computer experts... need help fixing some stuff

Posted: Tue Jul 04, 2006 12:03 am
by 206er
So on my computer there is what seems to be a pretty serious spyware infection.
I have Webroot Spy Sweeper and Symantec AntiVirus. Neither can fully get rid of this damn infection.
I run Spy Sweeper, it gets rid of a bunch of adware cookies and a trojan horse called trojan-downloader-wstart, but within 15 min or so, it's back again.
Symptoms:
- annoying pop ups that are not real windows (clicking X does nothing but bring up a window for http://www.protectmypc.com, or some don't have an X at all); you can click anywhere on the pop up and it opens the protectmypc page
- Task Manager's process list is frozen, cannot scroll or click on any processes
- Internet Properties is frozen, cannot delete temporary internet files
- in Spy Sweeper, cannot enable host file shield, edit host file, or common ad sites shield; it gives the message: "host file too large"
- rebooting in safe mode freezes the computer
So anybody have any tips on how to deal with this problem and make sure it does not come back? I really do not want to wipe my hard drive right now.
TIA for any input

Posted: Tue Jul 04, 2006 12:42 am
by thefultonhow
Can't reboot in Safe Mode, huh? Interesting.

Download HijackThis:

http://www.merijn.org/downloads.html

Run a scan and save a logfile, and then post the logfile here.

Posted: Tue Jul 04, 2006 12:45 am
by Manarius
Head into msconfig (start-> run -> type msconfig and hit enter) and click over to the last tab. Write here, or take screenshots of what you see in the list. From there, we can start knocking things out.

Posted: Tue Jul 04, 2006 12:46 am
by thefultonhow
HijackThis finds the same stuff as MSConfig... and more. ;) And you don't have to take screenshots.

Posted: Tue Jul 04, 2006 12:59 am
by Manarius
thefultonhow wrote: HijackThis finds the same stuff as MSConfig... and more. ;) And you don't have to take screenshots.
I submit to the power of hijackthis. Ignore that post.

Posted: Tue Jul 04, 2006 11:52 am
by Fishy
Sounds kinda like a Vundo infection. Let's see that HijackThis log and I'll be able to tell you if it is or not. :D

Posted: Tue Jul 04, 2006 3:34 pm
by free5ty1e
Download and run Spybot - Search and Destroy. Close as many applications as you have control over, get the definition updates, immunize, scan, and remove the spyware. May take a few tries.

http://www.safer-networking.org

Spybot's startup tool will also color-code processes set to start with your computer according to risk, so you can just uncheck all the reds and probably all the yellows...

I've never tried HijackThis but I've also never needed another spyware protection app since I found Spybot.

Hope this helps.

Re: computer experts... need help fixing some stuff

Posted: Tue Jul 04, 2006 5:48 pm
by Brice k
206er wrote: -annoying pop ups that are not real windows (clicking X does nothing but bring up a window for http://www.protectmypc.com, or some don't have an X at all), you can click anywhere on the pop up and it opens the protectmypc page
Whenever a suspicious window pops up, don't click on it or even click on its X.
Just hit Ctrl/Alt/Delete and use the Applications tab in Task Manager to close the window.

Posted: Tue Jul 04, 2006 9:22 pm
by Manarius
He said Task Manager freezes.

Posted: Wed Jul 05, 2006 3:42 pm
by snowboarded
What is your operating system?

You can try to go to the Control Panel and remove anything that isn't normal, i.e. toolbars, browser extensions, screen savers, any free desktop download that occasionally accesses the internet...

Posted: Wed Jul 05, 2006 4:51 pm
by scuzzy
free5ty1e wrote: Download and run Spybot - Search and Destroy. Close as many applications as you have control over, get the definition updates, immunize, scan, and remove the spyware. May take a few tries.

http://www.safer-networking.org

Spybot's startup tool will also color-code processes set to start with your computer according to risk, so you can just uncheck all the reds and probably all the yellows...

I've never tried HijackThis but I've also never needed another spyware protection app since I found Spybot.

Hope this helps.
Then you aren't cleaning your PC very well. Trust me on this, I've worked in the industry long enough to know that no one application cleans them all.

Spybot included. In fact, I would say Spybot is about as good at removing all spyware as McAfee is at removing all viruses (both are marginal).

Google 'sysinternals' for 'autoruns' and 'process explorer'.

Process Explorer will allow you to... explore all the running processes on your system. Sometimes you've got rogue stuff running that you can't shut down; well, you can 'freeze' it or kill individual threads, forcing it to die.

I executed 'services.exe' on my system the other day by mistake (trying to bring the Services applet up) and it started consuming 100% processor time.

You can't kill it because it's marked as a critical system process (even though this was a duplicate and killing it would have been OK), and it gives you an error message every time you try.

Loaded Process Explorer, found the duplicate, hit Properties, went to the Threads tab, killed off all three threads - process died. Voila.

Autoruns explores the registry for everything from LSAs to the Run folder in the registry and allows you to disable or remove items. You have to be careful what you touch, and you can shorten the list by turning on 'Hide Microsoft Entries' under Properties or Status or something like that.

Remove some stuff, hit Refresh; if it shows back up, you need to boot to Safe Mode to do it.

If you get a repairs.dll or repairs12345.dll or anything like that under the 'AppInit' tab, then dig out your repair CD, because you need to boot to the Recovery Console.

This is a popular spyware item that most anti-spyware applications simply can't remove. AppInit DLLs are loaded so deep into the kernel that there's nothing to kill, and this DLL prevents you from removing some spyware stuff. I can't recall the name of this crap right offhand, but oh well.

Anyway, write down the location, boot to the Recovery Console, change to the directory (it's like DOS) and delete the file.

Generally you should have nothing under 'AppInit'; some specialized applications may install stuff there, but nothing legit I've seen is put there.

Moving along, Sysinternals also makes another good tool called rootkit explorer. These are files and folders that are deliberately hidden using driver hooks when the OS boots up. Take a look at this tool, run it, and examine the results.

Almost everyone will have some entries, and some of it is normal (like if you use DaemonTools). I haven't seen many spyware applications that use rootkits to hide stuff, but some are out there.

Hope this helps.

Posted: Wed Jul 05, 2006 5:02 pm
by thefultonhow
For rootkits there's also F-Secure Blacklight:

http://www.f-secure.com/blacklight/

I haven't personally used it, but it comes highly recommended by someone whose computer skills I respect. And yes, I use Process Explorer in conjunction with HijackThis -- makes it easier to see what's legit and what's not.

I've been out of the malware-removal loop for the past year, so I don't really know the latest malware and the techniques it uses to hook into Windows. I stopped freelancing when Nail/Aurora was still big. I'll be starting up again soon, though, so I'll be getting back into the swing of things.

Posted: Wed Jul 05, 2006 6:31 pm
by 206er
Well, I ran HijackThis, Ad-Aware SE, and Ewido as per some instructions I found, and it seemed to do the trick after I deleted a couple of files from the HijackThis log that were listed in the procedure. But there are some pretty suspicious looking ones on there that weren't listed. What is the best way I can post the log on here so I can get some opinions on them? Basically it is a ton of files that are the same name but adding a letter of it each file down till the whole file name is listed. There's 3 different ones; it's pretty weird.
But I am not having problems anymore. That I know of. :?

Posted: Wed Jul 05, 2006 7:22 pm
by thefultonhow
Just copy and paste the log from the TXT file that HijackThis creates when you choose "Save Log".

Posted: Tue Jul 11, 2006 2:03 am
by Richard
Okay. I have the same problem and ran HijackThis. Can I get a little help please??? Pretty please???????

Logfile of HijackThis v1.99.1
Scan saved at 8:01:34 PM, on 7/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\atmclk.exe
C:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Richard\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [LiveUpdate] C:\Program Files\Byteswarm\LiveUpdate\LiveUpdate.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EA Downloader\Core.exe -silent
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/defaul ... der_v6.cab
O21 - SSODL: altmannsberger - {210b4043-35ca-4aa0-8796-191f9663dfb3} - C:\WINDOWS\system32\vpxnk.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

Posted: Tue Jul 11, 2006 2:14 am
by Richard
I should add that it is a 2-month-old Dell with the original OS (WinXP Home SP2); it came with a trial version of McAfee VirusScan (which is still working, but not finding anything), and I tried to manually delete questionable files by running a search for files created today. My homepage is set to some queaf assed anti-spyware site; when I go to Properties to change my homepage, it says "about:blank". No matter what I change my homepage to, it always resets to the gay assed spy page. I'm getting an annoying "security alert" in the lower right-hand corner of my screen. And once in a while, I get a random internet popup, usually for anti-spyware services.

Posted: Tue Jul 11, 2006 2:21 am
by Manarius
Step 1: Uninstall McAfee.
Step 2: Head over to freeav.com and install their software.
Step 3: Head to microsoft.com and install windows defender.
Step 4: Head over to Mozilla.org and install firefox and use that.

Posted: Tue Jul 11, 2006 3:30 am
by snowboarded
For antivirus, I like Avast. It's free. You definitely got some junk up in it. Well, if it's a new Dell, just toss in the system restore disk, wipe it clean and restart, with a different antivirus, Ad-Aware and Spybot, and a good firewall.

Posted: Tue Jul 11, 2006 3:58 am
by Legacy777
Everything in that hijack report looks alright. However there's a TON of extra shit running, which I would get rid of.

Get rid of all that mcafee crap.

Here's Symantec AntiVirus Corporate Edition 10.0. LiveUpdate does not expire in a year like the consumer version, and this version has spyware searching capability.

It's about 24 MB.
http://www.main.experiencetherave.com:8 ... 10corp.zip

Posted: Tue Jul 11, 2006 4:20 am
by snowboarded
Reading through my post again, I should probably clarify. I had an issue where it would switch up different settings in my IE settings like homepage and bookmarks. It was buried deep down and I ran a number of different programs trying to clean it up. Still had problems even though my HijackThis report looked fine. Stuff was buried real deep, as it looks like yours is also. So you have some junk hidden in some unlikely locations. That's why I said to just flush everything and start over. It will most likely be the easiest way.

Posted: Thu Jul 13, 2006 4:42 am
by Richard
I had a buddy help me with what I had going on. He said HijackThis was a good start and then he used a program called SmitfraudFix. He said it might not get rid of all of it, but so far so good. I haven't noticed anything out of the ordinary.

Posted: Wed Feb 07, 2007 6:14 am
by 206er
Back from the dead...
Got my home computer back online after 6 months or so of being offline. Having the same old problems again; IIRC I fixed them around the time of this post.
Using IE7 now, and having some real annoying spyware stuff that sends a bunch of emails that I'm not sending. Ewido, Webroot, and Symantec are useless against this. HijackThis, I have no freakin' clue what I am looking at.

here's my hijackthis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:10:59 PM, on 2/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Jeremy Soltow\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.webct.colostate.edu
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System Administrator Control) - http://www.linksysfix.com/netcheck/24/i ... downls.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Toolbar) - http://us.dl1.yimg.com/download.compani ... _1_6_0.cab
O20 - Winlogon Notify: acmfc - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
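
Reading a HijackThis log by hand is where threads like this stall, so here is an added example (written for this page; it is not code from HijackThis, Sysinternals or anyone in the thread) that parses the log format above and flags the same structural red flags the replies look for: a BHO registered with no name, a .tmp file loaded as a DLL, an entry whose file is missing, and a Winlogon Notify hook that names a directory instead of a DLL. The sample lines are copied from the two logs posted in this thread; the section-code meanings in the comments are the standard HijackThis ones.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: acmfc - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: altmannsberger - {210b4043-35ca-4aa0-8796-191f9663dfb3} - C:\WINDOWS\system32\vpxnk.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis finding starts with a section code (R0/R1 = IE pages, O2 = BHO,
# O4 = Run keys, O20 = Winlogon Notify, O21 = SSODL, O23 = services, ...).
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
MISSING = "(file missing)"


@dataclass
class Entry:
    code: str           # section code, e.g. "O2"
    kind: str           # text before the first ': ', e.g. "BHO" or "Winlogon Notify"
    fields: list        # the ' - ' separated fields after the kind
    path: str           # file the entry points at ('' if none)
    file_missing: bool  # HijackThis appended "(file missing)"


def run_path(field):
    """Pull the executable out of an O4 Run entry: [Name] "path" -args."""
    field = re.sub(r"^\[[^\]]*\]\s*", "", field)
    quoted = re.match(r'"([^"]*)"', field)
    if quoted:
        return quoted.group(1)
    return re.sub(r"\s+[-/]\S*$", "", field)  # unquoted path: drop a trailing switch


def parse_line(line):
    """Return an Entry for a finding line, or None for headers and process paths."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    kind, rest = body.split(": ", 1) if ": " in body else ("", body)
    file_missing = rest.endswith(MISSING)
    if file_missing:
        rest = rest[: -len(MISSING)].rstrip()
    fields = [f.strip() for f in rest.split(" - ")]
    path = run_path(fields[-1]) if code == "O4" else fields[-1]
    return Entry(code, kind, fields, path, file_missing)


def suspicious_reasons(entry):
    """Structural red flags only; an empty list does not prove the entry is benign."""
    reasons = []
    if entry.file_missing:
        reasons.append("points at a file that is no longer on disk")
    if entry.code == "O2" and entry.fields[0] == "(no name)":
        reasons.append("browser helper object registered without a name")
    if entry.path.lower().endswith(".tmp"):
        reasons.append("loads a .tmp file as a DLL")
    if entry.code == "O20" and entry.path.endswith("\\"):
        reasons.append("Winlogon Notify hook names a directory, not a DLL")
    return reasons


def scan(log_text):
    """Return (code, path, reasons) for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            reasons = suspicious_reasons(entry)
            if reasons:
                findings.append((entry.code, entry.path, reasons))
    return findings


if __name__ == "__main__":
    for code, path, reasons in scan(SAMPLE_LOG):
        print(f"{code}  {path}\n      " + "; ".join(reasons))
```

A flagged entry is a starting point for a person to check, not a verdict, and an empty result does not mean the machine is clean.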

Posted: Wed Feb 07, 2007 6:27 am
by thefultonhow
Okay, you have a couple of suspect entries but nothing that looks like it's running on startup. Download RootkitRevealer:

http://www.softpedia.com/get/Antivirus/ ... aler.shtml

Run it, and then walk away from your computer until it is done. It's important that you do not use your computer at all while it is running, as that will mess up the results.

Post the log here.

Posted: Wed Feb 07, 2007 6:40 am
by smh0101
Use a combination of Spybot S&D and Ad-Aware SE.

Run both until you don't get any more things coming up.

I use these with AVG and never have many problems that can't be fixed with this combo and a reformat. :D

Posted: Wed Feb 07, 2007 7:02 am
by thefultonhow
smh0101 wrote: Use a combination of Spybot S&D and Ad-Aware SE.

Run both until you don't get any more things coming up.

I use these with AVG and never have many problems that can't be fixed with this combo and a reformat. :D
"And a reformat" is the crucial phrase there. If you don't want to reformat, Ad-Aware and Spybot and AVG don't necessarily cut it. I have seen quite a few computers where Ad-Aware and Spybot left more spyware -- HijackThis revealed it.