Computer Forums

05-23-2005, 02:44 AM   #1
kb-resq (Newb Techie; joined Jan 2005; 14 posts)

need to clean up my computer

We're getting mostly pop-ups that I can't get rid of, and it's getting worse. Here is what I've done so far:
1) Ad-Aware scan with updated definition files.
2) SpyBot scan with updated definition files.
3) Updated Norton virus definition files.
4) Rebooted to safe mode.
4A) Deleted contents of C:\temp and C:\windows\temp
4B) Tried to delete C:\Documents and Settings\ \Local Settings\Temp, but was denied access.
4C) Was also denied access to Temporary Internet Files.
5) Emptied recycle bin.
6) Ran Ad-Aware and SpyBot again (still in safe mode), and cleaned everything detected.
7) Rebooted computer.
8) Did the on-line virus scan with BitDefender and deleted a bunch of stuff.
9) Did the Trend Micro on-line scan and got the following results:

TROJ STERVIS.C non cleanable c:\documents and settings\Kyle & Kim\ local settings\temporary internet files\Con...

o TROJ AGENT.ABS cannot access c:\windows\system32\inawpq.exe
o TROJ AGENT.KR cannot access c:\windows\system32\RZFe.exe
o TROJ AGENT.UL cannot access c:\windows\system32\svhosts.exe
o TROJ BUFFY.F cannot access c:\windows\elwzdlthel.exe
o TROJ STERVIS.C non cleanable c:\windows\svcproc.exe
o TROJ AGENT.UL non cleanable c:\update.exe

I still cannot gain access to the files listed above, and it's very frustrating!!

Finally, here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:18:07 AM, on 5/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\system32\RZFe.exe
C:\WINDOWS\system32\RZFe.exe
C:\lanman.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\Yxi34V2.exe
C:\WINDOWS\system32\ZebhbtN.exe
c:\windows\system32\xjupvb.exe
D:\Program Files\Java\bin\jusched.exe
C:\WINDOWS\system32\29d6t24p.exe
C:\program files\internet explorer\iexplore.exe
D:\Program Files\Sony Handheld\HOTSYNC.EXE
E:\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [LyraHD2TrayApp] "D:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKLM\..\Run: [RZFe.exe] c:\windows\system32\RZFe.exe
O4 - HKLM\..\Run: [5MJXBH55CL@NAZ] C:\WINDOWS\system32\HufklA.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\lanman.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\bin\jusched.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [Bl5np.exe] C:\documents and settings\kyle & kim\local settings\temp\Bl5np.exe
O4 - HKLM\..\Run: [Bl5np] C:\documents and settings\kyle & kim\local settings\temp\Bl5np.exe
O4 - HKLM\..\Run: [8XyB.exe] C:\windows\system32\8XyB.exe
O4 - HKLM\..\Run: [8XyB] C:\windows\system32\8XyB.exe
O4 - HKLM\..\Run: [29d6t24p] C:\WINDOWS\system32\29d6t24p.exe
O4 - HKLM\..\Run: [deyldj] c:\windows\system32\xjupvb.exe
O4 - HKLM\..\RunServices: [Windows Services Hosts] svhosts.exe
O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\RunServices: [Windows Services Hosts] svhosts.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: SysTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I'm patiently awaiting your expert analysis.
Thanks in Advance,
Kyle
05-23-2005, 02:56 AM   #2
Static_11 (Monster Techie; joined Apr 2005; 1,944 posts)

First run anti-spyware. Don't use IE if you are... if you ARE using IE, get one of these: www.getfirefox.com, www.opera.com. Different browsers that don't allow most of the crap that IE allows to get on your PC.

anti spyware scan:
http://www.microsoft.com/downloads/d...displaylang=en


lol... then another MAJOR step... DON'T USE NORTON!!! AHHH

Free virus scanner:
http://www.majorgeeks.com/download886.html

pick the location closest to you and then it should automatically start downloading...

get a firewall:
http://www.majorgeeks.com/download388.html

Now I would run all of the spyware/ad-ware/SpyBot/virus scanners again... go to Start/Run, type in msconfig, go to Startup and disable everything but your antivirus and firewall... then restart... AND THEN wait till tomorrow till warez or someone else reads your log, as I have no idea what they say.


All of these links were provided by blitze105 in:
http://www.tech-forums.net/showthrea...threadid=53623
05-23-2005, 04:41 AM   #3
Osiris (joined Jan 2005; Kentucky; 32,131 posts)

Remove entries at your own risk

After you delete these entries, go to Start, Run, type MSCONFIG, go to Startup and click Disable All except your AV and FW; do not restart yet. Go to Internet Options and delete all cookies and temporary internet files. Then go to Add/Remove and remove any programs that you don't recognize, then go to C:\Windows\Prefetch and delete that folder. Run Ad-Aware SE Personal and Spybot Search and Destroy 1.4 RC-2 (you can get them from www.majorgeeks.com). Run those programs before you reboot, then reboot and run them again, and then repost your new HijackThis log.

C:\windows\system32\RZFe.exe This is an unknown process.

C:\WINDOWS\system32\RZFe.exe
Unknown running process. (RZFe.exe) This is an unknown process.

C:\lanman.exe This is an unknown process.

C:\WINDOWS\system32\Yxi34V2.exe
Unknown running process. (Yxi34V2.exe) This is an unknown process.

C:\WINDOWS\system32\ZebhbtN.exe
Unknown running process. (ZebhbtN.exe) This is an unknown process.

c:\windows\system32\xjupvb.exe This is an unknown process.

C:\WINDOWS\system32\29d6t24p.exe This is an unknown process.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
Nasty This entry should be fixed by HijackThis!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
Nasty This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
Nasty This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
Nasty This entry should be fixed by HijackThis!

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
Nasty This entry should be fixed by HijackThis!

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
Nasty This entry should be fixed by HijackThis!

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= This entry should be fixed by HijackThis!

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll Must be fixed!

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file) Must be fixed!
Unnecessary (deactivated) entry that can be fixed

O4 - HKLM\..\Run: [Windows Services Hosts] svhosts.exe Unknown application.

O4 - HKLM\..\Run: [RZFe.exe] c:\windows\system32\RZFe.exe
Possibly nasty
Hit rate: 7 % (result) It seems that the name of this program is the same as the name of the file. In most cases this is the result of trojans. To be sure, you should check this file.

O4 - HKLM\..\Run: [5MJXBH55CL@NAZ] C:\WINDOWS\system32\HufklA.exe
Unknown Unknown application.


O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\lanman.exe Unknown Unknown application.

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe Unknown application.

O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
Unknown application.
O4 - HKLM\..\Run: [Bl5np.exe] C:\documents and settings\kyle & kim\local settings\temp\Bl5np.exe It seems that the name of this program is the same as the name of the file. In most cases this is the result of trojans. To be sure, you should check this file.

O4 - HKLM\..\Run: [Bl5np] C:\documents and settings\kyle & kim\local settings\temp\Bl5np.exe
Unknown Unknown application.

O4 - HKLM\..\Run: [8XyB.exe] C:\windows\system32\8XyB.exe
Possibly nasty It seems that the name of this program is the same as the name of the file. In most cases this is the result of trojans. To be sure, you should check this file.

O4 - HKLM\..\Run: [8XyB] C:\windows\system32\8XyB.exe
Unknown Unknown application.

O4 - HKLM\..\Run: [29d6t24p] C:\WINDOWS\system32\29d6t24p.exe
Unknown Unknown application.

O4 - HKLM\..\Run: [deyldj] c:\windows\system32\xjupvb.exe
Unknown application.

O4 - HKLM\..\RunServices: [Windows Services Hosts] svhosts.exe Unknown application.

O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe Unknown application.


O4 - HKCU\..\RunServices: [Windows Services Hosts] svhosts.exe Unknown application.

O4 - Global Startup: SysTray.lnk = ? Unknown application.
The entry is unnecessary and can be fixed.

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
Unnecessary. Unknown buttons or entries in the 'Extras' menu should be fixed. To be fixed if the entry '' is unknown.
Unnecessary (deactivated) entry that can be fixed.

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) Unknown buttons or entries in the 'Extras' menu should be fixed. To be fixed if the entry 'Uninstall BitDefender Online Scanner v8 ' is unknown.
Unnecessary (deactivated) entry that can be fixed.

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM) If you did not add these pages to your trusted pages, they should be fixed.

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab This entry is possibly nasty. Should be fixed.

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe These entries show all services which are not from Microsoft. Often malware starts as a system service and it is not easy to detect. Unknown service. (svcproc.exe)
05-23-2005, 03:13 PM   #4
Static_11 (Monster Techie; joined Apr 2005; 1,944 posts)

His log was freaking red-flagged like crazy, eh?
05-23-2005, 04:31 PM   #5
Blitze105 (Monster Techie; joined Jan 2005; 1,101 posts)

Yes it was. Post back the trojans that you have not gotten rid of; I can fix a lot of them manually.
I'm forgetful! So if I stop posting on something that I was helping you with, PM me or IM me.
Yahoo and AOL: blitze105
You can always IM or PM me if I offend you as well; I will edit the post if I have.
05-23-2005, 06:35 PM   #6
Osiris (joined Jan 2005; Kentucky; 32,131 posts)

Post your log back when you have removed the entries
05-24-2005, 12:47 AM   #7
kb-resq (Newb Techie; joined Jan 2005; 14 posts)

First of all, thanks for the prompt responses. I've followed your suggestions, and there are several "nasties" that won't go away. They are:
1) RZFe.exe
2) nail.exe
3) svhost.exe
4) svcproc.exe

Also, am I supposed to leave those settings on startup (msconfig)?

Here is my new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:36:45 PM, on 5/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\system32\RZFe.exe
C:\WINDOWS\system32\RZFe.exe
c:\windows\system32\fcvmblu.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZebhbtN.exe
C:\WINDOWS\system32\Rqt425.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [5MJXBH55CL@NAZ] C:\WINDOWS\system32\Exk331LG.exe
O4 - HKLM\..\Run: [RZFe.exe] C:\WINDOWS\system32\RZFe.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [glbesq] c:\windows\system32\fcvmblu.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
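The two logs in this thread are a before/after pair, and Osiris's reply applies a handful of rules of thumb to the first one by hand: search settings that all point at one outside host, an O4 value whose name is just the file name, a bare file name with no directory (svhosts.exe), something starting from a temp folder, a service with no vendor, and entries whose target file is gone. One detail worth spelling out is the F2 line, which is identical in both logs: HijackThis reports the Winlogon Shell value there, and that value is supposed to contain only Explorer.exe. Any further program listed in it is started at every logon alongside the desktop, so deleting C:\WINDOWS\Nail.exe on disk does not remove the entry that launches it. The script below is an added example, not part of this thread or of HijackThis itself: it encodes those rules in Python, runs them over excerpts copied from the two logs, and lists the flagged lines that appear in both. The allowlist of hosts, the temp-directory fragments and the executable-extension list are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Hosts allowed in IE search settings or the Trusted Zone (assumption for this example).
ALLOWED_HOSTS = {"www.microsoft.com", "www.google.com"}
# Directory fragments an autostart entry should never point into (assumed list).
TEMP_DIRS = ("\\local settings\\temp\\", "\\windows\\temp\\", "\\temp\\")

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First program of an O4 command line: quoted, or unquoted up to a known extension
# (HijackThis prints paths containing spaces unquoted).
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|com|scr|bat|cmd|pif|dll))"?(?:\s|$)', re.I)

# Excerpts copied from the two logs posted in this thread, cut down to the lines
# the checks below act on.
FIRST_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKLM\..\Run: [RZFe.exe] c:\windows\system32\RZFe.exe
O4 - HKLM\..\Run: [Bl5np] C:\documents and settings\kyle & kim\local settings\temp\Bl5np.exe
O4 - HKLM\..\RunServices: [Windows Services Hosts] svhosts.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""
SECOND_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [5MJXBH55CL@NAZ] C:\WINDOWS\system32\Exk331LG.exe
O4 - HKLM\..\Run: [RZFe.exe] C:\WINDOWS\system32\RZFe.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
"""

def parse_hjt(text):
    """Yield (section, body, line) for each 'Xn - ...' entry line of a HijackThis log."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body"), raw.strip()

def _host(value):
    """Hostname of a URL-ish value; some R1 lines omit the scheme."""
    value = value.strip()
    if not value:
        return None
    return urlparse(value if "://" in value else "http://" + value).hostname

def _program(cmd):
    """Path of the executable an O4 command line starts."""
    m = EXE_RE.match(cmd.strip())
    if m:
        return m.group("path")
    return cmd.split()[0] if cmd.split() else ""

def flag(section, body):
    """Reason an entry looks suspicious, or None. Heuristics only: a hit means
    'examine this file', not 'this is malware', and a miss proves nothing."""
    if section in ("R0", "R1") and "=" in body:
        host = _host(body.split("=", 1)[1])
        if host and host not in ALLOWED_HOSTS:
            return f"IE search/start setting points at {host}"
    elif section == "F2" and "Shell=" in body:
        # Winlogon's Shell value should contain Explorer.exe and nothing else.
        extra = [p for p in body.split("Shell=", 1)[1].split() if p.lower() != "explorer.exe"]
        if extra:
            return "Winlogon Shell also starts: " + " ".join(extra)
    elif section == "O4" and (m := O4_RE.match(body)):
        path = _program(m.group("cmd"))
        exe = path.rsplit("\\", 1)[-1]
        if path and "\\" not in path:
            return f"bare file name {exe!r}, resolved via the search path"
        if any(t in path.lower() for t in TEMP_DIRS):
            return f"autostart from a temp directory: {path}"
        if m.group("name").lower() == exe.lower():
            return f"value name equals file name {exe!r} (typical of dropped trojans)"
    elif section == "O15" and (m := re.search(r"Trusted Zone: (\S+)", body)):
        host = _host(m.group(1))
        if host and host not in ALLOWED_HOSTS:
            return f"{host} added to the Trusted Zone"
    elif section == "O23" and (m := O23_RE.match(body)):
        if m.group("owner").lower() == "unknown owner":
            return f"service with no vendor: {m.group('path')}"
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return "dangling entry, target file missing"
    return None

def audit(text):
    """All flagged entries of a log as (section, reason, line) tuples."""
    return [(s, r, line) for s, b, line in parse_hjt(text) if (r := flag(s, b))]

def persisted(before, after):
    """Flagged lines found in both logs (case-insensitive): what survived the cleanup."""
    seen = {line.lower() for _, _, line in audit(before)}
    return [line for _, _, line in audit(after) if line.lower() in seen]

if __name__ == "__main__":
    for s, reason, line in audit(FIRST_LOG):
        print(f"{s:<4}{reason}\n    {line}")
    print("still present in the second log:", *persisted(FIRST_LOG, SECOND_LOG), sep="\n  ")
```

The rules are deliberately narrow, which the excerpts show: ccApp.exe and the dumprep entry pass, while `[5MJXBH55CL@NAZ] C:\WINDOWS\system32\Exk331LG.exe` is not caught by any of them, so an empty result is not a clean log. To use it on a fresh log, read the file into a string and pass it to audit(); HijackThis writes its log as plain text, so no other parsing is needed.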
05-24-2005, 01:04 AM   #8
Static_11 (Monster Techie; joined Apr 2005; 1,944 posts)

I have the answers but I'll let Blitze do it because he said he would.
05-24-2005, 01:13 AM   #9
Blitze105 (Monster Techie; joined Jan 2005; 1,101 posts)

I suggest using online scans now; there are some in the bottom link that Static posted.
05-24-2005, 01:50 AM   #10
kb-resq (Newb Techie; joined Jan 2005; 14 posts)

Okay, two more details to let you know:
1) I've been using Firefox, not Internet Explorer.
2) I've also been using Microsoft AntiSpyware for a while now.

I couldn't get the on-line scanners (BitDefender and Trend Micro) to work with Firefox, so I used IE for that.

I'll run the on-line scanner that Static suggested and post the results...
 