Here is my log before I got rid of mswinccp.exe from the registry with HijackThis (I closed the running process the second I noticed it):
Logfile of HijackThis v1.97.7
Scan saved at 6:08:36 PM, on 8/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Microsoft CCP Update] mswinccp.exe
O4 - HKLM\..\RunServices: [Microsoft CCP Update] mswinccp.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macr...ash/swflash.cab
And here it is after I deleted mswinccp.exe:
Logfile of HijackThis v1.97.7
Scan saved at 6:09:31 PM, on 8/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macr...ash/swflash.cab
Notes:
*Notepad is open because I'm writing what you are now reading in it.
*And I'm almost 100% positive that sm56hlpr.exe is legit and used by my modem.
*Wuapdate16 appears the same way as mswinccp in HijackThis when it is on the computer.
*I closed a copy of SVCHOST.exe labeled LOCAL SERVICE (local something at least) earlier this session; it does not seem to have an effect on getting or not getting the troublesome programs.
*I usually have Quintessential Player running when I'm on the internet; this is a free music player and may have something to do with it. I doubt this though, but I want to give you all as much information to work with. I also use an old version of dead AIM that I downloaded off of www.oldversion.com if that could be causing a problem.
I'm now guessing that I am getting these because I have not updated Windows XP, and the programs are being installed remotely through some type of security hole, or some exploit in the old version of AIM I use. Any help in how to update (I'm new to XP) or pointing out what really is the problem would be greatly appreciated.
Thanks for helping.