Tom's Guide | Tom's Hardware | Tom's Games
Something is disabling my antivirus software (Panda Titanium). I have installed Norton AV and it disables that too! I've read elsewhere on your excellent pages of similar problems but any advice there has not worked for me. I feel vulnerable!
I have four SVCHOST.exe processes running one in user LOCAL SERVICE, one in user NETWORK SERVICE and two in user SYSTEM.
I enclose:
OPEN PORT LIST
(columns: process, PID, local address, local port, [remote address, remote port for connections], state, protocol, image path)
System 4 10.0.0.7 138 LISTEN UDP
System 4 10.0.0.7 137 LISTEN UDP
System 4 0.0.0.0 445 LISTEN UDP
System 4 10.0.0.7 139 LISTEN TCP
System 4 0.0.0.0 1026 LISTEN TCP
System 4 0.0.0.0 445 LISTEN TCP
pavProxy.exe 140 127.0.0.1 18003 LISTEN UDP C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
pavProxy.exe 140 127.0.0.1 18002 LISTEN UDP C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
pavProxy.exe 140 127.0.0.1 18001 LISTEN UDP C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
pavProxy.exe 140 127.0.0.1 31597 LISTEN TCP C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
pavProxy.exe 140 127.0.0.1 31596 LISTEN TCP C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
pavProxy.exe 140 127.0.0.1 31595 LISTEN TCP C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
lsass.exe 616 0.0.0.0 500 LISTEN UDP C:\WINDOWS\system32\lsass.exe
svchost.exe 792 0.0.0.0 135 LISTEN TCP C:\WINDOWS\system32\svchost.exe
P2P Networking.exe 840 0.0.0.0 3531 LISTEN UDP C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
P2P Networking.exe 840 0.0.0.0 3531 LISTEN TCP C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
svchost.exe 856 127.0.0.1 123 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 856 127.0.0.1 3003 LISTEN TCP C:\WINDOWS\System32\svchost.exe
svchost.exe 856 127.0.0.1 3002 LISTEN TCP C:\WINDOWS\System32\svchost.exe
svchost.exe 856 0.0.0.0 1025 LISTEN TCP C:\WINDOWS\System32\svchost.exe
MsnMsgr.Exe 920 127.0.0.1 3012 LISTEN UDP C:\Program Files\MSN Messenger\MsnMsgr.exe
MsnMsgr.Exe 920 10.0.0.7 21611 LISTEN UDP C:\Program Files\MSN Messenger\MsnMsgr.exe
MsnMsgr.Exe 920 10.0.0.7 9 LISTEN UDP C:\Program Files\MSN Messenger\MsnMsgr.exe
MsnMsgr.Exe 920 0.0.0.0 3023 LISTEN UDP C:\Program Files\MSN Messenger\MsnMsgr.exe
MsnMsgr.Exe 920 10.0.0.7 3029 212.162.1.99 80 CLOSE_WAIT TCP C:\Program Files\MSN Messenger\MsnMsgr.exe
MsnMsgr.Exe 920 10.0.0.7 3025 207.68.178.238 80 CLOSE_WAIT TCP C:\Program Files\MSN Messenger\MsnMsgr.exe
MsnMsgr.Exe 920 10.0.0.7 3011 207.46.106.60 1863 ESTABLISHED TCP C:\Program Files\MSN Messenger\MsnMsgr.exe
MsnMsgr.Exe 920 0.0.0.0 3020 LISTEN TCP C:\Program Files\MSN Messenger\MsnMsgr.exe
svchost.exe 972 0.0.0.0 3088 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 972 0.0.0.0 3068 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 972 0.0.0.0 3007 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 984 127.0.0.1 1900 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 984 0.0.0.0 5000 LISTEN TCP C:\WINDOWS\System32\svchost.exe
alg.exe 1368 127.0.0.1 3001 LISTEN TCP C:\WINDOWS\System32\alg.exe
iexplore.exe 3000 127.0.0.1 3060 LISTEN UDP C:\Program Files\Internet Explorer\iexplore.exe
Logfile of HijackThis v1.97.7
Scan saved at 11:44:25, on 02/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\apvxdwin.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Firewall\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trust\250S Series\LwbWheel.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Downloaded utilities\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe /run
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Firewall\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] c:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Pop-Up Control Center.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\Pop-Up Control Center.url
O4 - Startup: Pop-Up Stopper Free Edition.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Panda Antivirus Titanium.lnk = C:\Program Files\Panda Software\Panda Antivirus Titanium\Avlite.exe
O4 - Global Startup: Trust Ami Mouse 250S Series 1.2.lnk = C:\Program Files\Trust\250S Series\LwbWheel.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.zonnet.nl
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4306/mcfscan.cab

Whoah, a lot of info....
The best place to start is to make sure Norton is completely updated and reboot into safe mode and run a full virus scan.
The svchost.exe is normal and should be there.
Hope this helps

I ran a search on "virus disables antivirus". It appears as though there are several virus and worms that are capable of doing this. If the previous information doesn't help, I suggest you run the same search.
LL

Close all browser windows, then in HijackThis check off the boxes next to the following and then click the Fix button....
Could you have HijackThis fix these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
That being said, there is a reasonable amount of 'unneeded' CPU usage happening;
but that's not what you asked for, right.
I'd fix these 'unneeded' as well:
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
and because there appears to be a boot conflict and for general memory hogging:
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
If you don't know these service provider guys, fix them as well:
O14 - IERESET.INF: START_PAGE_URL=http://www.zonnet.nl
Only real hijackers:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
Then reboot; find and delete the following.....
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\
There should be an entry under Add/Remove Programs for the following; if so, please use it to uninstall, if not have HJT fix it:
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
Close all browser windows and
Rescan with Hjt and repost your log here.
All port activity looks normal to me.
Then ya gotta work out ya AV situation.
ciao
- - - - - -
>>>>>
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
Above is the hidden p2p within Kazaa. - [many thanks to *Abnormal* :D]
>>>>
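Iceblue's reply judges the port activity normal. As an added example that is not part of the thread, here is a small Python parser for the listing format the original poster pasted, which separates loopback-only listeners from those bound to 0.0.0.0 or the LAN address and lists the network-reachable ones whose image is not an OS component. The sample rows are constructed from the first post; the "Windows image" rule (only files directly in C:\WINDOWS or C:\WINDOWS\system32 count, so a file dropped into a subfolder of System32 does not) is an assumption of this example.

```python
import ntpath
import re

# One row of the netstat-style listing posted above: a process name that may
# contain spaces, PID, local address and port, an optional remote address and
# port (connections only), the state, the protocol, and an optional image path.
ROW = re.compile(
    r"^(?P<proc>.+?)\s+(?P<pid>\d+)\s+(?P<laddr>[\d.]+)\s+(?P<lport>\d+)\s+"
    r"(?:(?P<raddr>[\d.]+)\s+(?P<rport>\d+)\s+)?"
    r"(?P<state>[A-Z_]+)\s+(?P<proto>TCP|UDP)(?:\s+(?P<path>\S.*))?$"
)

# Assumption: a Windows XP install on C:. Only images sitting directly in these
# folders count as OS components; a file in a subfolder of System32 (as
# P2P Networking.exe is in the listing above) is treated as third party.
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}


def parse_listing(text):
    """Parse the listing into dicts; lines that do not match the row format are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["pid"] = int(row["pid"])
        row["lport"] = int(row["lport"])
        row["rport"] = int(row["rport"]) if row["rport"] else None
        rows.append(row)
    return rows


def is_loopback(addr):
    return addr.startswith("127.")


def is_windows_image(path):
    return path is not None and ntpath.dirname(path).lower() in WINDOWS_DIRS


def exposed_listeners(rows):
    """Listeners bound to 0.0.0.0 or a real interface address, i.e. reachable from the LAN."""
    return [r for r in rows if r["state"] == "LISTEN" and not is_loopback(r["laddr"])]


def review_list(rows):
    """Exposed listeners whose image is neither the kernel ('System') nor an OS component."""
    found = set()
    for r in exposed_listeners(rows):
        if r["proc"] == "System" or is_windows_image(r["path"]):
            continue
        found.add((r["proc"], r["lport"], r["proto"]))
    return sorted(found)


# Constructed sample rows modelled on the listing in the first post.
SAMPLE = r"""
System 4 10.0.0.7 139 LISTEN TCP
System 4 0.0.0.0 445 LISTEN TCP
pavProxy.exe 140 127.0.0.1 31595 LISTEN TCP C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
svchost.exe 792 0.0.0.0 135 LISTEN TCP C:\WINDOWS\system32\svchost.exe
P2P Networking.exe 840 0.0.0.0 3531 LISTEN TCP C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
MsnMsgr.Exe 920 10.0.0.7 3011 207.46.106.60 1863 ESTABLISHED TCP C:\Program Files\MSN Messenger\MsnMsgr.exe
MsnMsgr.Exe 920 0.0.0.0 3020 LISTEN TCP C:\Program Files\MSN Messenger\MsnMsgr.exe
alg.exe 1368 127.0.0.1 3001 LISTEN TCP C:\WINDOWS\System32\alg.exe
"""

if __name__ == "__main__":
    for proc, port, proto in review_list(parse_listing(SAMPLE)):
        print(f"review: {proc} listening on {proto}/{port}")
```

On the sample this reports the P2P Networking and MSN Messenger listeners only; the Panda proxy and alg.exe bind to 127.0.0.1 and are unreachable from the network, and the SMB/RPC ports belong to the kernel and to svchost.exe in System32.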

Partial success!!!
Many thanks Bwill - I'm running Norton AV Professional with Live update and the virus list as of 28/11/2003 - full scan performed although no viruses found. I'm also running Panda Titanium (68674 virus signatures) and have been advised that running two AV programs can cause its own problems - what do you say?
Much appreciated LL - I had also done this prior to posting my query and spent many a fruitless hour tinkering without success. It was this search that led me to believe I had a virus related problem. I'll condense my experiences into an advise report if/when I get to the bottom of this so others can benefit.
Heartfelt appreciation Iceblue - I have done as you suggested. I now have a fully enabled NAV AND Panda Titanium running. One curious observation. My firewall (ZoneAlarm) blocked an outgoing access request at startup leading me to believe that something is still in my system. HJ follows.
Logfile of HijackThis v1.97.7
Scan saved at 10:14:58, on 03/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\apvxdwin.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Firewall\ZoneAlarm\zlclient.exe
C:\Program Files\Trust Mouse\250S Series\lwbwheel.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Downloaded utilities\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Firewall\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] c:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust Mouse\250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: Pop-Up Control Center.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\Pop-Up Control Center.url
O4 - Global Startup: Panda Antivirus Titanium.lnk = C:\Program Files\Panda Software\Panda Antivirus Titanium\Avlite.exe
O4 - Global Startup: Trust Ami Mouse 250S Series 1.2.lnk = C:\Program Files\Trust\250S Series\LwbWheel.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4306/mcfscan.cab

Excellent!
High level success from where I'm standing; OK, AV stuff to sort and internal comms to look at.
Firstly, one last one to remove, BackWeb adware:
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
fix, reboot; delete C:\WINDOWS\System32\CTsvcCDA.exe
and review. Should be all OK after that. No more bugs phone home.
I have to agree with Tom on this one: nvsvc32.exe (C:\WINDOWS\System32\nvsvc32.exe)
Unless you have an nVidia video card and unless removing this has any bad effects,
go ahead and delete this separately.
Please save the final clean log in a safe place, and keep for future reference; when new intruders appear or settings change unexpectedly – and this will inevitably happen.
Don't react and delete items when they appear – repost and review.
OK.. internal comms... happen all the time...
what I found very enlightening was to disable any and all unnecessary Windows services, and THEN re-install the firewall,
allowing ONLY those services that required definite access. With a clean sheet above, it will be easier to trust the system, which has a high level of internal comms anyway.
Windows\system32\svchost.exe has a multitude of processes going on, and is a vital Windows file. There can be multiple instances of system32\svchost.exe running at the same time. Each svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where system32\svchost.exe is started. (Just don't ever use this name in plural form – see below)
>>> So the trick is to disable all unneeded services through Run > services.msc
There are 80 something services on my box; most of which were enabled by default;
a third of which are unneeded. Disable what you don’t need for your box, reduce to manual what does not need to be automatic and you will find far less services running on your box, and a reduced level of internal comms, particularly for standalone PCs.
e.g. start with security related services http://www.labmice.net/articles/winxpsecuritychecklist.htm
and then tweak away at all services;
http://www.blackviper.com/WinXP/servicecfg.htm
>> scroll down to the XP Home and Professional Services Configurations table
Hopefully this will reduce your service processes running, and in your firewall processes (though not always)….
Outgoing requests will happen, and not always when you expect them. Click No if in doubt; if a service is needed to run an app; it simply won’t work without it. Click Yes, if you need that service to run. Click Yes, Always, if you’re dead sure.
AV: most people would agree that running two AV programs * at the same time * is courting problems/trouble/disaster. One or the other will be sufficient to run in the background. Disable one to run the other one when you want to. Others may have a different opinion here; depends how Nortons behaves itself over time. Nortons and Messenger have a long history for me.
Maybe don't uninstall one or other unless it is really needed. They can be a bugger to uninstall, particularly Nortons.
Give it some time... let us know how it goes.. HTH
Ice
>>>
Note:
Trojan fake = Windows\svchosts
Trojan fake = Windows\System\svchost32.exe
Worm fake = Windows\ ..\ scvhost.exe ( that's scv …)
Real or fake? = Windows\ ..\ SCVHOSTS.exe Windows Print Spooler ?
even Pacs are unsure of this one at this stage…
scvhost32.exe = anybody’s guess
>>> makes it bloody hard to read logs sometimes…………
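Ice's post above makes two points a log reader has to apply by hand: the genuine svchost.exe lives in Windows\system32 while malware picks near-miss names (svchosts, svchost32.exe, scvhost.exe), and Iceblue's earlier reply lists R0/R1 entries set to about:blank as the ones to fix. As an added example that is not from the thread or from HijackThis itself, here is a Python triage pass over the "Running processes" and R0/R1 sections of a HijackThis v1.97-style log that flags both. The lookalike test strips digits from the image name and uses an edit distance of at most 2 against "svchost" (so it also reports the uncertain SCVHOSTS.exe for review rather than deciding it); the threshold, the System32 path and the sample log are this example's assumptions.

```python
import ntpath
import re

# Assumption: the only legitimate home of svchost.exe on this XP box.
LEGIT_SVCHOST_DIR = "c:\\windows\\system32"


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # "scv" vs "svc"
    return d[len(a)][len(b)]


def check_process(path):
    """Return a reason if an image path looks like a fake svchost, else None."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if name == "svchost.exe":
        return None if folder == LEGIT_SVCHOST_DIR else "svchost.exe outside System32"
    stem = re.sub(r"\d", "", name.rsplit(".", 1)[0])  # svchost32 -> svchost
    if osa_distance(stem, "svchost") <= 2:
        return "name resembles svchost.exe"
    return None


def running_processes(log):
    """Image paths listed under 'Running processes:' up to the first blank or R/O line."""
    paths, active = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.endswith("Running processes:"):
            active = True
            continue
        if active:
            if not line or re.match(r"^[RO]\d+ - ", line):
                break
            paths.append(line)
    return paths


def hijacked_ie_settings(log):
    """(registry key, value name) of R0/R1 lines whose value is about:blank."""
    hits = []
    for line in log.splitlines():
        m = re.match(r"^R[01] - (.+?),([^=]+?) = (.+)$", line.strip())
        if m and m.group(3).strip().lower() == "about:blank":
            hits.append((m.group(1), m.group(2)))
    return hits


def triage(log):
    flagged = [(p, check_process(p)) for p in running_processes(log)]
    return {"processes": [f for f in flagged if f[1]],
            "ie_settings": hijacked_ie_settings(log)}


# Constructed sample log modelled on the logs in this thread, with two fakes added.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System\svchost32.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Firewall\ZoneAlarm\zlclient.exe
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, reason in result["processes"]:
        print(f"process: {path}  <- {reason}")
    for key, value in result["ie_settings"]:
        print(f"IE setting to fix: {key},{value}")
```

The two genuine svchost.exe entries pass (case differences in the path are normalised), while svchost32.exe under Windows\System and scvhost.exe are reported; a flag means "look at it", as Ice says, not "delete it".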
