tcs.exe running at startup

[tdwil]

HI,
TECH support asked me to post my HJT log here. I am trying to stop TCS.exe from running at startup. When I remove it through regedit some other process puts it back. Here it is and thanks for looking.
Tdwil

Logfile of HijackThis v1.97.7
Scan saved at 10:56:47 AM, on 12/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\EPOAgent\naimag32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\EPOAgent\naimas32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\TDW\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Bin\Tools\SPAM-T~1\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_c...ex/TmHcmsX.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/c...on=4,3,2,20802
O16 - DPF: {6B1B6D11-E497-11D3-BE0C-005004AD2E83} (ImageStation Home Printing Control) - http://www.imagestation.com/common/c...intActiveX.cab
O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://www.hpphoto.com/downloads/DownloadPhotos.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab

[tetonbob]

You are using an outdated version of Hijack This. Please delete your current version and download HijackThis. Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

Please post a new log with the updated version.

[tdwil]

Logfile of HijackThis v1.99.1
Scan saved at 7:12:51 PM, on 12/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\EPOAgent\naimas32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\EPOAgent\naimag32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\TDW\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Bin\Tools\SPAM-T~1\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_c...ex/TmHcmsX.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/c...on=4,3,2,20802
O16 - DPF: {6B1B6D11-E497-11D3-BE0C-005004AD2E83} (ImageStation Home Printing Control) - http://www.imagestation.com/common/c...intActiveX.cab
O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://www.hpphoto.com/downloads/DownloadPhotos.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NAI ePolicy Orchestrator Agent (NAIMAGENT32) - Network Associates, Inc. - C:\EPOAgent\naimas32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

[tetonbob]

Not much showing there....where is this file located? C, C:\Windows, C:\Windows\System32 ??

Let's have you run this relatively swift diagnostic tool:

1. Download combofix.exe to your desktop.
2. Double click on combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

[tdwil]

I see the file in the Task Manager when my system is booting up. I never found it in a folder only when I searched Regedit. In Reg I deleted tcs.exe, tcs.ini & holes.lst If you don't see anything here I will uninstall Trend Micro Internet security 2007 and see if the process stops. Thanks for looking.

TDW - 06-12-05 22:03:00.28 Service Pack 2
ComboFix 06-12-01W-BetaE - Running from: "C:\Documents and Settings\TDW\Desktop\Utl"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Downloaded Program Files\rave


((((((((((((((((((((((((((((((( Files Created from 2006-11-05 to 2006-12-05 ))))))))))))))))))))))))))))))))))


2006-12-05 19:08 <DIR> d-------- C:\Program Files\HijackThis
2006-12-02 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2006-11-22 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google
2006-11-22 09:48 <DIR> d-------- C:\WINDOWS\WBEM
2006-11-22 09:48 <DIR> d-------- C:\WINDOWS\system32\en-US
2006-11-22 09:46 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-11-22 09:44 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-11-22 09:42 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-11-08 19:40 <DIR> d-------- C:\Documents and Settings\TDW\Application Data\Ahead
2006-11-07 21:03 6,049,280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50,688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458,752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 180,736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 03:26 13,312 --a------ C:\WINDOWS\system32\ieudinit.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-05 21:13 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-02 14:03 -------- d-------- C:\Program Files\Trend Micro
2006-11-22 09:59 -------- d-------- C:\Program Files\Google
2006-11-22 09:56 -------- d-------- C:\Program Files\Internet Explorer
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-21 12:26 -------- d-------- C:\Program Files\Greetings Workshop
2006-10-21 12:15 -------- d-------- C:\Program Files\Calendar Creater
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-06 16:43 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"OE"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\TMAS_OE\\TMAS_OEMon.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NaimAgent_UI"="C:\\EPOAgent\\naimag32.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"MediaFace Integration"="C:\\Program Files\\Fellowes\\MediaFACE 4.0\\SetHook.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\pccguide.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,96,00,00,00,00,00,00,00,6a,03,00,00,de,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,96,00,00,00,00,00,00,00,6a,03,00,00,de,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Photo Loader supervisory.lnk"
"backup"="C:\\WINDOWS\\pss\\Photo Loader supervisory.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\CASIO\\PHOTOL~1\\Plauto.exe "
"item"="Photo Loader supervisory"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"="c:\\WINDOWS\\System32\\"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapFax]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CapFax"
"hkey"="HKLM"
"command"="C:\\Program Files\\Classic PhoneTools\\CapFax.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"hkey"="HKCU"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvid]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ossproxy"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\ossproxy.exe -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"hkey"="HKCU"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xzztdizy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZingSpooler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ZingSpooler"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Zing\\ZingSpooler.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Disk Cleanup.job

Completion time: 06-12-05 22:17:03.63

[tetonbob]

I'm curious as to where exactly in the registry you removed these from:

Quote:

In Reg I deleted tcs.exe, tcs.ini & holes.lst

These are files associated with a trojan, and should not necessarily be referenced in the registry other than searches you may have performed.

Have you run a system search for these files to see if they are on the system? Start>Search>All Files and Folders

tcs.exe can also be part of trend's Damage CleanUp Engine, but if those other files were present, I'd have my doubts.

Let's have a deeper look at your startups.

Download StartupList and extract the contents.

Run StartupList.exe, this may take a few minutes. When it's ready, go to File>Save as, and save the report to a location you can find. Post the results here. You'll have to attach the report, as it may be quite large.

[tdwil]

Yes I did run system search on the files that I found in the Reg and they were under Search Assistant in Reg. I am leaning toward the trend's Damage CleanUp Engine that you wrote about. I don't have a problem uninstalling Trend Micro, it has been a system drain since I did the upgrade. I have been looking at Kaspersky Internet Security 6.0 to try. I attached the file you asked for.

tdw

[tetonbob]

Hi tdwil -

Let's have you run one online scan to help us be more certain nothing is lurking, but I do think this tcs.exe is related to Trend.

Establish an internet connection & perform an online scan using Internet Explorer at http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

[tdwil]

Why does it say skipped on all the findings and most are locked.
If the files that it found are infected then I would have thought the Trend scan 2007 would have cleaned them.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, December 07, 2006 7:52:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 7/12/2006
Kaspersky Anti-Virus database records: 249012
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 104443
Number of viruses found: 13
Number of infected objects: 48 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:33:39

Infected Object Name / Virus Name / Last Action
C:\Bin\Apps\FutureDial\futuredial serial numbers.exe/data0002 Infected: not-a-virus:AdWare.Win32.HotSearchBar.d skipped
C:\Bin\Apps\FutureDial\futuredial serial numbers.exe NSIS: infected - 1 skipped
C:\Bin\Backups\Outlook\Outlook.pst/Personal Folders/Sent Items/05 Dec 2005 23:02 to Kendra Williams Juno:for me/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Bin\Backups\Outlook\Outlook.pst/Personal Folders/Sent Items/05 Dec 2005 23:02 to Kendra Williams Juno:for me/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Bin\Backups\Outlook\Outlook.pst/Personal Folders/Sent Items/05 Dec 2005 23:02 to Kendra Williams Juno:for me/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Bin\Backups\Outlook\Outlook.pst/Personal Folders/Sent Items/05 Dec 2005 23:02 to Kendra Williams Juno:for me/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Bin\Backups\Outlook\Outlook.pst/Personal Folders/Sent Items/24 Oct 2006 15:43 to Erica Blashill:Laptop/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Bin\Backups\Outlook\Outlook.pst/Personal Folders/Sent Items/24 Oct 2006 15:43 to Erica Blashill:Laptop/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Bin\Backups\Outlook\Outlook.pst/Personal Folders/Sent Items/24 Oct 2006 15:43 to Erica Blashill:Laptop/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Bin\Backups\Outlook\Outlook.pst/Personal Folders/Sent Items/24 Oct 2006 15:43 to Erica Blashill:Laptop/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Bin\Backups\Outlook\Outlook.pst/Personal Folders/Personal Folders/Work-like/Shop/Ebay/22 Jul 2005 10:20 from eBay Inc:EBAY: UPDATE YOUR ACCOUNT RECORD.rtf Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Bin\Backups\Outlook\Outlook.pst Mail MS Mail: infected - 9 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\080e6967bdef5f2288f67be78eb9e12f_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\141d99277e9729eb91fbef78a4616f1b_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\14b9dbc77f85e97cf8e72ffe247fe23a_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1c3e0e30b33d7a189358782d57f073a5_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\225b3467d8ed9ab4b8135f3daa6362d1_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\25a7f33f9bbd79d5e6da506b31b8a02d_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\297770dff02a059e8b8ef5251ce7265d_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\34b5e5879cfccc78d4f1a0548784ff93_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\385a03850167c97adaaabba5a09cc0c5_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3edd85e417018bee0960162b2391bc5e_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4322c38c21107d44252b367e5a7b8bc5_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\46be9073f3794c607d97c135538e1afd_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\536cd67b13ba6d1e31055e06a26d7323_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\611ad9c4b5dd5f5f3bc18df83746b8c7_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\629041714d3310d3d34313816d60788d_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\650ff4950791fb64db56ac5b9b9a70cd_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6873d854a4362c25b0d534ead0918d52_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6b4247f8f047436a26ddb0e9c6c6b611_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6ee9337f7c0e07cdf58b9884f5b4d119_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\76304b9a40cc5d59b1b8380126b814f0_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7747bdc91978d9a03eb26f3392447daf_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\803d6eb372e11dccf928e1ebb0af2497_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\85b8f35e725a22734dcd0ef4dc249d30_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9ecf31067d8414b0967dbb2206036d45_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a6576086fba36633c8588a6e17b2a2c8_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\aa2841b0a959d7cd9e62844d8cdc4382_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b39ce0969de5002741cf17c43efa914f_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b5adf426a684368a771ea7bae29a4fa1_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bcb8d3796c1cea7b117edeb91dbeae37_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bce1fc81333c74092d13888477f34e4f_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bf40be77a9a9ec340de36ced344bf296_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c65a72b208dc9e1f97479c9cf1f31cc9_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ddabe564e6d0a27b0607ec7d75d2741f_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f8251cb664323c79679d52e20fac5fcf_8ee016bc-38b7-4453-826e-d9b9b1482cbf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\K&J\Desktop\lisa.exe Infected: not-a-virus:Dialer.Win32.gen skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\TDW\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\TDW\Desktop\Utl\Backups\backup-20040120-115323-335.dll Infected: Trojan-Downloader.Win32.Agent.b skipped
C:\Documents and Settings\TDW\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\TDW\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/24 Oct 2006 15:43 to Erica Blashill:Laptop/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\TDW\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/24 Oct 2006 15:43 to Erica Blashill:Laptop/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\TDW\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/24 Oct 2006 15:43 to Erica Blashill:Laptop/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\TDW\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/24 Oct 2006 15:43 to Erica Blashill:Laptop/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\TDW\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Personal Folders/Work-like/Shop/Ebay/22 Jul 2005 10:20 from eBay Inc:EBAY: UPDATE YOUR ACCOUNT RECORD.rtf Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\TDW\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 5 skipped
C:\Documents and Settings\TDW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\TDW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\TDW\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TDW\Local Settings\History\History.IE5\MSHist012006120720061208\index.dat Object is locked skipped
C:\Documents and Settings\TDW\Local Settings\Temp\Perflib_Perfdata_164.dat Object is locked skipped
C:\Documents and Settings\TDW\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TDW\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\TDW\NTUSER.DAT.LOG Object is locked skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0049.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0049.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0049.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0052.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0052.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0052.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0053.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0054.BIN/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0054.BIN/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0054.BIN/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0054.BIN/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0054.BIN/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0054.BIN/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0054.BIN Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0055.BIN Infected: not-a-virus:Server-Proxy.Win32.MarketScore.h skipped
C:\Downloads\screensaver\snowycottagefree.exe/WISE0056.BIN Infected: not-a-virus:Server-Proxy.Win32.MarketScore.i skipped
C:\Downloads\screensaver\snowycottagefree.exe WiseSFX: infected - 16 skipped
C:\Downloads\screensaver\snowycottagefree.exe WiseSFX Dropper: infected - 16 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5252E3C7-1C57-4117-815A-C2B792B5C7A1}\RP641\change.log Object is locked skipped
C:\WINDOWS\bar.exe/data0001 Infected: not-a-virus:AdWare.Win32.IeSearchBar skipped
C:\WINDOWS\bar.exe Inno: infected - 1 skipped
C:\WINDOWS\cnbabeie.exe/data0008 Infected: not-a-virus:AdWare.Win32.CommonName.b skipped
C:\WINDOWS\cnbabeie.exe/data0009 Infected: not-a-virus:AdWare.Win32.CommonName.d skipped
C:\WINDOWS\cnbabeie.exe/data0010 Infected: not-a-virus:AdWare.Win32.CommonName.d skipped
C:\WINDOWS\cnbabeie.exe NSIS: infected - 3 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_12c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Outlook\Personal Folder06.pst/Personal Folders/Personal Folders/Work-like/Shop/Ebay/22 Jul 2005 10:20 from eBay Inc:EBAY: UPDATE YOUR ACCOUNT RECORD.rtf Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
D:\Outlook\Personal Folder06.pst Mail MS Mail: infected - 1 skipped
D:\Outlook\Work-like06.pst/Personal Folders/Personal Folders/Work-like/Shop/Ebay/22 Jul 2005 10:20 from eBay Inc:EBAY: UPDATE YOUR ACCOUNT RECORD.rtf Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
D:\Outlook\Work-like06.pst Mail MS Mail: infected - 1 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

[tetonbob]

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following if they exist:

C:\Bin\Apps\FutureDial\futuredial serial numbers.exe
C:\Documents and Settings\K&J\Desktop\lisa.exe
C:\Documents and Settings\TDW\Desktop\Utl\Backups\backup-20040120-115323-335.dll
C:\WINDOWS\bar.exe
C:\WINDOWS\cnbabeie.exe
C:\Downloads\screensaver\snowycottagefree.exe Note:Screensavers are frequent sources of adware.

---------------------------------------------------------------------------------------------

It also appears as though you have some suspect old mails in your personal folder.

D:\Outlook\Personal Folder06.pst/Personal Folders/Personal Folders/Work-like/Shop/Ebay/22 Jul 2005 10:20 from eBay Inc:EBAY: UPDATE YOUR ACCOUNT RECORD.rtf

Other than that, your logs appear clean.

Well done. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Create a new System Restore point

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• SpywareGuard to catch and block spyware before it can execute.
  
• SPYBOT - SEARCH & DESTROY
  Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  
• AD-AWARE
  Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
  
  
• IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Download IE-SpyAD - Extract the contents to a new folder
    From within the folder, double-click install.bat
    Select Option #2 - Install the new IE-SPYAD list.
    Then return to the main menu.
    Select option #4 - Add the old porn sites domain
  
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
  
  
  
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  Here are a few very good free Antivirus products which are available:
  • AOL Active Virus Shield (powered by Kaspersky Antivirus)
  • Avast!
  • AVG
  • Avira PersonalEdition Classic
  Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

See this link for a listing of some online antivirus scanners:

Anti-Spyware Tutorial

If you do not have a firewall, here are a couple of free ones available for personal use:

• ZoneAlarm
  
• OutPost Firewall

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[tdwil]

I deleted the files that you told me to and also the mail messages are deleted.
I have the WinXP firewall on do I need another firewall program?
You recamended some free virus scans would they work as well as one that I buy?
Thanks a lot for all your help on cleaning up my PC and for the extra info on what to do to keep it clean.

T

[tetonbob]

Quote:

Originally Posted by tdwil

I deleted the files that you told me to and also the mail messages are deleted.
I have the WinXP firewall on do I need another firewall program?

XP's firewall is very poor at monitoring outbound traffic. ZoneAlarm is the most frequently recommended, but the others work well, too.


You recamended some free virus scans would they work as well as one that I buy?

Not for real time protection. They are good for ancillary scans.

You need to have one onboard. I use AOL's Active Virus Shield (free!!, powered by Kaspersky) recently, and am very impressed so far.


Thanks a lot for all your help on cleaning up my PC and for the extra info on what to do to keep it clean.

T

My pleasure. Any other questions, ask away. Have a look at this link, also in my Signature:

PC Safety and Security--What Do I Need?

Otherwise, if I don't hear from you within a couple of days, we'll archive this thread.