vamcleod

Thanks guys. I think I have got this critter caught. After running HJT,I reviewed the log and located any files that I did not recognize from past experience. I googled these files and found two that were spywareno. Wupdmgr.exe and osaupd.exe original filename balloon.exe(I had previously deleted that entry from the registry). I then booted to safe mode and deleted those two files. Deleted the desktop icon and boom, I am smoking again!! Thanks for all the help. You guys were great. Thanks Corrine for the first shove. Peace up!!

Thanks, here is Hijack Logfile of HijackThis v1.99.1 Scan saved at 8:14:52 PM, on 4/27/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\ACS.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\WINDOWS\SM1BG.EXE C:\toshiba\ivp\ism\pinger.exe C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\TOSHIBA\Power Management\CePMTray.exe C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Apoint2K\Apoint.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\WINDOWS\wupdmgr.exe C:\WINDOWS\osaupd.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\WINDOWS\System32\DVDRAMSV.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\System32\svchost.exe c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\DOWNLOADS_vomac\HijACk THiS\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [{78-8F-FC-C1-ZN}] 0 O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140652834906 O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/1.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe Thanks guys.

#:24 [spbbcsvc.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\SPBBC\ ProcessID : 272 ThreadCreationTime : 4-26-2006 11:31:59 PM BasePriority : Normal FileVersion : 1,0,1,47 ProductVersion : 1,0,1,47 ProductName : SPBBC CompanyName : Symantec Corporation FileDescription : SPBBC Service InternalName : SPBBCSvc LegalCopyright : Copyright © 2004 Symantec Corporation. All rights reserved. OriginalFilename : SPBBCSvc.exe #:25 [starwindservice.exe] FilePath : C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\ ProcessID : 328 ThreadCreationTime : 4-26-2006 11:31:59 PM BasePriority : Normal FileVersion : 2.6.1 Build 0x20050401 ProductVersion : 2.6.1 Build 0x20050401 ProductName : StarWind CompanyName : Rocket Division Software FileDescription : StarWind iSCSI Target (Alcohol Edition) InternalName : StarWind LegalCopyright : Copyright © Rocket Division Software 2003-2005. All rights reserved. OriginalFilename : StarWind #:26 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 340 ThreadCreationTime : 4-26-2006 11:31:59 PM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:27 [swupdtmr.exe] FilePath : c:\TOSHIBA\Ivp\Swupdate\ ProcessID : 440 ThreadCreationTime : 4-26-2006 11:31:59 PM BasePriority : Normal #:28 [symlcsvc.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\ ProcessID : 508 ThreadCreationTime : 4-26-2006 11:32:03 PM BasePriority : Normal FileVersion : 1.8.54.841 ProductVersion : 1.8.54.841 ProductName : Symantec Core Component CompanyName : Symantec Corporation FileDescription : Symantec Core Component InternalName : symlcsvc LegalCopyright : Copyright © 2003 OriginalFilename : symlcsvc.exe #:29 [wdfmgr.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 572 ThreadCreationTime : 4-26-2006 11:32:05 PM BasePriority : Normal FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act) ProductVersion : 5.2.3790.1230 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Windows User Mode Driver Manager InternalName : WdfMgr LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : WdfMgr.exe #:30 [mspmspsv.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 676 ThreadCreationTime : 4-26-2006 11:32:05 PM BasePriority : Normal FileVersion : 7.00.00.1954 ProductVersion : 7.00.00.1954 ProductName : Microsoft ® DRM CompanyName : Microsoft Corporation FileDescription : WMDM PMSP Service InternalName : MSPMSPSV.EXE LegalCopyright : Copyright © Microsoft Corp. 1981-2000 OriginalFilename : MSPMSPSV.EXE #:31 [ccevtmgr.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\ ProcessID : 988 ThreadCreationTime : 4-26-2006 11:32:06 PM BasePriority : Normal FileVersion : 103.0.7.2 ProductVersion : 103.0.7.2 ProductName : Client and Host Security Platform CompanyName : Symantec Corporation FileDescription : Symantec Event Manager Service InternalName : ccEvtMgr LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved. OriginalFilename : ccEvtMgr.exe #:32 [tptray.exe] FilePath : C:\Program Files\TOSHIBA\TouchPad\ ProcessID : 1792 ThreadCreationTime : 4-26-2006 11:32:20 PM BasePriority : Normal FileVersion : 1, 1, 0, 2 ProductVersion : 1, 1, 0, 2 ProductName : TPTray Application CompanyName : COMPAL ELECTRONIC INC. FileDescription : TPTray Application InternalName : TPTray LegalCopyright : Copyright 2002-2004 Compal Electronic Inc. OriginalFilename : TPTray.EXE Comments : Mei Hsu #:33 [sm1bg.exe] FilePath : C:\WINDOWS\ ProcessID : 2056 ThreadCreationTime : 4-26-2006 11:32:22 PM BasePriority : Normal FileVersion : 6.01.1000.0 ProductVersion : 6.01.1000.0 ProductName : Cypress USB Mass Storage Adapter CompanyName : Cypress Semiconductor FileDescription : Cypress USB Mass Storage Driver Background Application InternalName : SM1BG.EXE LegalCopyright : Copyright © 1998-2003 Cypress Semiconductor OriginalFilename : SM1BG.EXE #:34 [pinger.exe] FilePath : C:\toshiba\ivp\ism\ ProcessID : 2064 ThreadCreationTime : 4-26-2006 11:32:22 PM BasePriority : Normal FileVersion : 3.3 ProductVersion : 3.3 ProductName : Software Upgrades CompanyName : TOSHIBA Corporation FileDescription : TOSHIBA Pinger InternalName : PINGER LegalCopyright : © 1997-2002 TOSHIBA Corporation OriginalFilename : PINGER.EXE Comments : With TSysSMon support. #:35 [padexe.exe] FilePath : C:\Program Files\TOSHIBA\Touch and Launch\ ProcessID : 2124 ThreadCreationTime : 4-26-2006 11:32:23 PM BasePriority : Normal FileVersion : 1, 2, 4, 0 ProductVersion : 1, 2, 4, 0 ProductName : PadTouch CompanyName : TOSHIBA FileDescription : PadTouch Main InternalName : PadExe LegalCopyright : Copyright © 2003-2004 TOSHIBA Corporation OriginalFilename : PadExe.exe #:36 [ndstray.exe] FilePath : C:\Program Files\TOSHIBA\ConfigFree\ ProcessID : 2136 ThreadCreationTime : 4-26-2006 11:32:23 PM BasePriority : Normal FileVersion : 4, 50, 0, 105 ProductVersion : 4, 5, 0, 0 ProductName : ConfigFree Tray CompanyName : TOSHIBA CORPORATION FileDescription : ConfigFree Tray InternalName : ndstray LegalCopyright : Copyright 2002-2003 © TOSHIBA CORPORATION. All rights reserved. OriginalFilename : NDSTray.exe #:37 [tfswctrl.exe] FilePath : C:\WINDOWS\system32\dla\ ProcessID : 2152 ThreadCreationTime : 4-26-2006 11:32:24 PM BasePriority : Normal FileVersion : 1.04.08a CompanyName : Sonic Solutions FileDescription : Drive Letter Access Component LegalCopyright : Copyright © 2004 Sonic Solutions #:38 [cepmtray.exe] FilePath : C:\Program Files\TOSHIBA\Power Management\ ProcessID : 2172 ThreadCreationTime : 4-26-2006 11:32:25 PM BasePriority : Normal FileVersion : 1, 1, 0, 11 ProductVersion : 1, 1, 0, 11 ProductName : CeTray Application CompanyName : COMPAL ELECTRONIC INC. FileDescription : CeTray MFC Application InternalName : CeTray LegalCopyright : Copyright 2002-2004 Compal Electronic Inc. OriginalFilename : CeTray.EXE Comments : James Kang #:39 [ceekey.exe] FilePath : C:\Program Files\TOSHIBA\E-KEY\ ProcessID : 2204 ThreadCreationTime : 4-26-2006 11:32:25 PM BasePriority : Normal FileVersion : 2, 1, 0, 7 ProductVersion : 2, 1, 0, 7 ProductName : EKey Application CompanyName : COMPAL ELECTRONIC INC. FileDescription : TOSHIBA HotKey Utility InternalName : EKey LegalCopyright : Copyright 2003-2004 Compal Electronic Inc. OriginalFilename : CeEKey.EXE #:40 [ccapp.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\ ProcessID : 2240 ThreadCreationTime : 4-26-2006 11:32:26 PM BasePriority : Normal FileVersion : 103.0.7.2 ProductVersion : 103.0.7.2 ProductName : Client and Host Security Platform CompanyName : Symantec Corporation FileDescription : Symantec User Session InternalName : ccApp LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved. OriginalFilename : ccApp.exe #:41 [ad-watch.exe] FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\ ProcessID : 2308 ThreadCreationTime : 4-26-2006 11:32:27 PM BasePriority : Normal FileVersion : 3.1.2.17 ProductVersion : 3.2 ProductName : Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Watch System Protector InternalName : Ad-Watch.exe LegalCopyright : 1999-2004 Team Lavasoft OriginalFilename : Ad-Watch.exe #:42 [atiptaxx.exe] FilePath : C:\Program Files\ATI Technologies\ATI Control Panel\ ProcessID : 2360 ThreadCreationTime : 4-26-2006 11:32:28 PM BasePriority : Normal FileVersion : 6.14.10.5103 ProductVersion : 6.14.10.5103 ProductName : ATI Desktop Component CompanyName : ATI Technologies, Inc. FileDescription : ATI Desktop Control Panel InternalName : Atiptaxx.exe LegalCopyright : Copyright © 1998-2004 ATI Technologies Inc. OriginalFilename : Atiptaxx.exe #:43 [apoint.exe] FilePath : C:\Program Files\Apoint2K\ ProcessID : 2444 ThreadCreationTime : 4-26-2006 11:32:29 PM BasePriority : Normal FileVersion : 6.0.2.180 ProductVersion : 6.0.2.180 ProductName : Alps Pointing-device Driver CompanyName : Alps Electric Co., Ltd. FileDescription : Alps Pointing-device Driver InternalName : Alps Pointing-device Driver LegalCopyright : Copyright © 1999-2003 Alps Electric Co., Ltd. OriginalFilename : Apoint.exe #:44 [agrsmmsg.exe] FilePath : C:\WINDOWS\ ProcessID : 2516 ThreadCreationTime : 4-26-2006 11:32:30 PM BasePriority : Normal FileVersion : 2.1.38 2.1.38 02/20/2004 15:00:27 ProductVersion : 2.1.38 2.1.38 02/20/2004 15:00:27 ProductName : Agere SoftModem Messaging Applet CompanyName : Agere Systems FileDescription : SoftModem Messaging Applet InternalName : smdmstat.exe LegalCopyright : Copyright © Agere Systems 1998-2000 OriginalFilename : smdmstat.exe #:45 [mtdacq.exe] FilePath : C:\Program Files\Creative\Shared Files\Media Sniffer\ ProcessID : 2640 ThreadCreationTime : 4-26-2006 11:32:32 PM BasePriority : Normal FileVersion : 1.2.3.0 ProductVersion : 1.0.0.0 ProductName : Metadata monitor CompanyName : Creative Technology Ltd FileDescription : Metadata monitor InternalName : MtdAcq.exe LegalCopyright : Copyright © Creative Technology Ltd., 2002. All rights reserved. OriginalFilename : MtdAcq.exe #:46 [ctdetect.exe] FilePath : C:\Program Files\Creative\MediaSource\Detector\ ProcessID : 2668 ThreadCreationTime : 4-26-2006 11:32:33 PM BasePriority : Normal FileVersion : 3.0.2.0 ProductVersion : 3.0.0.0 ProductName : Creative MediaSource Detector CompanyName : Creative Technology Ltd FileDescription : Creative MediaSource Detector InternalName : CTDetect LegalCopyright : Copyright © Creative Technology Ltd., 2003-2004. All rights reserved. OriginalFilename : CTDetect.EXE #:47 [wscntfy.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 2744 ThreadCreationTime : 4-26-2006 11:32:34 PM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Windows Security Center Notification App InternalName : wscntfy.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : wscntfy.exe #:48 [ramasst.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 2796 ThreadCreationTime : 4-26-2006 11:32:36 PM BasePriority : Normal FileVersion : 1, 0, 9, 0 ProductVersion : 1, 0, 9, 0 CompanyName : Matsushita Electric Industrial Co., Ltd. FileDescription : CD Burning of Windows XP disabling tool for DVD MULTI Drive LegalCopyright : Copyright © Matsushita Electric Industrial Co., Ltd. 2002 - 2003 OriginalFilename : RAMASST.EXE #:49 [wupdmgr.exe] FilePath : C:\WINDOWS\ ProcessID : 2888 ThreadCreationTime : 4-26-2006 11:32:38 PM BasePriority : Normal FileVersion : 1, 0, 0, 1 ProductVersion : 1, 0, 0, 1 ProductName : Balloon Application FileDescription : Balloon MFC Application InternalName : Balloon LegalCopyright : Copyright © 2006 OriginalFilename : Balloon.EXE

I followed these instruction twice, Spywareno was not removed. Attached is the info requested Ad-Aware SE Build 1.06r1 Logfile Created on:Wednesday, April 26, 2006 8:15:53 PM Using definitions file:SE1R105 26.04.2006 »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» References detected during the scan: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» SpywareNo(TAC index:10):2 total references »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Definition File: ========================= Definitions File Loaded: Reference Number : SE1R105 26.04.2006 Internal build : 125 File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\defs.ref File size : 623812 Bytes Total size : 2049042 Bytes Signature data size : 2011689 Bytes Reference data size : 36841 Bytes Signatures total : 56569 CSI Fingerprints total : 2406 CSI data size : 78138 Bytes Target categories : 15 Target families : 880 Memory + processor status: ========================== Number of processors : 2 Processor architecture : Intel Pentium IV Memory available:64 % Total physical memory:916460 kb Available physical memory:584112 kb Total page file size:2222872 kb Available on page file:1956312 kb Total virtual memory:2097024 kb Available virtual memory:2042156 kb OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600) Ad-Aware SE Settings =========================== Set : Search for low-risk threats Set : Safe mode (always request confirmation) Set : Scan active processes Set : Scan registry Set : Deep-scan registry Set : Scan my IE Favorites for banned URLs Set : Scan within archives Set : Scan my Hosts file Extended Ad-Aware SE Settings =========================== Set : Unload recognized processes & modules during scan Set : Scan registry for all users instead of current user only Set : Automatically check all objects in results lists Set : Always try to unload modules before deletion Set : During removal, unload Explorer and IE if necessary Set : Let Windows remove files in use at next reboot Set : Delete quarantined objects after restoring Set : Suppress warning if objects cannot be removed Set : Suppress progress bar during list operations Set : Disable manual quarantine if auto-quarantine is selected Set : Block pop-ups aggressively Set : Load Ad-Watch minimized Set : Automatically select problematic objects in results lists Set : Include basic Ad-Aware settings in log file Set : Include additional Ad-Aware settings in log file Set : Include reference summary in log file Set : Include alternate data stream details in log file Set : Snap windows to desktop borders Set : Limit drive selection to fixed drives Set : Use gridlines in results lists Set : Suppress WebUpdate confirmation dialogs Set : Backup current definitions file before updating Set : Play sound at scan completion if scan locates critical objects 4-26-2006 8:15:53 PM - Scan started. (Full System Scan) Listing running processes »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» #:1 [smss.exe] FilePath : \SystemRoot\System32\ ProcessID : 620 ThreadCreationTime : 4-26-2006 11:31:47 PM BasePriority : Normal #:2 [csrss.exe] FilePath : \??\C:\WINDOWS\system32\ ProcessID : 672 ThreadCreationTime : 4-26-2006 11:31:53 PM BasePriority : Normal #:3 [winlogon.exe] FilePath : \??\C:\WINDOWS\system32\ ProcessID : 696 ThreadCreationTime : 4-26-2006 11:31:54 PM BasePriority : High #:4 [services.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 744 ThreadCreationTime : 4-26-2006 11:31:55 PM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Services and Controller app InternalName : services.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : services.exe #:5 [lsass.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 756 ThreadCreationTime : 4-26-2006 11:31:55 PM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : LSA Shell (Export Version) InternalName : lsass.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : lsass.exe #:6 [ati2evxx.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 936 ThreadCreationTime : 4-26-2006 11:31:55 PM BasePriority : Normal #:7 [svchost.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 952 ThreadCreationTime : 4-26-2006 11:31:55 PM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:8 [svchost.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1004 ThreadCreationTime : 4-26-2006 11:31:56 PM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:9 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1044 ThreadCreationTime : 4-26-2006 11:31:56 PM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:10 [acs.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1144 ThreadCreationTime : 4-26-2006 11:31:56 PM BasePriority : Normal #:11 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1180 ThreadCreationTime : 4-26-2006 11:31:56 PM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:12 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1224 ThreadCreationTime : 4-26-2006 11:31:56 PM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:13 [spoolsv.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1528 ThreadCreationTime : 4-26-2006 11:31:57 PM BasePriority : Normal FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519) ProductVersion : 5.1.2600.2696 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Spooler SubSystem App InternalName : spoolsv.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : spoolsv.exe #:14 [aluschedulersvc.exe] FilePath : C:\Program Files\Symantec\LiveUpdate\ ProcessID : 1676 ThreadCreationTime : 4-26-2006 11:31:57 PM BasePriority : Normal FileVersion : 3.0.0.160 ProductVersion : 3.0.0.160 ProductName : LiveUpdate CompanyName : Symantec Corporation FileDescription : Automatic LiveUpdate Scheduler Service InternalName : Automatic LiveUpdate Scheduler Service LegalCopyright : Copyright © 1996-2005 Symantec Corporation OriginalFilename : ALUSchedulerSvc.exe #:15 [ccproxy.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\ ProcessID : 1844 ThreadCreationTime : 4-26-2006 11:31:58 PM BasePriority : Normal FileVersion : 103.0.7.2 ProductVersion : 103.0.7.2 ProductName : Client and Host Security Platform CompanyName : Symantec Corporation FileDescription : Symantec Network Proxy Service InternalName : ccProxy LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved. OriginalFilename : ccProxy.exe #:16 [explorer.exe] FilePath : C:\WINDOWS\ ProcessID : 1856 ThreadCreationTime : 4-26-2006 11:31:58 PM BasePriority : Normal FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 6.00.2900.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Windows Explorer InternalName : explorer LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : EXPLORER.EXE #:17 [ccsetmgr.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\ ProcessID : 1872 ThreadCreationTime : 4-26-2006 11:31:58 PM BasePriority : Normal FileVersion : 103.0.7.2 ProductVersion : 103.0.7.2 ProductName : Client and Host Security Platform CompanyName : Symantec Corporation FileDescription : Symantec Settings Manager Service InternalName : ccSetMgr LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved. OriginalFilename : ccSetMgr.exe #:18 [ceepwrsvc.exe] FilePath : C:\Program Files\Toshiba\Power Management\ ProcessID : 1884 ThreadCreationTime : 4-26-2006 11:31:58 PM BasePriority : Normal FileVersion : 1, 1, 0, 0 ProductVersion : 1, 1, 0, 0 ProductName : CeEPwrSvc Module CompanyName : COMPAL ELECTRONIC INC. FileDescription : CeEPwrSvc Module InternalName : CeEPwrSvc LegalCopyright : Copyright 2002-2004 Compal Electronic Inc. OriginalFilename : CeEPwrSvc.EXE Comments : James Kang #:19 [cfsvcs.exe] FilePath : C:\Program Files\TOSHIBA\ConfigFree\ ProcessID : 1896 ThreadCreationTime : 4-26-2006 11:31:58 PM BasePriority : Normal FileVersion : 4, 60, 0, 2 ProductVersion : 4, 60, 0, 0 ProductName : ConfigFree CompanyName : TOSHIBA CORPORATION FileDescription : Service of ConfigFree. InternalName : CFSvcs.exe LegalCopyright : Copyright © 2003 TOSHIBA CORPORATION. All rights reserved. LegalTrademarks : ConfigFree OriginalFilename : CFSvcs.exe Comments : Service of ConfigFree. #:20 [ctsvccda.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1920 ThreadCreationTime : 4-26-2006 11:31:58 PM BasePriority : Normal FileVersion : 1.0.1.0 ProductVersion : 1.0.0.0 ProductName : Creative Service for CDROM Access CompanyName : Creative Technology Ltd FileDescription : Creative Service for CDROM Access InternalName : CTsvcCDAEXE LegalCopyright : Copyright © Creative Technology Ltd., 1999. All rights reserved. OriginalFilename : CTsvcCDA.EXE #:21 [dvdramsv.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1960 ThreadCreationTime : 4-26-2006 11:31:58 PM BasePriority : Normal FileVersion : 2, 0, 7, 0 ProductVersion : 2, 0, 7, 0 CompanyName : Matsushita Electric Industrial Co., Ltd. FileDescription : Service of RAMAsst for Windows XP LegalCopyright : Copyright © Matsushita Electric Industrial Co., Ltd. 2002 - 2003 OriginalFilename : DVDRAMSV.EXE #:22 [issvc.exe] FilePath : C:\Program Files\Norton Internet Security\ ProcessID : 2000 ThreadCreationTime : 4-26-2006 11:31:58 PM BasePriority : Normal FileVersion : 8.0.5.14 ProductVersion : 8.0 ProductName : Norton Internet Security CompanyName : Symantec Corporation FileDescription : IS Service InternalName : ISSVC.exe LegalCopyright : Copyright © 2004 Symantec Corporation OriginalFilename : ISSVC.exe #:23 [sndsrvc.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\ ProcessID : 212 ThreadCreationTime : 4-26-2006 11:31:58 PM BasePriority : Normal FileVersion : 5.5.1.6 ProductVersion : 5.5 ProductName : Symantec Security Drivers CompanyName : Symantec Corporation FileDescription : Network Driver Service InternalName : SndSrvc LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation OriginalFilename : SndSrvc.exe

I am unable to remove SPYWARENO from my PC. I have scanned in safe mode, scan in normal mode still the problem still exist. The Scan located it but will not delete it. I did a "find" search in the registry and deleted all files found for Zeno, ballon.apllication,spywareno and still it keeps coming back. This is my third day with this problem. I am using SE plus build 1.06r1 with definition file SE1R104 21.04.2006. Which I understand should be the current version. I also found out that this spy has been around since 2005. Should not this version be able to repair it? I turned off sys restore, ran scan still no help. The scan locates but will not delete. Re scan, locates will not delete. At one time I had 14 files of spywareno in quarantine. I deleted all of them. Same problem exists. Operating system: Win XP, SP2. Pentium 4 w/3.06 GigHz. 1 gig shared memory. Help please!! Thanks. Partial Log follows. Entire log too large to post: Ad-Aware SE Build 1.06r1 Logfile Created on:Saturday, April 22, 2006 12:51:11 PM Using definitions file:SE1R104 21.04.2006 »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» References detected during the scan: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» SpywareNo(TAC index:10):2 total references »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»