PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » [Fixed] Problem with: mswinup.exe | winsvcup.exe | winupsvc.exe
#1
Posted 09-17-2006 by Irmaxx (Bronze Member; Join Date: Sep 2006; Posts: 8)
[Fixed] Problem with: mswinup.exe | winsvcup.exe | winupsvc.exe

Dear specialist(s),

I am having some (minor) problems with 3 files on my system. These files are:
- C:\WINDOWS\system32\mswinup.exe
- C:\WINDOWS\system32\winsvcup.exe
- C:\WINDOWS\system32\winupsvc.exe

My problem is the following:
sometimes they try to connect to the Internet, but luckily my firewall (ZoneAlarm Pro v6.5.722.000) keeps me
apprised, so I can and do deny access!
I don't know where they come from, or what they are there for!

I make it my business to TRY to know/understand my system a bit, so I pretty well know (or suspect) where
certain files come from (or belong to) when they try to connect to the Internet.

My question therefore is:
I would like to know, if I can 'just' delete them or do I have to follow every step in the thread:
PC Help Forum.com - Computer Tech Support > Security & Safety > Spyware / AdWare > [Fixed] Hijackthis! Logs >
[Fixed] mswinup.exe, winsvcup.exe, winupsvc.exe?

I am asking you this, because the files DO NOT appear in any search with:
- Lavasoft || Ad-Aware SE Plus v1.06r1 (def.file: SE1R123 14.09.2006);
- Patrick M. Kolla / SaferNetworking Ltd. || Spybot - Search & Destroy v1.4 (last update: 15.09.2006);
- JavaCool Software || SpywareBlaster v3.5.1 (database loaded: 14.09.2006);
- ZoneAlarm Pro || Anti-Spyware (last update: 17.09.2006);
- Norton System Works 2004 || Norton AntiVirus (def.: 16.09.2006);
- Trend Micro || CWShredder v2.19
- Merijn.org || HijackThis (v1.99.1) log-file.

I MUST say, that I am NOT so eager to install Ewido, because of the service it 'creates'!

Furthermore, I've read the post "Please Follow These Instructions Before Posting Your HijackThis Log, AKA 'Prework'"
in the section "HiJackThis! Logs", but I still don't know how to post the HijackThis log.

I also read the part about KillBox, but I don't think that I need it, because none of the files are loaded into memory
as the HijackThis-log suggests! Or rather... NOT suggests!

Well I am somewhat confused in what I should, could or must do.
Can someone please help me in understanding this problem?

Thanx in advance!

With kind regards,


__________________
[ Irmaxx ]
#2
Posted 09-17-2006 by Irmaxx (Bronze Member; Join Date: Sep 2006; Posts: 8)

Of course genie3251, my mistake!

And here it is:

Logfile of HijackThis v1.99.1
Scan saved at 20:43:30, on 17-9-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Tweb\ZAP\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Twin\RAM Def XT\ramdef.exe
C:\Tweb\_SPYWA~1\Ad-Aware\Ad-Watch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\InstantTimeZone\InstantTimeZone.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Twin\H-menu\H_menu.exe
C:\Tweb\+ Mailware +\PopTray\PopTray.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Twin\Turbo Navigator\tn.exe
c:\program files\internet explorer\iexplore.exe
C:\Tweb\+ Spyware +\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/WINDOWS/Homepage/Irmax%20...iew/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Irmax
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\Tweb\FreshDownload\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Tweb\_SPYWA~1\SSD\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: De Telefoongids - {790C1F44-C559-434B-BE18-13C042555D8E} - C:\Tweb\De Telefoongids Zoekbalk\PhoneShell.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\Tweb\FreshDownload\fdiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Tweb\ZAP\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Tweb\+ Spyware +\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [RAMDef] C:\Twin\RAM Def XT\ramdef.exe -tray
O4 - HKCU\..\Run: [TClockEx] C:\Twin\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [AWMON] "C:\Tweb\_SPYWA~1\Ad-Aware\Ad-Watch.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"
O4 - Startup: H-Menu 5.0.lnk = C:\Twin\H-menu\H_menu.exe
O4 - Startup: PopTray.lnk = C:\Tweb\+ Mailware +\PopTray\PopTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InstantTimeZone.lnk = C:\Program Files\InstantTimeZone\InstantTimeZone.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FreshDownload - {C6F04A4B-F0AD-4A0E-9338-D5F59C4348EC} - C:\Tweb\FreshDownload\fd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Telefoongids - {FCA46C9D-25D2-4bbb-810A-EA8B0A1741B4} - C:\Tweb\De Telefoongids Zoekbalk\PhoneShell.dll
O9 - Extra 'Tools' menuitem: De Telefoongids - {FCA46C9D-25D2-4bbb-810A-EA8B0A1741B4} - C:\Tweb\De Telefoongids Zoekbalk\PhoneShell.dll
O15 - Trusted Zone: PC Help Forum.com - Computer Tech Support
O15 - Trusted Zone: Rabobank - Opleidingennet
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Again... thank you in advance!


__________________
[ Irmaxx ]
#3
Posted 09-18-2006 by Pancake (Senior Security Analyst; Join Date: Jun 2006; Location: Victoria, Australia; Posts: 2,491; PC Experience: Elite PC Guru)

I can't see these files in your log... have you removed them???


Download SDFix http://downloads.andymanchesta.com/R...ools/SDFix.zip and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer

  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file
    Report.txt back onto the forum with a new HijackThis log

Please download, update and run the A2 (A squared) anti-trojan. Let it fix whatever it wants to.
Anti-virus
Also, run this pc through the...
Panda Online virus scanner
or
Trend Micro Housecall Online virus scanner
Let it delete whatever it finds. If it cannot delete it, then post the log and we will delete it manually.


__________________
My real name is Eddy
#4
Posted 09-18-2006 by Irmaxx (Bronze Member; Join Date: Sep 2006; Posts: 8)

Thank you for your swift reply, Pancake!

But like I said in my initial post, the 3 files did NOT appear in the searches/logs of:
- Lavasoft || Ad-Aware SE Plus v1.06r1 (def.file: SE1R123 14.09.2006);
- Patrick M. Kolla / SaferNetworking Ltd. || Spybot - Search & Destroy v1.4 (last update: 15.09.2006);
- JavaCool Software || SpywareBlaster v3.5.1 (database loaded: 14.09.2006);
- ZoneAlarm Pro || Anti-Spyware (last update: 17.09.2006);
- Norton System Works 2004 || Norton AntiVirus (def.: 16.09.2006);
- Trend Micro || CWShredder v2.19
- Merijn.org || HijackThis (v1.99.1) log-file.

So to answer your question: NO I did NOT remove them from the HijackThis-log, nor for that matter
did I remove them from ANY log or search-result!
That is why I asked if I could 'just' remove the files from my system??!!

BTW... I downloaded SDfix.zip and A-squared Free.

I ran A-squared Free and this is the log:
------------------------------------------------------------------------------------------
a-squared Free - Version 2.0

Scan settings:

Objects: Memory, Traces, Cookies, C:\WINDOWS, C:\Program Files
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 18-9-2006 13:45:43

Key: HKEY_CURRENT_USER\software\kazaa detected: Trace.Registry.KaZaA
Value: HKEY_LOCAL_MACHINE\software\kazaa\bandwidth\in --> b0 detected: Trace.Registry.KaZaA
Value: HKEY_LOCAL_MACHINE\software\kazaa\bandwidth\in --> b0seconds detected: Trace.Registry.KaZaA
Value: HKEY_LOCAL_MACHINE\software\kazaa\bandwidth\in --> b1 detected: Trace.Registry.KaZaA
Value: HKEY_LOCAL_MACHINE\software\kazaa\bandwidth\lastestimate --> b detected: Trace.Registry.KaZaA
Value: HKEY_LOCAL_MACHINE\software\kazaa\bandwidth\lastestimate --> time detected: Trace.Registry.KaZaA
Value: HKEY_LOCAL_MACHINE\software\kazaa\bandwidth\out --> b0 detected: Trace.Registry.KaZaA
Value: HKEY_LOCAL_MACHINE\software\kazaa\bandwidth\out --> b0seconds detected: Trace.Registry.KaZaA
Value: HKEY_LOCAL_MACHINE\software\kazaa\bandwidth\out --> b1 detected: Trace.Registry.KaZaA
Key: HKEY_LOCAL_MACHINE\software\kazaa\connectioninfo detected: Trace.Registry.KaZaA
Value: HKEY_LOCAL_MACHINE\software\kazaa\connectioninfo --> kazaanet detected: Trace.Registry.KaZaA
Key: HKEY_LOCAL_MACHINE\software\kazaa\localcontent detected: Trace.Registry.KaZaA
Value: HKEY_LOCAL_MACHINE\software\kazaa\localcontent --> downloaddir detected: Trace.Registry.KaZaA
Key: HKEY_LOCAL_MACHINE\software\kazaa detected: Trace.Registry.KaZaA
Value: HKEY_LOCAL_MACHINE\software\kazaa --> listenport detected: Trace.Registry.KaZaA
C:\WINDOWS\system32\entry.dll detected: Trojan.Win32.Agent.qg
C:\WINDOWS\system32\winsvcup.exe detected: IRC-Worm.Win32.Drefir.d
C:\WINDOWS\system32\winupsvc.exe detected: IRC-Worm.Win32.Drefir.c

Scanned

Files: 19156
Traces: 72852
Cookies: 7
Processes: 39

Found

Files: 3
Traces: 15
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 18-9-2006 13:58:13
Scan time: 0:12:30

------------------------------------------------------------------------------------------

I haven't used SDfix, because I don't know what it does and I am 'afraid' to use it!

Kind regards,


__________________
[ Irmaxx ]
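The question running through posts #1, #2 and #4 is why three files that a-squared flags never show up in the HijackThis log. HijackThis only enumerates what is running and what is hooked in (autostarts, BHOs, toolbars, services, Winlogon notify); a file that merely sits in system32 is invisible to it. The added example below (not from the thread, not HijackThis's or a-squared's own code) parses both log formats and reports, for each file the scanner flagged, whether HijackThis references it anywhere. The two log excerpts are constructed in the same formats as the ones posted above.

```python
from __future__ import annotations
import re

# Constructed excerpts in the formats of the logs posted in this thread.
HJT_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Tweb\ZAP\zlclient.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/WINDOWS/Homepage/index.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Tweb\_SPYWA~1\SSD\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Tweb\ZAP\zlclient.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

A2_LOG = r"""Key: HKEY_CURRENT_USER\software\kazaa detected: Trace.Registry.KaZaA
Value: HKEY_LOCAL_MACHINE\software\kazaa --> listenport detected: Trace.Registry.KaZaA
C:\WINDOWS\system32\entry.dll detected: Trojan.Win32.Agent.qg
C:\WINDOWS\system32\winsvcup.exe detected: IRC-Worm.Win32.Drefir.d
C:\WINDOWS\system32\winupsvc.exe detected: IRC-Worm.Win32.Drefir.c
"""

# A token ending in a PE-style extension, taken after the last backslash.
_MODULE = re.compile(r'([^\\\s"\[\]]+\.(?:exe|dll|bat|cmd|scr))\b', re.I)


def hjt_referenced_files(log: str) -> set[str]:
    """Lower-cased basenames of every module a HijackThis log mentions:
    the running-process list plus every R/O section line."""
    names = set()
    in_procs = False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs and re.match(r"^[A-Za-z]:\\", line):
            names.add(line.rsplit("\\", 1)[-1].lower())
            continue
        in_procs = False  # first non-path line ends the process list
        names.update(m.group(1).lower() for m in _MODULE.finditer(line))
    return names


def a2_file_detections(log: str) -> dict[str, str]:
    """Map each file path a-squared flagged to its signature name.
    Registry 'Key:'/'Value:' traces are deliberately skipped."""
    hits = {}
    for line in log.splitlines():
        m = re.match(r"^([A-Za-z]:\\.+?) detected: (\S+)$", line)
        if m:
            hits[m.group(1)] = m.group(2)
    return hits


def cross_check(hjt_log: str, a2_log: str) -> dict[str, dict]:
    """For each flagged file, record whether HijackThis lists it anywhere.
    False means the file sits on disk but is neither running nor hooked into
    any autostart, BHO or service entry that HijackThis enumerates."""
    referenced = hjt_referenced_files(hjt_log)
    report = {}
    for path, sig in a2_file_detections(a2_log).items():
        base = path.rsplit("\\", 1)[-1].lower()
        report[path] = {"signature": sig, "in_hijackthis": base in referenced}
    return report
```

A file absent from the HijackThis log can still be started by another component (the O23/O4 entries of a dropper, a scheduled task, or a service not yet installed), so absence is evidence about persistence, not proof of harmlessness.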
#5
Posted 09-18-2006 by Pancake (Senior Security Analyst; Join Date: Jun 2006; Location: Victoria, Australia; Posts: 2,491; PC Experience: Elite PC Guru)

You say you won't use Ewido and won't use SDfix, then there is little point in me trying to help you clean your system...


__________________
My real name is Eddy
#6
Posted 09-18-2006 by Irmaxx (Bronze Member; Join Date: Sep 2006; Posts: 8)

Dear Pancake,

It may be a small detail, but I never said I won't use Ewido and SDfix.

What I said was that I am NOT so eager and 'afraid' to use these apps without knowing
what they are and what they do.
I am not in the habit of following someone's advice "just like that", without knowing
what the consequences are for my system.

What I am saying is that I'm hoping that someone can/will explain to me what these apps are for,
what they do and how they work.
Maybe there's a helpfile or how-to file or something.....

Please understand, I'm NOT unwilling but... perhaps... too cautious?!

Kind regards,


__________________
[ Irmaxx ]