May have Virus/Spyware/Aliens? or IE Hijacked
Join Date: Jul 2004
Posts: 2,964
Solved Threads: 210
Dave is right: AVG and AdAware are both good programs, and you need to have an antivirus program installed. Spybot is a good program too; hopefully it'll get easier to use once your system gets cleaned up. I don't know why all that stuff came back; hopefully Dave's way will work.
As for SP2, do not install it until after your system has been cleaned up; it will only magnify the problems. You should, however, make sure you have all the other critical updates. After your computer is clean, check this thread to help you decide whether or not to upgrade to SP2:
http://www.daniweb.com/techtalkforums/thread10031.html
Also, SpywareBlaster is another good program to have.
Links to help you help yourself :
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
:rolleyes: Ok, I have a few questions:
you said to:
alt + ctrl + del
end the following processes:
C:\WINDOWS\System32\winupd.exe
C:\WINDOWS\System32\winxp2.exe
C:\WINDOWS\System32\svcload.exe
C:\WINDOWS\System32\syswin32.exe
and
Basically we need to remove any instances of the following files:
winupd.exe, winxp2.exe, syswin32.exe, spoolcsv.exe and svcload.exe. So if you see them anywhere else in your log, tick them.
1)What are these?
2)Why should I delete them?
3)Aren't they essential to Windows?
I'm a little nervous about deleting things after accidentally deleting spoolsv.exe instead of spoolcsv.exe. I was very blurry-eyed when I did it and they are all starting to look the same to me.
I looked in my recycle bin for spoolsv.exe and it's gone.
1) Is there somewhere I can download it to get it back?
2) If not, is it essential?
I have Ad-Aware 6.0 Personal. A friend sent it to me and it's been great. Is the one you mentioned better or are they the same?
My computer is running a lot better. My pages are loading without errors, pics are showing up, and I haven't had one instance of that dreaded "Page cannot be displayed. The page you are looking for is currently unavailable."
I found PC-cillin on Trend Micro's website. I'm thinking of running the free scan and then downloading the free evaluation version for future use. Good idea or not?
I haven't put system restore back yet. I was waiting until I know I'm nasty free. Good Idea or not?
I want to thank all of you for helping me. You people have been the best. You have been so patient with me. I know almost nothing about what I have been doing nor about viruses/trojans/spyware. I'm slowly learning that Nyquil will not cure these things..... :lol:
I would say I'm almost there. Things are better than they were when I first started this thread, so it looks like things are looking up and I have you guys to thank.
I'll check back later today and check out the answers to my questions. Then I'll do the next set of cleanup stuff that was suggested. I'm falling asleep here..... :lol:
One more thing. While typing this, Spybot detected that something called "Avenue A" (a known threat) was trying to download. Spybot asked me if I wanted to block this and I said YES. This came up 5 times.
1)What is "Avenue A"?
Cheers'
Meredith
(mereannjen@yahoo.com)
Last edited by Mereannjen; Dec 3rd, 2004 at 8:50 am. Reason: Wanted to add something.....
lol they are virus files. Virus writers are now naming files to look like system files, which is probably why you're worried. Anyway, if you google them all, you come up with the following info:
C:\WINDOWS\System32\winupd.exe - created by the bagle worms.
http://www.sysinfo.org/startuplist.p...ter=winupd.exe
http://www.trendmicro.com/vinfo/viru...ame=PE_BAGLE.P
You might actually want to try Symantec's free removal tool: http://securityresponse.symantec.com...oval.tool.html
C:\WINDOWS\System32\winxp2.exe
maybe http://sarc.com/avcenter/venc/data/p...howbehind.html
In any case, other people are recommending its removal: http://216.239.59.104/search?q=cache...nxp2.exe&hl=en
http://www.google.com/search?hl=en&l...xe&btnG=Search
C:\WINDOWS\System32\svcload.exe
http://www.google.com/search?hl=en&lr=&q=svcload.exe
If it was legit then LIUtilities would be top of the list. As it is, there is simply a much reduced list, and every time it occurs it is in a HJT log and marked to be removed. So...
C:\WINDOWS\System32\syswin32.exe
http://startup.iamnotageek.com/srch-syswin32.exe.html
http://computercops.biz/startuplist-5439.html
And spoolcsv.exe (though it's not a running process)
http://www.google.com/search?&q=spoolcsv.exe
Originally Posted by Mereannjen
I looked in my recycle bin for spoolsv.exe and it's gone.
1) Is there somewhere I can download it to get it back?
2) If not, is it essential?
I have Ad-Aware 6.0 Personal. A friend sent it to me and it's been great. Is the one you mentioned better or are they the same?
My computer is running a lot better. My pages are loading without errors, pics are showing up, and I haven't had one instance of that dreaded "Page cannot be displayed. The page you are looking for is currently unavailable."
I found PC-cillin on Trend Micro's website. I'm thinking of running the free scan and then downloading the free evaluation version for future use. Good idea or not?
http://www.pandasoftware.com/actives..._principal.htm
I haven't put system restore back yet. I was waiting until I know I'm nasty free. Good Idea or not?
I want to thank all of you for helping me. You people have been the best. You have been so patient with me. I know almost nothing about what I have been doing nor about viruses/trojans/spyware. I'm slowly learning that Nyquil will not cure these things..... :lol:
I would say I'm almost there. Things are better than they were when I first started this thread, so it looks like things are looking up and I have you guys to thank.
I'll check back later today and check out the answers to my questions. Then I'll do the next set of cleanup stuff that was suggested. I'm falling asleep here..... :lol:
One more thing. While typing this, Spybot detected that something called "Avenue A" (a known threat) was trying to download. Spybot asked me if I wanted to block this and I said YES. This came up 5 times.
1)What is "Avenue A"?
Cheers'
Meredith
(mereannjen@yahoo.com)
Under the "Immunize" section of SpyBot's settings, put a check mark in the "Enable permanent blocking of bad addresses..." box and choose "Block all pages silently" from the pull-down menu.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
:surprised Ok guys, here is the latest:
I ran Panda Active Scan and it found Sasser.B Worm. I used the link they gave me to update my Windows Security for that and all the other security updates as well. I figured why not since I was already there.
I also downloaded PQ Remote for Sasser.B Worm from Panda and had it remove it. It was in Windows/System32/lsass.exe. I just checked and lsass.exe is still there. Should I delete it and all instances of it?
I then scanned my whole computer with Housecall PC-cillin. It found nothing.
I then scanned with Spyware Doctor and it found nothing. I also checked for updates for it and there weren't any yet.
I then scanned with Spybot S&D and it found 4 entries for "FunWeb Products". I did have Cursor Mania at one time, but uninstalled it. Looks like I might have some of it remaining. They are in a Recovery folder. I found it along with all of the DSO Exploits Spybot has ever found. It looks like this folder is for all the bad things Spybot has ever found. Should I delete the whole folder?
I then ran AVG and it found nothing. By the way, AVG never found the Sasser.B Worm.
I did another Hijack This and here is the log:
Logfile of HijackThis v1.98.2
Scan saved at 12:13:57 AM, on 12/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\svcnhost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Meredith\Local Settings\Temporary Internet Files\Content.IE5\SIYMAG98\WindowsXP-KB835732-x86-ENU[1].EXE
c:\5604a1a333c461e9f902f4d5cf8104\xpsp1hfm.exe
c:\5604a1a333c461e9f902f4d5cf8104\sp2\update\update.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Meredith\My Documents\MY PROGRAMS 1\HIJACK THIS\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\Run: [svcnhost] svcnhost.exe
O4 - HKLM\..\Run: [Win32 SSL Driver] winssv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [svcnhost] svcnhost.exe
O4 - HKLM\..\RunServices: [Win32 SSL Driver] winssv.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://www.daniweb.com
O15 - Trusted Zone: http://free.grisoft.com
O15 - Trusted Zone: http://www.spywareinfo.com
O15 - Trusted Zone: http://securityresponse.symantec.com
Everything is running great, but I'll wait until you analyze that log before I put on system restore again. All the problems I mentioned in my first thread are all gone. No reoccurrences either. You guys are the best. I'm telling all of my family and friends about you and DaniWeb!!!
Questions:
1) What do you think of Incredimail? I had it for about a year before all this mess started. I really loved it and never had any problems with it. Is it ok to use? Are there any nasties that might come with it?
Also, and this is a question from a friend...
1)Any free websites or downloads for free cursors that have no problem with nasties? He used Cursor Mania like I did and got a few spyware problems with My Web Search Toolbar that comes with it.
I think that's it. Thanks guys. ((((HUGE HUGS)))) Looks like I can keep my comp for a few more years. I didn't really want to have to throw it into a deep dark well. It was a Christmas present from a close friend.... :lol:
Thanks For All Your Help Dave, DMR, dlh6213, Sphyenx and Nexonflux....
Meredith
(mereannjen@yahoo.com)
Last edited by Mereannjen; Dec 4th, 2004 at 1:52 am. Reason: Forgot to sign it
Your log indicates that you still have problems, and those problems are not the same as the originals. You've either gotten further infections (not unusual) or the infections that you originally had have "morphed" (also not unusual).
I need to log off now, but hopefully one of our other members will pick up on this shortly. If not, I'll repost here tomorrow.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Don't delete Windows/System32/lsass.exe; the worm should be gone, and you can scan with Panda again to make sure. Not all AV programs find everything; unfortunately PCs don't like to run with more than one AV installed, which is why the free online scans (like Panda and TrendMicro) are so useful.
If you haven't done so already, get SpywareBlaster (link in DMR's signature), update it, and have it 'enable all protection.' This may help prevent reinfections.
Wait for advice from someone else before deleting the Spybot folder you mentioned -- I'm not sure how Spybot works, but this may be where it keeps its 'Immunize' files.
Don't turn System Restore back on just yet -- almost there though
It may have just been a coincidence, but I tried Incredimail once and immediately after that started having problems. (Oddly enough, that's what eventually led me to DaniWeb.) I know there are people that have used it for a long time though with no problems so I'm not going to tell you it's not safe.
I see you got the spoolsv.exe back
You need to empty all the Temp and Temporary Internet folders for all users on the computer.
Now for your log. Close all browser windows, scan with HJT and have it fix the following entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\Run: [svcnhost] svcnhost.exe
O4 - HKLM\..\Run: [Win32 SSL Driver] winssv.exe
O4 - HKLM\..\RunServices: [svcnhost] svcnhost.exe
O4 - HKLM\..\RunServices: [Win32 SSL Driver] winssv.exe
Reboot and then do a search for each of these:
syswin32.exe
svcnhost.exe
winssv.exe
If they're not gone, let us know where they are located in your next post.
I'm a bit curious about this: C:\Program Files\Windows NT\Accessories\WORDPAD.EXE, because of the capital letters; the way I normally see it is C:\Program Files\Windows NT\Accessories\wordpad.exe. Does anyone know if this is a problem?
Once again, make sure all browser windows are closed, scan with HJT, and post a new log.
If you haven't done so already, get SpywareBlaster (link in DMR's signature), update it, and have it 'enable all protection.' This may help prevent reinfections.
Wait for advice from someone else before deleting the Spybot folder you mentioned -- I'm not sure how Spybot works, but this may be where it keeps it's 'Immunize' files.
Don't turn System Restore back on just yet -- almost there though

It may have just been a coincidence, but I tried Incredimail once and immediately after that started having problems. (Oddly enough, that's what eventually led me to DaniWeb.) I know there are people that have used it for a long time though with no problems so I'm not going to tell you it's not safe.
I see you got the spoolsv.exe back

You need to empty all the Temp and Temporary Internet folders for all users on the computer.
Now for your log. Close all browser windows, scan with HJT and have it fix the following entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\Run: [svcnhost] svcnhost.exe
O4 - HKLM\..\Run: [Win32 SSL Driver] winssv.exe
O4 - HKLM\..\RunServices: [svcnhost] svcnhost.exe
O4 - HKLM\..\RunServices: [Win32 SSL Driver] winssv.exe
Reboot and then do a search for each of these:
syswin32.exe
svcnhost.exe
winssv.exe
svcnhost.exe
winssv.exe
If they're not gone, let us know where they are located in your next post.
I'm a bit curious about this: C:\Program Files\Windows NT\Accessories\WORDPAD.EXE, because of the capital letters; the way I normally see it is C:\Program Files\Windows NT\Accessories\wordpad.exe. Does anyone know if this is a problem?
Once again, make sure all browser windows are closed, scan with HJT, and post a new log.
Links to help you help yourself :
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
They are in a Recovery folder. I found it along with all of the DSO Exploits Spybot has ever found. It looks like this folder is for all the bad things Spybot has ever found. Should I delete the whole folder?
What is the exact location of the Recovery folder you mentioned? If you can tell us that, we can tell you for sure if you should delete it or not.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
:p Hello everyone! It's that time again....time to play What's In That HJT Log? Our lucky contestants today are:
The Marsupial Moderator
Dave
Let's see who gets to go first.....
Logfile of HijackThis v1.98.2
Scan saved at 2:28:02 AM, on 12/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\INCRED~1\bin\ImNotfy.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Meredith\My Documents\MY PROGRAMS\HIJACK THIS\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://www.daniweb.com
O15 - Trusted Zone: http://free.grisoft.com
O15 - Trusted Zone: http://www.spywareinfo.com
O15 - Trusted Zone: http://securityresponse.symantec.com
O15 - Trusted Zone: http://*.tomcoyote.org
O15 - Trusted Zone: http://www.trendmicro.com
O16 - DPF: {1223B679-3A38-4EB0-A170-A58F703ACCA5} (ImStarter Class) - http://www2.incredimail.com/contents...il_install.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101714994263
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents...1/imloader.cab
As for the rest of the stuff:
syswin32.exe----gone
svcnhost.exe---gone
winssv.exe----gone
svcnhost.exe-----C:/WINDOWS/Prefetch
C:/WINDOWS/system32
winssv.exe--C:/RECYCLER/S-1-5-21-842925246-813497703-1343024091-1004
C:/RECYCLER/S-1-5-21-842925246-813497703-1343024091-500
C:/RECYCLER/S-1-5-21-1801674531-436374069-854245398-1003
Recycle Bin
(I got this when trying to delete the winssv.exe: Error Deleting File or Folder Message: cannot delete file: Cannot read from the source file or disk.)
The other (svcnhost.exe) deleted easily. They went right into my trash bin.
Thanks for playing What's In That HJT Log? Winners will be posted tomorrow.....
Meredith
(mereannjen@yahoo.com)
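Two things in this exchange are easy to get wrong when reading a HijackThis log by eye: the O4 entries the helper singled out (syswin32.exe, svcnhost.exe, winssv.exe) all give a bare filename with no directory, so Windows finds them through its search path rather than a fixed location, and the search hits in the reply above mix a live copy (system32), an execution trace (Prefetch) and deleted copies (RECYCLER). The script below is an added example written for this page, not a tool from the thread or from the HijackThis project. It parses O4 lines, flags bare-filename entries, cross-references them with the "Running processes" section to show where such a file is actually executing from, and labels search hits by what they mean. All sample input is constructed (modelled on the log in this thread; the Prefetch hash in the .pf name is made up), and the "bare filename" heuristic is a triage aid, not a verdict: GWMDMMSG.exe in this log is the same shape but is a legitimate modem helper.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input, modelled on the HijackThis log posted in this thread:
# a handful of O4 autostart entries (the three the helper asked to fix, plus a
# few legitimate ones) and some "Running processes" lines with full paths.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe",
    r"O4 - HKLM\..\Run: [svcnhost] svcnhost.exe",
    r"O4 - HKLM\..\Run: [Win32 SSL Driver] winssv.exe",
    r"O4 - HKLM\..\RunServices: [svcnhost] svcnhost.exe",
    r"O4 - HKLM\..\RunServices: [Win32 SSL Driver] winssv.exe",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r'O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background',
]
SAMPLE_RUNNING = [
    r"C:\WINDOWS\System32\igfxtray.exe",
    r"C:\WINDOWS\GWMDMMSG.exe",
    r"C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe",
    r"C:\Program Files\MSN Messenger\MsnMsgr.Exe",
]
# Constructed file-search hits in the shape of the locations reported in the
# reply above (the hash in the Prefetch file name is invented).
SAMPLE_HITS = [
    r"C:\WINDOWS\Prefetch\SVCNHOST.EXE-0A1B2C3D.pf",
    r"C:\WINDOWS\system32\svcnhost.exe",
    r"C:\RECYCLER\S-1-5-21-842925246-813497703-1343024091-1004\winssv.exe",
]

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")


@dataclass
class O4Entry:
    hive: str      # HKLM or HKCU
    key: str       # Run, RunServices, ...
    name: str      # the value name shown in [brackets]
    command: str   # full command line as logged
    image: str     # executable part of the command, arguments stripped


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one HijackThis O4 line; return None for any other line type."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    command = command.strip()
    if command.startswith('"'):            # quoted path, may contain spaces
        end = command.find('"', 1)
        image = command[1:end] if end > 0 else command[1:]
    else:                                   # unquoted: first token is the image
        image = command.split()[0] if command else ""
    return O4Entry(hive, key, name, command, image)


def is_bare_filename(image: str) -> bool:
    """True when the entry names only a file, so Windows locates it via the
    search path instead of an explicit directory. That is the shape of the
    syswin32.exe / svcnhost.exe / winssv.exe entries in this thread."""
    return bool(image) and not any(c in image for c in "\\/:")


def triage_o4(o4_lines: List[str], running: List[str]) -> List[dict]:
    """Flag bare-filename O4 entries and cross-reference each with the
    'Running processes' section; running_as is the full path if the file is
    currently executing, else None (e.g. the process was already ended)."""
    by_basename: Dict[str, str] = {}
    for p in running:
        base = p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        by_basename.setdefault(base, p)
    findings = []
    for line in o4_lines:
        entry = parse_o4(line)
        if entry is None or not is_bare_filename(entry.image):
            continue
        findings.append({
            "hive": entry.hive, "key": entry.key, "name": entry.name,
            "image": entry.image,
            "running_as": by_basename.get(entry.image.lower()),
        })
    return findings


def classify_hit(path: str) -> str:
    """Label a file-search hit so leftovers are read correctly: a Prefetch .pf
    file is a trace that the program ran, not the program; a RECYCLER hit is a
    deleted copy; a copy under the Windows directory is the live one."""
    p = path.replace("/", "\\").lower()
    if "\\prefetch\\" in p and p.endswith(".pf"):
        return "prefetch trace (evidence the program ran; not the binary itself)"
    if "\\recycler\\" in p or "\\recycled\\" in p:
        return "deleted copy in Recycle Bin (empty the bin to remove it)"
    if "\\windows\\" in p:
        return "live copy under the Windows directory"
    return "other location"


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES, SAMPLE_RUNNING):
        where = f["running_as"] or "not among running processes"
        print(f'{f["hive"]}\\{f["key"]} [{f["name"]}] {f["image"]} -> {where}')
    for hit in SAMPLE_HITS:
        print(f"{hit} -> {classify_hit(hit)}")
```

On the sample input this reports the three names from the thread as bare entries with no matching running process (consistent with those processes having been ended before the scan), shows GWMDMMSG.exe resolving to C:\WINDOWS\GWMDMMSG.exe, and labels the Prefetch hit as a trace rather than a copy of the program, which is why a "found" svcnhost.exe in C:\WINDOWS\Prefetch does not by itself mean the infection is back.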