
PC World Forums: VSLGXUP.exe Does anyone know what this is? - PC World Forums

VSLGXUP.exe Does anyone know what this is?

#1 mrputney

Posted 31 August 2006 - 12:23 PM

Hi PC Worlders,

I am a tech in the Spokane, WA area. I do work for a local CPA company when they need it. Yesterday he called me and said that his WinXP Pro machine is booting up very slowly. (He said sometimes it takes 15 mins. to get up and running at the desktop.)

I went over to his office and sure enough it was slow in booting, slow in getting his startup group running. I know there are a couple of things that I noticed that seem to be contributing to the problem. First, he was in desperate need to get his WinXP Pro updates. YIKES, he was way behind on those. And finally I noticed an item in his startup group that Google and Yahoo! did not recognize. SCARY!

vslgxup.exe (Located in: HKLM\Software\Microsoft\Windows\CurrentVersion\Run)

Of course this is a very notorious Registry key where huge amounts of viruses and spyware like to hang out.

I asked him if he installed any new software lately that might have coincided with noticing the computer booting slowly. He said no. (As if I expected any other answer than what I got. Why is it, they never know.) :-)

The startup group also said the executable file in question was located in the C:\Windows directory. However, even with hidden files and folders option disabled, I was still not able to find that executable when I browsed to that location. YIKES! Not good.

Any help from the excellent PC World community would be well appreciated. I am not really looking for a surefire fix here, just some ideas from some of you on what this strange file might be associated with. Google and Yahoo! have no idea.

MrPutney

P.S. All Spyware and AntiVirus programs had the latest updates and didn't recognize it either. (Ad-Aware and Norton)

#2 SpiritWind

Posted 31 August 2006 - 07:28 PM

:D Hi: Certainly sounds like malware. Ad-Aware is good for most spyware detection; is it the "Plus" or "Professional" version? Is it the latest version? There are many antivirus programs better than Norton, most likely because the virus-making writers code their viruses to avoid Norton detection; your CPA would have better protection using NOD32 or Kaspersky for AV.

Sounds like you should install the "HijackThis" program, best downloaded from: www.thespykiller.co.uk/files/HJTsetup.exe. Note: This is a complete installer that installs HijackThis to your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut. If HijackThis is used from a temp folder, it is in danger of being accidentally deleted by clean up tools. At the download prompt, choose "Save". After the download is complete, navigate to the C:\Program Files\HijackThis folder and double-click it to complete the installation.

Then, assuming you do NOT know how to properly read the result of its scan, called a "log", post it on an antiSPYWARE FORUM. Since the CPA has Ad-Aware, I recommend the Ad-Aware oriented forums at: www.landzdown.com. For info on HOW to post a HijackThis log, see: www.bleepingcomputer.com/tutorials/tutorial94.html. Of course, skip "Steps 1 - 3".

#3 TheNameless

Posted 02 September 2006 - 02:18 PM

As Spirit said, HijackThis is an excellent choice, but if you want to try something a little less drastic than HijackThis, you can simply get rid of the autostart entry, possibly through Autostart viewer. Both HijackThis and ASV can get rid of the entry, but neither can get rid of the file itself (to my knowledge, since it's in the system folder).

It may also be a rootkit, in which case you might have to get a program such as RootkitRevealer, BlackLight, etc., which would explain why you can't see the binary it is talking about.

If you can't find the entry in HijackThis or ASV, it may just be simply a false positive (and believe me, A-A has plenty of them).

#4 mrputney

Posted 25 September 2006 - 09:03 PM

Thanks to SpiritWind and theNameless. I'll check out the rootkit programs as I believe that is where the problem lies. Thanks again.
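
The check at the centre of this thread (a value under the HKLM Run key whose executable cannot be found on disk) can be scripted. The PowerShell below is an added example, not code from any poster: it lists every Run value, resolves the file it points to, and reports whether that file is visible and how it is signed. The helper name Get-TargetPath and the extension list are illustrative assumptions, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): audit HKLM Run-key autostart entries.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-TargetPath {
    # Hypothetical helper: pull the executable path out of a Run-key command line.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }            # quoted path
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|dll))(\s|,|$)') {  # unquoted path, may contain spaces
        return $Matches[1]
    }
    return ($cmd -split '\s+')[0]                                   # fallback: first token
}

$key = Get-Item -LiteralPath $runKey
$report = foreach ($name in $key.GetValueNames()) {
    $command = [string]$key.GetValue($name)
    if ([string]::IsNullOrWhiteSpace($command)) { continue }
    $path = Get-TargetPath $command

    if (-not [IO.Path]::IsPathRooted($path)) {
        # Bare file name such as "vslgxup.exe": look in the Windows directories.
        $hit = "$env:SystemRoot\System32", $env:SystemRoot |
            ForEach-Object { Join-Path $_ $path } |
            Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
            Select-Object -First 1
        if ($hit) { $path = $hit }
    }

    $onDisk = Test-Path -LiteralPath $path -PathType Leaf
    $sig = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'n/a' }

    [pscustomobject]@{
        Name      = $name
        Command   = $command
        Target    = $path
        OnDisk    = $onDisk     # False = entry exists but the file is not visible
        Signature = $sig        # NotSigned / HashMismatch deserve a closer look
    }
}

# Entries whose target is missing sort first.
$report | Sort-Object OnDisk | Format-Table -AutoSize -Wrap
```

An entry with OnDisk = False is the situation described in post #1. The script sees the same file-system view as Explorer, so confirming whether the file is really absent takes an offline look at the disk or one of the rootkit scanners named in post #3.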