntgRvr,

Thanks for your patience. I need to go out now for a while so don't worry about posting soon. If you think this is going to be a long process and it will be easier to re-build the pc please let me know and I will stop using your time.


----------



## JSntgRvr (Jul 1, 2003)

EssenceRare said:


> Dear JSntgRvr,
> 
> Thanks for your patience. I need to go out now for a while so don't worry about posting soon. If you think this is going to be a long process and it will be easier to re-build the pc please let me know and I will stop using your time.


The way I see it, it will require a major registry repair. Modification of the registry can be *EXTREMELY* dangerous. If given the option, I would prefer to back up all personal data and reinstall the Operating System. To give you an example, here is how the entry looks in your registry:



> HKEY_LOCAL_MACHINE\system\currentcontrolset\services\alerter
> Type	REG_DWORD 32 (0x20)
> Start	REG_DWORD 3 (0x3)
> ErrorControl	REG_DWORD 1 (0x1)
> ...


This is how it is supposed to look:



> HKEY_LOCAL_MACHINE\system\currentcontrolset\services\alerter
> Type	REG_DWORD 32 (0x20)
> Start	REG_DWORD 2 (0x2)
> ErrorControl	REG_DWORD 1 (0x1)
> ...


The entries in red are either missing or contain the wrong information. This is only one entry. There are at least 16 other similar entries. I wanted to confirm this information with a Win2K machine first, as we may mess up the registry if the wrong information is included.

Your choice.


----------



## EssenceRare (Aug 2, 2007)

Dear JSntgRvr,

I think I will go for the back up / rebuild option. If you don't mind I have a few final questions:

1/. Do you have any idea how I got in this mess?

2/. Is it safe to continue using the machine for another week (I am away from home at the moment so can't get access to the OP cds until I get home)?

3/. Do you have any recommendations for preventing this in the future? (before this incident I used AVG anti virus and Spyware Doctor)

Regards


----------



## JSntgRvr (Jul 1, 2003)

EssenceRare said:


> Dear JSntgRvr,
> 
> I think I will go for the back up / rebuild option. If you don't mind I have a few final questions:
> 
> ...


Please disregard my alert above. After reviewing two other logs from different machines, I find no difference in contents in the registry. Thanks to *MFDnNC* and *cybertech* for their cooperation. I will take another look at the WinPFind3u report and get back to you. The appearance of these services as O23 lines in Hijackthis fooled me. They usually do not. Please do not reinstall yet.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *EssenceRare* 

The log shows no sign of malware. Is there a reason you have not upgraded to Internet Explorer 6.0?


----------



## EssenceRare (Aug 2, 2007)

Hi JSntgRvr,

I rarely use Internet Explorer (I usually use Firefox instead) so I have not considered upgrading it.

 

I don't know if this is relevant or not but I have noticed that in task manager Explorer.exe is listed as a running process (but is not listed as an application). As an experiment I ended this process but this caused the icon bar and desktop items to disappear as well.


----------



## JSntgRvr (Jul 1, 2003)

EssenceRare said:


> Hi JSntgRvr,
> I don't know if this is relevant or not but I have noticed that in task manager Explorer.exe is listed as a running process (but is not listed as an application). As an experiment I ended this process but this caused the icon bar and desktop items to disappear as well.


That is normal. Upgrade to Version 6.0 and post a fresh Hijackthis log afterward.








Download *Deckard's System Scanner (DSS)* from *here* or *here* to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on *dss.exe* to run it, and follow the prompts.
When the scan is complete, two text files will open - *main.txt* <- this one will be maximized and *extra.txt* <- this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both, the *main.txt* and the *extra.txt* in your next reply.
If the files are too long, attach them to a reply:

Scroll down and click the [*Manage Attachments*] button
Browse to the following folder:
*C:\Deckard\System Scanner*

Click *Upload* to upload these files one by one
*Submit* your reply


----------



## EssenceRare (Aug 2, 2007)

Hi JSntgRvr,

I tried to install ie6setup.exe but got the message 'The download location information is damaged. Please clear Internet Explorer browser cache and retry setup'.
So far I have not been able to get around this issue.

However I have run the DSS utility and have attached the logfiles.

I will continue trying to get the IE6 install to work and will send you a new hijack log if I succeed.

Thanks & Regards


----------



## JSntgRvr (Jul 1, 2003)

Hi, *EssenceRare* 

Please *download* the *OTMoveIt by OldTimer*.

 *Save* it to your *desktop*.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

*O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')*

Now *close all windows and browsers, other than HiJackThis*, then click Fix Checked.

Close Hijackthis.

 Please double-click *OTMoveIt.exe* to run it.
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*C:\WINNT\system32\Perflib_Perfdata_4c8.dat
C:\WINNT\system32\Perflib_Perfdata_4fc.dat
C:\WINNT\system32\Perflib_Perfdata_4cc.dat
C:\WINNT\system32\Perflib_Perfdata_48c.dat
C:\WINNT\system32\Perflib_Perfdata_4ec.dat
C:\WINNT\system32\Perflib_Perfdata_498.dat
C:\WINNT\system32\Perflib_Perfdata_44c.dat
C:\WINNT\system32\Perflib_Perfdata_404.dat
C:\WINNT\system32\Perflib_Perfdata_3fc.dat
C:\WINNT\system32\Perflib_Perfdata_440.dat
C:\WINNT\system32\Perflib_Perfdata_408.dat
C:\WINNT\system32\Perflib_Perfdata_3f8.dat
C:\WINNT\system32\Perflib_Perfdata_410.dat
C:\WINNT\system32\Perflib_Perfdata_424.dat
C:\WINNT\system32\Perflib_Perfdata_464.dat
C:\WINNT\system32\Perflib_Perfdata_460.dat
C:\WINNT\system32\Perflib_Perfdata_3d4.dat
C:\WINNT\system32\Perflib_Perfdata_3f4.dat
C:\WINNT\msiinst.tmp
C:\WINNT\jautoexp.dat
C:\WINNT\system32\Perflib_Perfdata_3ec.dat
C:\WINNT\C
C:\WINNT\_
C:\WINNT\K
C:\WINNT\system32\Perflib_Perfdata_3c8.dat
C:\WINNT\system32\Perflib_Perfdata_164.dat*

 Return to OTMoveIt, right click on the *"Paste List of Files/Folders to be moved"* window and choose *Paste*.
Click the red *Moveit!* button.
*If able, copy everything on the Results window to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it on a note pad document. Save it on the desktop and post its contents in your next reply.

Close *OTMoveIt*
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

There are a couple of errors logged in the event viewer. One calls for the following fix:

Go to Start->Run, type CMD and click Ok. The MSDOS window will be displayed. At the prompt type the following and press Enter after each line:

*winmgmt /clearadap
winmgmt /resyncperf 
Exit*

The other issue requires a registry fix.

First perform a Full Backup of the Registry:

Go to *Start*->*Run*, type *Regedit.exe* and click Ok.
The Registry Editor will be displayed.
Click on *My Computer* in the Editor to highlight it.
Select *Registry* (File on XP) from the *Menu*, then *Export*
Name the export *Backup*
Save it on C:\

You now have a backup of your registry on C:\ (*C:\Backup.reg*).

I have enclosed the *SvchostFix.reg*, as explained on the link below:

http://djlizard.net/category/windows-2000

Download the file, and once extracted, double click on it and select Yes when prompted to merge it into the registry.

Restart the computer and Test.

*Post a fresh Hijackthis log and let me know how the computer is doing.*


----------



## EssenceRare (Aug 2, 2007)

Hi JSntgRvr,

I completed the HiJack this instruction and the MoveIt job (see MoveIt results below).

However when I tried to run winmgmt /clearadap I got the following error:

'The process cannot access the file because it is being used by another process'

Should I continue with the registry fix instructions or is it dependent on the previous step?

Thanks & Regards  

C:\WINNT\system32\Perflib_Perfdata_4c8.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_4fc.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_4cc.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_48c.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_4ec.dat moved successfully.
File/Folder C:\WINNT\system32\Perflib_Perfdata_498.dat not found.
C:\WINNT\system32\Perflib_Perfdata_44c.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_404.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_3fc.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_440.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_408.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_3f8.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_410.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_424.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_464.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_460.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_3d4.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_3f4.dat moved successfully.
C:\WINNT\msiinst.tmp moved successfully.
C:\WINNT\jautoexp.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_3ec.dat moved successfully.
C:\WINNT\C moved successfully.
C:\WINNT\_ moved successfully.
C:\WINNT\K moved successfully.
C:\WINNT\system32\Perflib_Perfdata_3c8.dat moved successfully.
C:\WINNT\system32\Perflib_Perfdata_164.dat moved successfully.

Created on 08/05/2007 17:44:11


----------



## JSntgRvr (Jul 1, 2003)

> Should I continue with the registry fix instructions or is it dependent on the previous step?


They are two different issues. I would go for it. Make sure you back up the registry.


----------



## JSntgRvr (Jul 1, 2003)

Download Getservices.zip from *Here* and extract the zip file to your C: drive. Once it is extracted there will be a directory on your C: drive called getservice. Inside the C:\getservice directory will be a file called getservice.bat . Simply double-click on the getservice.bat file and when it is completed a notepad will open with a lot of information. You can then copy the entire contents of that notepad to a reply.

Download pv.zip from *Here* and extract the zip file to your C: drive. Once it is extracted there will be a directory on your C: drive called PV. Inside the C:\PV directory will be a file called runme.bat . Simply double-click on the runme.bat file. A dos window will open. Select option 1 for explorer dlls by typing 1 and then pressing enter. Notepad will open with a log in it. Copy and paste the log into this thread. It is usually pretty large and takes more than one post. Please do option 2 for Internet Explorer dlls too.
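
An added example, not part of the original posts: the getservice.bat log posted in reply is PsService output with one block per service, and the code below parses that layout and applies the checks this thread turns on, namely a start type that differs from a reference machine, a core Windows image name hosted outside system32, and unreadable dependency entries. The sample log, the `ExampleSvc` record, the reference start value and all function names are constructed for illustration.

```python
import ntpath  # Windows path rules, so the example also runs on non-Windows hosts
import re

FIELD_RE = re.compile(r"^([A-Z_]+)\s*:\s?(.*)$")   # e.g. "START_TYPE : 3 DEMAND_START"
DEP_RE = re.compile(r"\+?[A-Za-z0-9_. -]+")        # "+" prefixes a load-order group
SYSTEM_DIR = r"c:\winnt\system32"                  # system directory in the thread's logs
CORE_IMAGES = {"services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe"}
# Reference start types (constructed; take real ones from a known-good machine).
BASELINE_START = {"alerter": 2}

# Constructed sample in the PsService layout; ExampleSvc is invented for the demo.
SAMPLE_LOG = r"""PsService v1.1 - local and remote services viewer/controller
SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
DEPENDENCIES : LanmanWorkstation

SERVICE_NAME: RpcSs
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINNT\system32\svchost -k rpcss

SERVICE_NAME: NetDDEdsdm
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINNT\system32\netdde.exe
DEPENDENCIES :
: EGrLocalSystem
: `
:

SERVICE_NAME: ExampleSvc
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINNT\Temp\svchost.exe -k example
"""

def leading_int(value, base):
    try:
        return int(value.split()[0], base)
    except (IndexError, ValueError):
        return None

def image_path(command_line):
    """Return the executable part of BINARY_PATH_NAME, without its arguments."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)  # unquoted, may hold spaces
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""

def parse_psservice(text):
    """Parse the log into {service_name: record}; header lines are skipped."""
    services, cur, last = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("SERVICE_NAME:"):
            cur = services[line.split(":", 1)[1].strip()] = {"description": "", "deps": []}
            last = None
        elif cur is None or not line:
            continue
        elif line.startswith(":") and last == "DEPENDENCIES":
            cur["deps"].append(line[1:].strip())       # continuation line
        elif (m := FIELD_RE.match(line)):
            last, value = m.group(1), m.group(2).strip()
            if last == "DEPENDENCIES":
                cur["deps"] += [value] if value else []
            elif last in ("TYPE", "START_TYPE"):       # TYPE is printed in hex
                cur[last.lower()] = leading_int(value, 16 if last == "TYPE" else 10)
            elif last == "BINARY_PATH_NAME":
                cur["image"] = image_path(value)
            else:
                cur[last.lower()] = value
        else:
            cur["description"] = cur["description"] or line
    return services

def triage(services, baseline_start):
    """Return (service, issue) pairs worth a closer look by a human."""
    findings = []
    for name, svc in services.items():
        image = ntpath.normcase(svc.get("image", ""))
        exe = ntpath.basename(image)
        exe += "" if "." in exe or not exe else ".exe"  # "svchost" appears without extension
        if exe in CORE_IMAGES and ntpath.dirname(image) != SYSTEM_DIR:
            findings.append((name, "core image name outside system32: " + svc["image"]))
        expected = baseline_start.get(name.lower())
        if expected is not None and svc.get("start_type") != expected:
            findings.append((name, "start type %s, reference has %s"
                             % (svc.get("start_type"), expected)))
        bad = [d for d in svc["deps"] if not DEP_RE.fullmatch(d)]
        if bad:
            findings.append((name, "malformed dependency entries: %r" % bad))
    return findings

if __name__ == "__main__":
    for service, issue in triage(parse_psservice(SAMPLE_LOG), BASELINE_START):
        print(service + ": " + issue)
```

A finding here is a prompt to look closer, not a verdict: a start-type difference can be a legitimate local setting, so the reference values should come from a machine with the same OS build.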


----------



## EssenceRare (Aug 2, 2007)

Hi JSntgRvr,

I have done the registry fix and run the latest tools that you suggested (see below for logs).

Thanks again for all the time you are spending on this and remember that I can do a rebuild if you are getting bored trying to track down the problem.

Regards 

PsService v1.1 - local and remote services viewer/controller
Copyright (C) 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: AcrSch2Svc
Provides task scheduling for Acronis applications.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Acronis Scheduler2 Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Alerter
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Application Management
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AVG Anti-Spyware Guard
(null)
TYPE : 10 WIN32_OWN_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : AVG Anti-Spyware Guard
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Avg7Alrt
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : AVG7 Alert Manager Server
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Avg7UpdSvc
(null)
TYPE : 10 WIN32_OWN_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : AVG7 Update Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AVGEMS
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : AVG E-mail Scanner
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Transfers files in the background using idle network bandwidth. If the service is disabled, then any functions that depend on BITS, such as Windows Update or MSN Explorer will be unable to automatically download programs and other information.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k BITSgroup
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Background Intelligent Transfer Service
DEPENDENCIES : Rpcss
: SENS
: Wmi
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Browser
Maintains an up-to-date list of computers on your network and supplies the list to programs that request it.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Computer Browser
DEPENDENCIES : LanmanWorkstation
: LanmanServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: cisvc
(null)
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\cisvc.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Indexing Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks.
TYPE : 10 WIN32_OWN_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\clipsrv.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : ClipBook
DEPENDENCIES : NetDDE
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Administrative service for disk management requests
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\dmadmin.exe /com
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Logical Disk Manager Administrative Service
DEPENDENCIES : RpcSs
: PlugPlay
: DmServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Logical Disk Manager Watchdog Service
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Logical Disk Manager
DEPENDENCIES : RpcSs
: PlugPlay
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EPSONStatusAgent2
(null)
TYPE : 10 WIN32_OWN_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : EPSON Printer Status Agent2
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP : Event log
TAG : 0
DISPLAY_NAME : Event Log
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Provides automatic distribution of events to subscribing COM components.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : COM+ Event System
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Fax
Helps you send and receive faxes
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\faxsvc.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Fax Service
DEPENDENCIES : TapiSrv
: RpcSs
: PlugPlay
: Spooler
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Irmon
Supports infrared devices installed on the computer and detects other devices that are in range.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Infrared Monitor
DEPENDENCIES : irda
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Provides RPC support and file, print, and named pipe sharing.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Server
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Provides network connections and communications.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : Workstation
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper Service
DEPENDENCIES : NetBT
: Afd
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Messenger
Sends and receives messages transmitted by administrators or by the Alerter service.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Messenger
DEPENDENCIES : LanmanWorkstation
: NetBIOS
: RpcSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Allows authorized people to remotely access your Windows desktop using NetMeeting.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\mnmsrvc.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : NetMeeting Remote Desktop Sharing
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\msdtc.exe
LOAD_ORDER_GROUP : MS Transactions
TAG : 0
DISPLAY_NAME : Distributed Transaction Coordinator
DEPENDENCIES : RPCSS
: SamSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSIServer
Installs, repairs and removes software according to instructions contained in .MSI files.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\msiexec.exe /V
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Windows Installer
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for dynamic data exchange (DDE).
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\netdde.exe
LOAD_ORDER_GROUP : NetDDEGroup
TAG : 0
DISPLAY_NAME : Network DDE
DEPENDENCIES : NetDDEDSDM
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages shared dynamic data exchange and is used by Network DDE
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\netdde.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Network DDE DSDM
DEPENDENCIES : 
: EGrLocalSystem
: Network DDE DSDM
: etwork DDE
: ted Transaction Coordinator
: trative Service
: `
: 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe
LOAD_ORDER_GROUP : RemoteValidation
TAG : 0
DISPLAY_NAME : Net Logon
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Network Connections
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : NT LM Security Support Provider
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
Manages removable media, drives, and libraries.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Removable Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Manages device installation and configuration and notifies programs of device changes.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Plug and Play
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : IPSEC Policy Agent
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PREVXAgent
(null)
TYPE : 10 WIN32_OWN_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Prevx2\PXAgent.exe" -f
LOAD_ORDER_GROUP : PrevxAgentGroup
TAG : 1
DISPLAY_NAME : Prevx Agent
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Protected Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Remote Access Auto Connection Manager
DEPENDENCIES : RasMan
: Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Remote Access Connection Manager
DEPENDENCIES : Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Routing and Remote Access
DEPENDENCIES : RpcSS
: +NetBIOSGroup
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteRegistry
Allows remote registry manipulation.
TYPE : 10 WIN32_OWN_PROCESS 
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\regsvc.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Remote Registry Service
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Restart	DELAY: 1000 seconds

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
TYPE : 10 WIN32_OWN_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\locator.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Locator
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\svchost -k rpcss
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC)
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\rsvp.exe -s
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : QoS RSVP
DEPENDENCIES : TcpIp
: Afd
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\lsass.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Security Accounts Manager
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardDrv
Provides support for legacy smart card readers attached to the computer.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\System32\SCardSvr.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Smart Card Helper
DEPENDENCIES : +Smart Card Reader
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardSvr
Manages and controls access to a smart card inserted into a smart card reader attached to the computer.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\System32\SCardSvr.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Smart Card
DEPENDENCIES : PlugPlay
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Schedule
Enables a program to run at a designated time.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\MSTask.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Task Scheduler
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: sdAuxService
Provides auxiliary Spyware Doctor services. If this service is disabled spyware protection will be reduced.
TYPE : 10 WIN32_OWN_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Spyware Doctor\svcntaux.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Spyware Doctor Auxiliary Service
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: sdCoreService
Provides spyware and malware protection for the system. If this service is disabled spyware protection will be disabled.
TYPE : 10 WIN32_OWN_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Spyware Doctor\swdsvc.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Spyware Doctor Service
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : RunAs Service
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : System Event Notification
DEPENDENCIES : EventSystem
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Internet Connection Sharing
DEPENDENCIES : RasMan
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Configures performance logs and alerts.
TYPE : 10 WIN32_OWN_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\smlogsvc.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Performance Logs and Alerts
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Telephony
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: THOTKEY
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\SYSTEM32\THOTKEY.EXE
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : THotkey
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TlntSvr
Allows a remote user to log on to the system and run console programs using the command line.
TYPE : 10 WIN32_OWN_PROCESS 
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\tlntsvr.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Telnet
DEPENDENCIES : RpcSs
: TcpIp
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Tmesbs
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe" /Service
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Tmesbs3
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Tmesrv
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe" /Service
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Tmesrv3
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TrkWks
Sends notifications of files moving between NTFS volumes in a network domain.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\services.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Distributed Link Tracking Client
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
TYPE : 10 WIN32_OWN_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\ups.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Uninterruptible Power Supply
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UtilMan
Starts and configures accessibility tools from one window 
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\UtilMan.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Utility Manager
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: W32Time
Sets the computer clock.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\services.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Windows Time
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WinMgmt
Provides system management information.
TYPE : 10 WIN32_OWN_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\System32\WBEM\WinMgmt.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart	DELAY: 60000 seconds
: Restart	DELAY: 60000 seconds

SERVICE_NAME: WMDM PMSP Service
(null)
TYPE : 10 WIN32_OWN_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\mspmspsv.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : WMDM PMSP Service
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Wmi
Provides systems management information to and from drivers.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\Services.exe
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation Driver Extensions
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\system32\svchost.exe -k wugroup
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Automatic Updates
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
Provides authenticated network access control using IEEE 802.1x for wired and wireless Ethernet networks.
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wireless Configuration
DEPENDENCIES : RpcSs
: Ndisuio
: ProtectedStorage
: WMI
SERVICE_START_NAME: LocalSystem


----------



## EssenceRare (Aug 2, 2007)

Here are the PV logs:

Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 400000 253952 C:\WINNT\Explorer.EXE 
ntdll.dll 77f80000 507904 C:\WINNT\system32\ntdll.dll 5.00.2195.7006 NT Layer DLL
ADVAPI32.DLL 7c2d0000 413696 C:\WINNT\system32\ADVAPI32.DLL 5.00.2195.7038 Advanced Windows 32 Base API
KERNEL32.dll 7c570000 733184 C:\WINNT\system32\KERNEL32.dll 5.00.2195.7006 Windows NT BASE API Client DLL
RPCRT4.dll 77d30000 491520 C:\WINNT\system32\RPCRT4.dll 5.00.2195.7020 Remote Procedure Call Runtime
GDI32.DLL 77f40000 245760 C:\WINNT\system32\GDI32.DLL 5.00.2195.7133 GDI Client DLL
USER32.dll 77e10000 389120 C:\WINNT\system32\USER32.dll 5.00.2195.7133 Windows 2000 USER API Client DLL
SHLWAPI.DLL 70bd0000 311296 C:\WINNT\system32\SHLWAPI.DLL 5.50.4134.600 Shell Light-weight Utility Library
COMCTL32.DLL 71700000 565248 C:\WINNT\system32\COMCTL32.DLL 5.81 Common Controls Library
shim.dll 732e0000 151552 C:\WINNT\system32\shim.dll 5.00.2195.6717 Shim Engine DLL
AcLayers.DLL 23000000 352256 C:\WINNT\AppPatch\AcLayers.DLL 5.00.2195.6717 Windows 2000 Shim Accessory DLL
SHELL32.dll 7cf30000 2383872 C:\WINNT\system32\SHELL32.dll 5.00.3900.7105 Windows Shell Common Dll
OLE32.DLL 7ce20000 1052672 C:\WINNT\system32\OLE32.DLL 5.00.2195.7034 Microsoft OLE for Windows
CLBCATQ.DLL 7c950000 589824 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3511.0 
OLEAUT32.dll 779b0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4522 
MSVCRT.dll 78000000 282624 C:\WINNT\system32\MSVCRT.dll 6.10.9844.0 Microsoft (R) C Runtime Library
cscui.dll 77840000 253952 C:\WINNT\system32\cscui.dll 5.00.2195.6705 Client Side Caching UI
CSCDLL.DLL 770c0000 143360 C:\WINNT\system32\CSCDLL.DLL 5.00.2195.6713 Offline Network Agent
SHDOCVW.DLL 70fe0000 1159168 C:\WINNT\system32\SHDOCVW.DLL 5.50.4134.600 Shell Doc Object and Control Library
browseui.dll 71110000 823296 C:\WINNT\System32\browseui.dll 5.50.4134.600 Shell Browser UI Library
LINKINFO.DLL 76710000 36864 C:\WINNT\system32\LINKINFO.DLL 5.00.2195.7009 Windows Volume Tracking
ntshrui.dll 76fa0000 61440 C:\WINNT\system32\ntshrui.dll 5.00.2134.1 Shell extensions for sharing
ATL.DLL 773e0000 86016 C:\WINNT\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
NETAPI32.DLL 7cdc0000 339968 C:\WINNT\system32\NETAPI32.DLL 5.00.2195.7038 Net Win32 API DLL
DNSAPI.dll 77980000 147456 C:\WINNT\system32\DNSAPI.dll 5.00.2195.7003 DNS Client API DLL
WSOCK32.dll 75050000 32768 C:\WINNT\system32\WSOCK32.dll 5.00.2195.6603 Windows Socket 32-Bit DLL
WS2_32.DLL 75030000 81920 C:\WINNT\system32\WS2_32.DLL 5.00.2195.6601 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 75020000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
NETRAP.dll 751c0000 24576 C:\WINNT\system32\NETRAP.dll 5.00.2134.1 Net Remote Admin Protocol DLL
NTDSAPI.dll 77bf0000 69632 C:\WINNT\system32\NTDSAPI.dll 5.00.2195.6666 NT5DS
WLDAP32.DLL 77950000 176128 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.7017 Win32 LDAP API DLL
SECUR32.DLL 7c340000 61440 C:\WINNT\system32\SECUR32.DLL 5.00.2195.6695 Security Support Provider Interface
SAMLIB.dll 75150000 65536 C:\WINNT\system32\SAMLIB.dll 5.00.2195.6944 SAM Library DLL
USERENV.DLL 7c0f0000 409600 C:\WINNT\system32\USERENV.DLL 5.00.2195.7002 Userenv
mydocs.dll 76df0000 69632 C:\WINNT\system32\mydocs.dll 5.00.3502.6601 My Documents Folder UI
MPR.DLL 76620000 69632 C:\WINNT\system32\MPR.DLL 5.00.2195.6824 Multiple Provider Router DLL
ntlanman.dll 75160000 49152 C:\WINNT\System32\ntlanman.dll 5.00.2195.6824 Microsoft® Lan Manager
NETUI0.dll 75210000 86016 C:\WINNT\System32\NETUI0.dll 5.00.2195.6601 NT LM UI Common Code - GUI Classes
NETUI1.dll 751d0000 229376 C:\WINNT\System32\NETUI1.dll 5.00.2134.1 NT LM UI Common Code - Networking classes
NETSHELL.dll 76f20000 487424 C:\WINNT\system32\NETSHELL.dll 5.00.2195.6604 Network Connections Shell
webcheck.dll 70320000 270336 C:\WINNT\System32\webcheck.dll 5.50.4134.600 Web Site Monitor
stobject.dll 766d0000 98304 C:\WINNT\system32\stobject.dll 5.00.2195.6601 Systray shell service object
BATMETER.DLL 76740000 32768 C:\WINNT\system32\BATMETER.DLL 5.00.3502.6601 Battery Meter Helper DLL
SETUPAPI.DLL 77880000 581632 C:\WINNT\system32\SETUPAPI.DLL 5.00.2195.6622 Windows Setup API
POWRPROF.DLL 766f0000 28672 C:\WINNT\system32\POWRPROF.DLL 5.00.3502.6601 Power Profile Helper DLL
WINMM.DLL 77570000 196608 C:\WINNT\system32\WINMM.DLL 5.00.2161.1 MCI API DLL
MSI.DLL 745e0000 2908160 C:\WINNT\system32\MSI.DLL 3.1.4000.2435 Windows Installer
wdmaud.drv 77560000 32768 C:\WINNT\system32\wdmaud.drv 5.00.2195.6673 WDM Audio driver mapper
msacm32.drv 77400000 32768 C:\WINNT\system32\msacm32.drv 5.00.2134.1 Microsoft Sound Mapper
MSACM32.dll 77410000 77824 C:\WINNT\system32\MSACM32.dll 5.00.2134.1 Microsoft ACM Audio Filter
WININET.DLL 70200000 487424 C:\WINNT\system32\WININET.DLL 5.50.4134.600 Internet Extensions for Win32
TAPI32.dll 77530000 139264 C:\WINNT\system32\TAPI32.dll 5.00.2195.6664 Microsoft® Windows(TM) Telephony API Client DLL
browselc.dll 71920000 45056 C:\WINNT\System32\browselc.dll 5.50.4134.600 Shell Browser UI Library
ssv.dll 6d7c0000 495616 C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll 6.0.10.6 Java(TM) Platform SE binary
VERSION.dll 77820000 28672 C:\WINNT\system32\VERSION.dll 5.00.2195.6623 Version Checking and File Installation Libraries
LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2195.6611 LZ Expand/Compress API DLL
MSVCR71.dll 2100000 352256 C:\Program Files\Java\jre1.6.0_01\bin\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library
LgMousHk.dll 2260000 32768 C:\PROGRA~1\MOUSEW~1\SYSTEM\LgMousHk.dll 9.11.62 Logitech Mouse Hook Library
urlmon.dll 70290000 471040 C:\WINNT\system32\urlmon.dll 5.50.4134.600 OLE32 Extensions for Win32
mlang.dll 70420000 557056 C:\WINNT\system32\mlang.dll 5.50.4134.600 Multi Language Support DLL
mshtml.dll 70c30000 2756608 C:\WINNT\System32\mshtml.dll 5.50.4134.600 Microsoft (R) HTML Viewer
shdoclc.dll 718a0000 401408 C:\WINNT\System32\shdoclc.dll 5.50.4134.600 Shell Doc Object and Control Library
MSLS31.DLL 75ac0000 163840 C:\WINNT\system32\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file
msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
webvw.dll 658f0000 1130496 C:\WINNT\System32\webvw.dll 5.00.3900.7009 Shell WebView Content & Control Library
klg.dat 5a000000 122880 C:\Program Files\Spyware Doctor\klg.dat 
es.dll 76290000 249856 C:\WINNT\System32\es.dll 2000.2.3511.0 
TxfAux.Dll 6de80000 409600 C:\WINNT\System32\TxfAux.Dll 2000.2.3511.0 Support routines for TXF
docprop2.dll 71f00000 315392 C:\WINNT\System32\docprop2.dll 5.00.2178.1 DocProp2
MSVFW32.DLL 6a8f0000 131072 C:\WINNT\System32\MSVFW32.DLL 5.00.2195.6612 Microsoft Video for Windows DLL
AVIFIL32.DLL 2eb0000 90112 C:\WINNT\System32\AVIFIL32.DLL 5.00.2195.6612 Microsoft AVI File support library
faxshell.dll 70020000 20480 C:\WINNT\system32\faxshell.dll 5.00.2134.1 Fax Tiff Data Column Provider
SASSEH.DLL 10000000 81920 C:\Program Files\SUPERAntiSpyware\SASSEH.DLL 1, 0, 0, 1008 ShellExecuteHook
USP10.DLL 66650000 344064 C:\WINNT\system32\USP10.DLL 1.0325.2195.6692 Uniscribe Unicode script processor



Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 73728 C:\Program Files\Internet Explorer\iexplore.exe 5.00.2920.0000 Internet Explorer
ntdll.dll 77f80000 507904 C:\WINNT\system32\ntdll.dll 5.00.2195.7006 NT Layer DLL
KERNEL32.dll 7c570000 733184 C:\WINNT\system32\KERNEL32.dll 5.00.2195.7006 Windows NT BASE API Client DLL
USER32.dll 77e10000 389120 C:\WINNT\system32\USER32.dll 5.00.2195.7133 Windows 2000 USER API Client DLL
GDI32.dll 77f40000 245760 C:\WINNT\system32\GDI32.dll 5.00.2195.7133 GDI Client DLL
SHLWAPI.dll 70bd0000 311296 C:\WINNT\system32\SHLWAPI.dll 5.50.4134.600 Shell Light-weight Utility Library
ADVAPI32.dll 7c2d0000 413696 C:\WINNT\system32\ADVAPI32.dll 5.00.2195.7038 Advanced Windows 32 Base API
RPCRT4.dll 77d30000 491520 C:\WINNT\system32\RPCRT4.dll 5.00.2195.7020 Remote Procedure Call Runtime
klg.dat 5a000000 122880 C:\Program Files\Spyware Doctor\klg.dat 
oleaut32.dll 779b0000 634880 C:\WINNT\system32\oleaut32.dll 2.40.4522 
ole32.dll 7ce20000 1052672 C:\WINNT\system32\ole32.dll 5.00.2195.7034 Microsoft OLE for Windows
shdocvw.dll 70fe0000 1159168 C:\WINNT\system32\shdocvw.dll 5.50.4134.600 Shell Doc Object and Control Library
MSVCRT.dll 78000000 282624 C:\WINNT\system32\MSVCRT.dll 6.10.9844.0 Microsoft (R) C Runtime Library
COMCTL32.dll cc0000 565248 C:\WINNT\system32\COMCTL32.dll 5.81 Common Controls Library
SHELL32.dll 7cf30000 2383872 C:\WINNT\system32\SHELL32.dll 5.00.3900.7105 Windows Shell Common Dll
BROWSEUI.dll 71110000 823296 C:\WINNT\system32\BROWSEUI.dll  5.50.4134.600 Shell Browser UI Library
CLBCATQ.DLL 7c950000 589824 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3511.0 
browselc.dll 71920000 45056 C:\WINNT\system32\browselc.dll 5.50.4134.600 Shell Browser UI Library
WININET.DLL 70200000 487424 C:\WINNT\system32\WININET.DLL 5.50.4134.600 Internet Extensions for Win32
TAPI32.dll 77530000 139264 C:\WINNT\system32\TAPI32.dll 5.00.2195.6664 Microsoft® Windows(TM) Telephony API Client DLL
cscui.dll 77840000 253952 C:\WINNT\system32\cscui.dll 5.00.2195.6705 Client Side Caching UI
CSCDLL.DLL 770c0000 143360 C:\WINNT\system32\CSCDLL.DLL 5.00.2195.6713 Offline Network Agent
LINKINFO.DLL 76710000 36864 C:\WINNT\system32\LINKINFO.DLL 5.00.2195.7009 Windows Volume Tracking
ntshrui.dll 76fa0000 61440 C:\WINNT\system32\ntshrui.dll 5.00.2134.1 Shell extensions for sharing
ATL.DLL 773e0000 86016 C:\WINNT\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
NETAPI32.DLL 7cdc0000 339968 C:\WINNT\system32\NETAPI32.DLL 5.00.2195.7038 Net Win32 API DLL
DNSAPI.dll 77980000 147456 C:\WINNT\system32\DNSAPI.dll 5.00.2195.7003 DNS Client API DLL
WSOCK32.dll 75050000 32768 C:\WINNT\system32\WSOCK32.dll 5.00.2195.6603 Windows Socket 32-Bit DLL
WS2_32.DLL 75030000 81920 C:\WINNT\system32\WS2_32.DLL 5.00.2195.6601 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 75020000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
NETRAP.dll 751c0000 24576 C:\WINNT\system32\NETRAP.dll 5.00.2134.1 Net Remote Admin Protocol DLL
NTDSAPI.dll 77bf0000 69632 C:\WINNT\system32\NTDSAPI.dll 5.00.2195.6666 NT5DS
WLDAP32.DLL 77950000 176128 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.7017 Win32 LDAP API DLL
SECUR32.DLL 7c340000 61440 C:\WINNT\system32\SECUR32.DLL 5.00.2195.6695 Security Support Provider Interface
SAMLIB.dll 75150000 65536 C:\WINNT\system32\SAMLIB.dll 5.00.2195.6944 SAM Library DLL
shdoclc.dll 718a0000 401408 C:\WINNT\system32\shdoclc.dll 5.50.4134.600 Shell Doc Object and Control Library
pxbho.dll 10000000 98304 C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll 1.0.0.3 Prevx Malicious URL Detector
ssv.dll 6d7c0000 495616 C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll 6.0.10.6 Java(TM) Platform SE binary
VERSION.dll 77820000 28672 C:\WINNT\system32\VERSION.dll 5.00.2195.6623 Version Checking and File Installation Libraries
LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2195.6611 LZ Expand/Compress API DLL
MSVCR71.dll 10e0000 352256 C:\Program Files\Java\jre1.6.0_01\bin\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library


----------
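An added example, not part of the original thread: one way to triage a module listing like the PV log above is to parse it and list the modules each process loaded from outside the Windows directory, since those third-party hooks are the first things to review. The function names, the `USUAL_EXTS` set and the scoring are assumptions made for this sketch; the sample rows are an excerpt copied from the posted listing.

```python
import re
from ntpath import splitext  # Windows path rules, usable on any OS

SYSTEM_ROOT = "c:\\winnt\\"            # Windows directory used in the posted log
USUAL_EXTS = {".dll", ".exe", ".drv"}  # assumption: extensions expected for loaded modules

# Excerpt copied from the module listing posted above (not the full log).
SAMPLE = r"""
Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 400000 253952 C:\WINNT\Explorer.EXE
ntdll.dll 77f80000 507904 C:\WINNT\system32\ntdll.dll 5.00.2195.7006 NT Layer DLL
ssv.dll 6d7c0000 495616 C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll 6.0.10.6 Java(TM) Platform SE binary
LgMousHk.dll 2260000 32768 C:\PROGRA~1\MOUSEW~1\SYSTEM\LgMousHk.dll 9.11.62 Logitech Mouse Hook Library
klg.dat 5a000000 122880 C:\Program Files\Spyware Doctor\klg.dat
SASSEH.DLL 10000000 81920 C:\Program Files\SUPERAntiSpyware\SASSEH.DLL 1, 0, 0, 1008 ShellExecuteHook

Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 73728 C:\Program Files\Internet Explorer\iexplore.exe 5.00.2920.0000 Internet Explorer
klg.dat 5a000000 122880 C:\Program Files\Spyware Doctor\klg.dat
pxbho.dll 10000000 98304 C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll 1.0.0.3 Prevx Malicious URL Detector
"""

HEADER = re.compile(r"^Module information for '(.+)'$")
ROW = re.compile(r"^(\S+)\s+([0-9a-fA-F]+)\s+(\d+)\s+(.+)$")


def parse_listing(text):
    """Return {process: [module dict, ...]} from a PV-style module listing."""
    procs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            procs.setdefault(current, [])
            continue
        m = ROW.match(line)
        if not m or current is None:
            continue  # blank line or the MODULE/BASE/SIZE/PATH column header
        name, base, size, rest = m.groups()
        # Paths contain spaces, so the path is taken to end at "\<module name>";
        # whatever follows is the version string and description.
        end = rest.lower().rfind("\\" + name.lower())
        if end < 0:
            continue
        end += 1 + len(name)
        procs[current].append({
            "name": name, "base": int(base, 16), "size": int(size),
            "path": rest[:end], "info": rest[end:].strip(),
        })
    return procs


def triage(procs):
    """List modules loaded from outside SYSTEM_ROOT, most reasons first."""
    findings = {}
    for proc, modules in procs.items():
        for mod in modules:
            path = mod["path"].lower()
            if mod["name"].lower() == proc.lower() or path.startswith(SYSTEM_ROOT):
                continue  # the process's own image, or a module from the Windows directory
            entry = findings.get(path)
            if entry is None:
                reasons = ["loaded from outside " + SYSTEM_ROOT]
                ext = splitext(path)[1]
                if ext not in USUAL_EXTS:
                    reasons.append("unusual extension " + ext)
                if not mod["info"]:
                    reasons.append("no version or description shown in the listing")
                entry = findings[path] = {"path": mod["path"], "processes": [], "reasons": reasons}
            entry["processes"].append(proc)
    return sorted(findings.values(),
                  key=lambda f: (-len(f["reasons"]), -len(f["processes"]), f["path"].lower()))


if __name__ == "__main__":
    for f in triage(parse_listing(SAMPLE)):
        print(f["path"], "|", ", ".join(f["processes"]), "|", "; ".join(f["reasons"]))
```

A module that ranks high here is a candidate for review, not a verdict: security products and input drivers legitimately load into Explorer and Internet Explorer.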



## JSntgRvr (Jul 1, 2003)

Hi, *EssenceRare* 

I find nothing wrong in those logs. I will consult this issue with a colleague who is a Windows Shell Expert, and will get back to you.

I am under the impression that it is a small setting causing this issue. Don't do anything yet. I'll be back with you.


----------



## JSntgRvr (Jul 1, 2003)

Download Windows Script 5.6 for Windows 2000 and see if that makes a difference:

http://www.microsoft.com/downloads/...43-7E4B-4622-86EB-95A22B832CAA&displaylang=en


----------



## EssenceRare (Aug 2, 2007)

5.6 did at least install but I still have the problem. I also tried installing IE6 again but that will still not install.

I am not sure if this is relevant but when I ran the last batch jobs I ran them from explorer (by opening it during windows start-up). Could that affect the results?


----------



## Rollin' Rog (Dec 9, 2000)

Some questions:

1 >


> If I try to run explorer during the pc start up it works but once the pc has fully started it never works. Sometimes this error applies to other applications as well (e.g. if I try to open 2 versions of Firefox it sometimes errors).


Are you here referring to Explorer the "file manager" -- analogous to "My Computer"? What happens if you navigate files using the latter?

2 > when did this problem begin? Any prior software installs, configuration changes or other coincident issues?

3 > I see you are using Internet Connection Sharing and yet you also seem to have broadband or Wifi? What's up with this?

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe

Is anyone else networked to the computer in any way?

4 > If you do a "Safe Mode" boot without Networking, do you have the same problem? If not, how about with Networking?


----------



## EssenceRare (Aug 2, 2007)

Hi Rollin Rog,

Thanks for your interest. I will try to answer your questions to the best of my ability.

1/. By explorer I meant 'Windows Explorer' as activated from the Start menu or by directly typing 'explorer' in the run command box. If I navigate to file manager via the 'My Computer' desktop icon it works fine (to be honest I had not even thought of trying this).

2/. This is where it starts to get complicated. The pc belongs to my wife and I only noticed that there was a problem when she complained about poor performance a week ago and then reported that AVG had found some trojans (which it healed) but the same ones kept returning (unfortunately she did not keep a note of what they were). Whilst investigating the issue I downloaded a number of anti-spyware programs (e.g. SuperAntiSpyware) but the various scans did not reveal anything. I have tried to see what has recently been installed on the machine and the only things I can find are some Microsoft security updates and some software for a broadband modem (Thomson Speedtouch - see 3 below for more about this).

3/. This is where my ignorance will become even more apparent. At our home we use a wifi broadband connection but we are currently staying at a friend's place for a few months where we are using his ADSL line via a USB port connection to a Thomson modem. Does this answer your question? I am not sure what you mean by 'Internet Connection Sharing'.
No one is networked to the computer (as far as I am aware).

4/. In Safe mode I don't have the problem - I will test it without networking and let you know.

Sorry for my lack of knowledge.


----------



## Rollin' Rog (Dec 9, 2000)

Instead of typing "explorer" in the run command, open the Start Menu > Accessories and look for "Explorer" there.

Or use My Computer to navigate to C:\WINNT\Explorer.EXE and open it from there.

If no issues, right click on it and send it to the desktop as a shortcut.

Do a file search for "explorer" and see if there are any copies not in the c:\winnt folder.

Beware of anything not in the winnt folder or which has a .com or extension other than .exe. Right click on anything suspicious and select Properties > Version and see if it has a Microsoft copyright.

We'll ignore the internet connection sharing issue for now, I'm not sure whether you need it at your friend's house or not. Do they not have a router you can connect to?

Finally, did the problem with "explorer" begin before or after installing new antispyware programs? Which ones if so?


----------



## JSntgRvr (Jul 1, 2003)

Use the enclosed file. Overwrite the previous one. This batch file will give you a list of files that start with Explorer.


----------



## EssenceRare (Aug 2, 2007)

Hi,

Start > Programs > Accessories > Windows Explorer does not work (same error)

If I double click on c:\winnt\explorer.exe (via My Computer) it does not work (same error)

However there is a Windows Explorer command file (c:\winnt\explorer). If I double click on that, explorer is launched (after a couple of seconds).

There are no versions of explorer.exe outside of the c:\winnt directory.

I am not completely certain but I think this issue started before I downloaded any spyware.

I raised this call originally because I thought this was a symptom of a bigger (more sinister) issue but are you suggesting that it might just be a problem with explorer?

Finally, our friend does not have a router.

Thanks for your help.


----------



## EssenceRare (Aug 2, 2007)

Hi JSntgRvr  

I ran the Locate Files batch file and this is the result:

"C:\WINNT\explorer.scf" 80 08/05/01 14:00 
"C:\WINNT\explorer.exe" 243472 19/06/03 12:05 
"C:\WINNT\$NtServicePackUninstall$\explorer.exe" 242960 08/05/01 14:00 
"C:\WINNT\ServicePackFiles\i386\explorer.exe" 243472 19/06/03 12:05 
"C:\I386\EXPLORER.EX_" 93503 08/05/01 14:00 
"C:\I386\EXPLORER.SC_" 181 08/05/01 14:00 

As I mentioned before I have just discovered that if I double click on the Windows Explorer Command file it launches ok but if I double click directly on the explorer.exe I get the original error.


----------



## Rollin' Rog (Dec 9, 2000)

And you've verified this problem does not occur if you start in Safe Mode?

What about if you disconnect from the modem and reboot? No internet connectivity?

Let's try a couple of tests.

Open the Task Manager and terminate all processes with a User Name EXCEPT "Explorer".

Now if you open Explorer does the error occur?

You will have to reboot to re-enable the startups.

We can also try "clean boot" troubleshooting -- but you will have to "install" msconfig and use it much as one would in XP.

http://www2.whidbey.net/djdenham/Msconfig.htm

In clean booting you would essentially follow the instructions here -- being careful to HIDE all Microsoft services before disabling other services.

Run *msconfig* and select the "Services" tab. *Check "Hide Microsoft Services"* and then disable the rest. Also uncheck "load startup group" on the general page.

See this link for detailed information:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;310353

Now restart and test the issue at hand

If no problems, run *msconfig* and recheck half the disabled items on the Services tab. Test again. If the problem recurs, UNcheck half the items you just checked to narrow down the culprit.

If the problem didn't occur, check the other half, so all the Services are enabled -- proceed to do this on the startup tab as well.

Get the idea? You want to isolate the problem to a specific startup if possible.

Note: if you already have items unchecked under msconfig > startups and are in "selective" startup mode - you should note what these are before beginning. They will need to be de-selected again.


----------



## EssenceRare (Aug 2, 2007)

Hi Rollin Rog,

Sorry, I realised that I did not answer all of your questions before. It does work in safe mode but does not work if I restart the computer normally with no internet connection.

I am not quite sure what you mean about terminating processes with a User Name except explorer. I did start to end some processes but it appeared that some were essential and another (lsass.exe I think) caused the computer to re-boot.

I did try out the clean boot troubleshooting that you suggested. When disabling all services explorer works but when I enabled half of the services I hit a userinit.exe - application error (The application failed to initialize properly (0xc0000043)...) and the pc would not start at all. The wife has now told me that she has seen this error before except that it usually continues to start up after encountering it.

Unfortunately I am running out of time because I need to go away for a few days so please do not spend any more time on this. When I get back I will experiment some more with the clean boot troubleshooting and if that does not reveal anything I will re-build.

Thanks for all your help


----------



## Rollin' Rog (Dec 9, 2000)

"User Name" simply means processes that are owned by the logged on user or programs installed by that person. You will see a "user name" after all NON-System processes, including Explorer.


I don't know what's up with the "userinit" error -- you did hide the "microsoft" services before disabling others -- yes?


Try starting in Last Known Good Configuration or in Safe Mode. You may need to choose the built-in Administrator account.

Good luck, when you are ready to continue, just PM me.


----------



## JSntgRvr (Jul 1, 2003)

The userinit entry in the registry is an important entry in the logon process. We haven't reviewed that entry.

Download the enclosed folder. Save and extract its content in the *Win2Kquery* folder downloaded earlier. It won't work on the desktop. Once extracted, double-click on the Query_2.bat file and post the report it will produce.


----------



## EssenceRare (Aug 2, 2007)

Hi JSntgRvr,

I have run the batch file that you sent to me and the results are listed at the bottom of this post.

One thing that I have noticed is that the 'userinit.exe - Application error' usually occurs if I start the pc but do not enter the Administrator password straight away (i.e. leave it at the log in screen for a couple of minutes). Doing this usually causes this error and sometimes others.

As I mentioned to Rollin' Rog earlier I have to go away for a few days so won't be able to work on this so please treat this as low priority or ignore it altogether until I am back.

Many Thanks  


SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
AutoRestartShell	REG_DWORD 1 (0x1)
DefaultUserName	REG_SZ Administrator
LegalNoticeCaption	REG_SZ 
LegalNoticeText	REG_SZ 
PowerdownAfterShutdown	REG_SZ 0
ReportBootOk	REG_SZ 1
Shell	REG_SZ Explorer.exe
ShutdownWithoutLogon	REG_SZ 1
System	REG_SZ 
Userinit	REG_SZ C:\WINNT\system32\userinit.exe,
VmApplet	REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota	REG_DWORD -1 (0xffffffff)
allocatecdroms	REG_SZ 0
allocatedasd	REG_SZ 0
allocatefloppies	REG_SZ 0
cachedlogonscount	REG_SZ 10
passwordexpirywarning	REG_DWORD 14 (0xe)
scremoveoption	REG_SZ 0
DebugServerCommand	REG_SZ no
SFCDisable	REG_DWORD 0 (0x0)
ShowLogonOptions	REG_DWORD 1 (0x1)
AltDefaultUserName	REG_SZ Administrator
AltDefaultDomainName	REG_SZ RORAIMA02
AutoAdminLogon	REG_SZ 0
DefaultDomainName	REG_SZ RORAIMA02
BufferPolicyReads	REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify


----------



## Rollin' Rog (Dec 9, 2000)

I don't have too much for you at this point in any event except to see why the problem does not occur in Safe Mode.

This involves disabling or terminating startups and services not related to Microsoft Windows itself on a selective basis and narrowing them down if the problem does not occur.

Seems like you were on your way to doing that when the "userinit" error occurred.


----------



## EssenceRare (Aug 2, 2007)

Hi JSntgRvr & Rollin' Rog,

I think I may have fixed it (by accident). I noticed that Spyware Doctor was using a lot of memory and CPU all the time so I decided to uninstall it. Now the pc seems to work fine and explorer launches without any errors although I have not had much time to test everything yet. Spyware Doctor had been running on the machine for over a year without any problems but of course it does update itself every now and again - do you think that one of the updates could have failed and caused the problems that I have been having?

Can you recommend any anti-spyware products to try?

Once again thanks for all your help - I will raid the wife's paypal to send you a donation.
Regards


----------



## JSntgRvr (Jul 1, 2003)

Seems that Spyware Doctor hooked these programs. Try *SuperAntispyware*.

Download *Superantispyware (SAS)*

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click *Yes*.
Under *Configuration and Preferences*, click the *Preferences* button.
Click the *Scanning Control* tab.
Under *Scanner Options* make sure the following are checked:
Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining.
Please leave the others unchecked.
Click the Close button to leave the control center screen.

On the main screen, under *Scan for Harmful Software* click *Scan your computer*.
On the left check *C:\Fixed Drive*.
On the right, under *Complete Scan*, choose *Perform Complete Scan*.
Click *Next* to start the scan. *Please be patient while it scans your computer*.
After the scan is complete a summary box will appear. Click *OK*.
Make sure everything in the white box has a check next to it, then click *Next*.
It will quarantine what it found and if it asks if you want to reboot, click *Yes*.
To retrieve the removal information, please do the following:
After reboot, double-click the *SUPERAntispyware* icon on your desktop.
Click Preferences. Click the Statistics/Logs tab.
Under Scanner Logs, double-click *SUPERAntiSpyware* Scan Log.
It will open in your default text editor (such as Notepad/Wordpad).
Please highlight everything in the notepad, then right-click and choose copy.

Click close and close again to exit the program.
Please paste that information in your next reply.


----------



## EssenceRare (Aug 2, 2007)

Hi JSntgRvr,

Just when I thought I was out of the woods the SAS scan has found some trojans (see log below). Thankfully SAS reported that it was able to remove all of them.

Is that it? Or are there other checks that I need to do?

Thanks & Regards 

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/07/2007 at 09:22 PM

Application Version : 3.9.1008

Core Rules Database Version : 3280
Trace Rules Database Version: 1291

Scan type : Complete Scan
Total Scan Time : 00:50:59

Memory items scanned : 341
Memory threats detected : 1
Registry items scanned : 4009
Registry threats detected : 3
File items scanned : 29324
File threats detected : 3

Trojan.Downloader-Gen
C:\WINNT\SYSTEM32\URDVXC.EXE
C:\WINNT\SYSTEM32\URDVXC.EXE
HKLM\System\ControlSet001\Services\MSWindows
HKLM\System\ControlSet002\Services\MSWindows
HKLM\System\CurrentControlSet\Services\MSWindows

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt


----------



## JSntgRvr (Jul 1, 2003)

Hi, *EssenceRare* 



> Just when I thought I was out of the woods the SAS scan has found some trojans (see log below). Thankfully SAS reported that it was able to remove all of them.


Different programs will detect different variants. No way to control that.

*Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.*

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
*Spybot Search & Destroy* - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

*IE-SpyAd* - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

*CleanUP*! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

*Trillian* or *Miranda-IM* - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read *this* article by Tony Klein.

Click *Here* for some advice from our security Experts.

Please use the thread's Tools and mark this thread as "*Solved*".

Best wishes!


----------

