
Thread: Lots of spyware, etc keep reappearing

  1. #1
    Junior Member
    Join Date
    Dec 2006
    Posts
    4

    Lots of spyware, etc keep reappearing

    IE kept locking up and the entire computer was running very slow. I ran Spybot a few days ago and it found 13 things that it "fixed". That totally fixed my computer. But every few hours they all start to appear again and I have to keep running Spybot. Here is my HJT record:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:19:24 PM, on 12/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\ati2evxx.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\Atiptaxx.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\dsrss.exe
    C:\WINDOWS\smss.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\ieredir.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: ib4.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\system32\ib14.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
    O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
    O4 - HKLM\..\Run: [IE Redir] C:\WINDOWS\ieredir.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: MSWin-1520309620.bat
    O4 - Startup: MSWin-1520309620.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1161923198144
    O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/...l/SymDlBrg.cab
    O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinner.com/games/v41...y/tilecity.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    hi magfan,

    first we will use hjt then go get a download.

    before you use hjt, please make sure the real time component of windows defender isn't active, like this:
    1. Launch Windows Defender
    2. Click Tools > General Settings
    3. Under Realtime Protection Options uncheck "Turn on real-time protection (recommended)".
    4. Click the Save button
    5. Close Windows Defender
    ----------------------------------------------
    scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

    O2 - BHO: ib4.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\system32\ib14.dll

    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
    O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
    O4 - HKLM\..\Run: [IE Redir] C:\WINDOWS\ieredir.exe
    O4 - Startup: MSWin-1520309620.bat
    O4 - Startup: MSWin-1520309620.exe
    -------------------------------------------
    first stop:
    http://www.ewido.net/en/download/
    This is a 30 day trial of the program

    1. Once you have downloaded AVG Anti-Spyware 7.5, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need to run AVG Anti-Spyware 7.5 and update the definition files.
    3. Run AVG Anti-Spyware
    4. From the main AVG Anti-Spyware screen, click on Update, then click the Start update button.
    5. After the update finishes (the status bar at the bottom will display "Update successful")
    6. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    7. Under "Reports"
    8. Select "Automatically generate report after every scan"
    9. Un-Select "Only if threats were found"

    run a full system scan, please post back the avg antispyware log, you can edit out the cookies if there are a lot of them, then rescan and post a hjt log.

    shelf life
    How Can I Reduce My Risk?

  3. #3
    Junior Member
    Join Date
    Dec 2006
    Posts
    4


    Hope I did this right! Not much of a computer person.
    Here's the HJT and the AVG Anti-Spyware log

    Logfile of HijackThis v1.99.1
    Scan saved at 10:44:00 AM, on 12/13/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\ati2evxx.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\Atiptaxx.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1161923198144
    O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/...l/SymDlBrg.cab
    O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinner.com/games/v41...y/tilecity.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe



    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP509\A0072935.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP509\A0072939.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP511\A0073131.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP513\A0078046.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP513\A0078047.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP513\A0078048.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP513\A0078062.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP513\A0078102.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0078139.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0078140.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0078141.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0078157.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0079151.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0079154.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0079169.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0079185.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0079186.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0079187.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP516\A0080219.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP517\A0080241.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP518\A0080249.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP518\A0080250.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP518\A0080251.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP519\A0080286.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP520\A0080291.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP520\A0080292.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP520\A0080293.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP520\A0080307.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP520\A0080331.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP521\A0081333.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP521\A0081340.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\WINDOWS\dsrss.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\WINDOWS\ieredir.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\WINDOWS\preredir.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\hijackthis\backups\backup-20061213-001500-937-MSWin-1520309620.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP500\A0069549.exe -> Logger.BZub.fm : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP500\A0069550.exe -> Logger.BZub.fm : Cleaned with backup (quarantined).
    HKU\S-1-5-21-971929597-1256799619-874574627-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1E6CE4CD-161B-4847-B8BF-E2EF72299D69} -> Logger.Sters : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP509\A0072938.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP509\A0072949.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP510\A0073100.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP510\A0073110.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP510\A0073121.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP511\A0073130.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP512\A0078041.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP513\A0078060.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP513\A0078101.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP513\A0078114.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP513\A0078132.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0078154.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0079150.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0079164.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0079180.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP516\A0080215.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP517\A0080239.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP519\A0080283.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP520\A0080305.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP520\A0080330.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP521\A0081330.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\hijackthis\backups\backup-20061213-001459-518.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
    C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream.a : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP513\A0078099.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP513\A0078112.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP513\A0078129.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0078136.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0078156.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0079153.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0079161.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP515\A0079183.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP516\A0080218.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP517\A0080240.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP518\A0080245.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP519\A0080284.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP520\A0080287.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP520\A0080306.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP520\A0080329.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP521\A0080332.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0BEA88A-6491-4653-8138-16C48361FE45}\RP521\A0081328.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\WINDOWS\hosts.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\drivers\etc\1.hosts -> Trojan.Qhost.hl : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\drivers\etc\2.hosts -> Trojan.Qhost.hl : Cleaned with backup (quarantined).

  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    hi magfan,

    you did fine. thanks for the info. let's do this: first to show all files:

    For XP: on the desktop double click my computer, go to tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files " also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok

    next using explorer, right click on start>explore. when explorer opens in the left find the C:\windows folder, double click it. all the files/folders in that dir. will show in the right hand pane. see if you can locate this one: winlogon.exe.

    the winlogon.exe in the c:/windows/system32 dir. is ok. we are looking for the one in c:/windows. note the difference

    if you can locate it do this: (if you can't locate it we will do something else)
    go to this website, click the browse button and locate the file on your computer again, then click the send button. the file will be checked out by a dozen or so different virus scanners.
    if any flag it as a virus/malware/downloader/trojan etc., locate it once more on your computer and delete it. (if it gives you problems when deleting it, we will try something else)
    the website:
    http://www.virustotal.com/en/indexf.html
    How Can I Reduce My Risk?
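The check described in post #4 (a core Windows process name that sits outside system32), run over a HijackThis log, as an added example that is not part of the original thread and not HijackThis's own logic. The `SYSTEM32_ONLY` list, the function name and the assumption that Windows is installed in `C:\WINDOWS` belong to this example; the sample lines are excerpted from the logs posted in this thread.

```python
import ntpath
import re

# Core Windows XP processes that normally load only from %windir%\system32.
# Assumed list for this example; explorer.exe is left out because it
# legitimately lives in C:\WINDOWS. Assumes Windows is installed in C:\WINDOWS.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
EXPECTED_DIR = r"c:\windows\system32"

# Lines excerpted from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\smss.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 autostart entry: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RUN = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")
# Full path to an .exe, optionally quoted, at the start of a command line.
EXE_PATH = re.compile(r'^"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

def find_masquerading(log_text):
    """Return (source, path) pairs for system-process names outside system32."""
    hits = []
    in_processes = False
    for line in map(str.strip, log_text.splitlines()):
        if line == "Running processes:" or not line:
            in_processes = bool(line)  # heading opens the list, blank line ends it
            continue
        if in_processes:
            source, command = "process", line
        else:
            m = O4_RUN.match(line)
            if not m:
                continue  # only the process list and O4 entries are checked
            source, command = f"{m.group(1)} [{m.group(2)}]", m.group(3)
        exe = EXE_PATH.match(command)
        if not exe:
            continue  # bare file name resolved via PATH: not judged here
        folder, name = ntpath.split(exe.group(1).lower())
        if name in SYSTEM32_ONLY and folder != EXPECTED_DIR:
            hits.append((source, exe.group(1)))
    return hits
```

A hit is a lead for the file check that follows in the thread, not a verdict on the file.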

  5. #5
    Junior Member
    Join Date
    Dec 2006
    Posts
    4

    Default

    I located this file in the Windows folder and sent it to the website you told me. It didn't find a virus in that file. Thanks for your help. What should I do now? Anything?

  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi magfan,

    good thanks, please rescan and post a new hjt log.
    also update and do a scan with your antivirus.

    shelf life

  7. #7
    Junior Member
    Join Date
    Dec 2006
    Posts
    4

    Default

    Here's the new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:20:26 PM, on 12/15/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\ati2evxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\Atiptaxx.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1161923198144
    O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/...l/SymDlBrg.cab
    O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinner.com/games/v41...y/tilecity.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

  8. #8
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi magfan,

    thanks for the info.
    virustotal didn't find anything in the winlogon.exe from the C:\WINDOWS directory?
    how's your computer running now, any better?


    shelf life

  9. #9
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Glad we could help. As the problem appears to be resolved, this topic has been archived.

    If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

    Anyone else with similar problems please start a new topic.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
