
Thread: Dropper.Agent.dgo and other viruses

  1. #21
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    Yes, now it looks to be gone.

    Delete these folders:

    C:\Documents and Settings\LocalService\Application Data\AVG7
    C:\Documents and Settings\Anastasia N\Application Data\AVG7
    C:\Documents and Settings\All Users\Application Data\avg7
    C:\Documents and Settings\All Users\Application Data\Grisoft

    Empty Recycle Bin.

    Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:

      o Scan using the following Anti-Virus database:

      + Extended (If available otherwise Standard)

      o Scan Options:

      + Scan Archives
      + Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    Note: This scanner will work with Internet Explorer Only!

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

    Post:

    - a fresh HijackThis log
    - kaspersky report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  2. #22
    Member SLRHCristy
    Join Date
    Jan 2008
    Location
    Riverton
    Posts
    50

    Hi,

    Glad to be rid of those folders.

    As for Kaspersky, the "accept" button on the link you provided is not working.

    Also, I cannot get IE to let me go to any website besides myspace or yahoo. When I try to go to another site via IE, I got a message that IE was having a problem with add-on flash8.ocx. That error went away after a few times. When I tried again to go to another site, it kept saying Windows cannot find "null". When I tried to download kaspersky from the kaspersky site, I copy/pasted the link from firefox to IE, and it would just pop over to firefox and open it.

    Firefox is working fine, but I cannot figure out what's up with IE.
    Urgh.

    Help!

  3. #23
    Member SLRHCristy
    Join Date
    Jan 2008
    Location
    Riverton
    Posts
    50

    Also,

    Here's a new HJT log just in case you need that also. Thanks so much for all your help!!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:13:17 AM, on 2/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [Launcher] F:\setup.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 5299 bytes

  4. #24
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    Then we do this instead:

    Please print these instructions out, or write them down, as you can't read them during the fix.

    Please download MWav:
    • Unzip it to its predetermined directory (C:\Kaspersky)
    • Locate kavupd.exe in the new folder and double-click to Update.
    • If your firewall gives any messages about this program accessing to internet, allow it.
    • If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
    • When you see Updates Downloaded Successfully, hit Enter to continue.
    • Restart onto Safe Mode and locate the Kaspersky folder.
    • Locate mwavscan.com and double-click on it to launch the MWAV Scanner.
    Now let's do the settings:
    • Leave the Default Settings checked.
    • Add a check to Drives
    • This will light up All Drives
    • Add a check to Scan all Files
    • Click Scan Clean to begin.

    This scan might take around 3+ hours to finish when set to scan everything.
    • Please be sure it has finished before proceeding.
    • Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
    • Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
    • Open an empty Notepad file and paste the results (Ctrl+V) into it. Save the Notepad file to your desktop and name it as you want (e.g., MWav Results).
    Reboot into normal Windows and post the results here along with a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #25
    Member SLRHCristy
    Join Date
    Jan 2008
    Location
    Riverton
    Posts
    50

    MWav Results

    Shaba,

    I knew you'd have an answer!

    Here is the new MWav scan result:

    File C:\Program Files\Norton AntiVirus\Quarantine\122C23D7.class infected by "Trojan.Java.ClassLoader.Dummy.a" Virus. Action Taken: File Deleted.
    File C:\Program Files\Norton AntiVirus\Quarantine\12304DD4.class infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: File Deleted.
    File C:\Program Files\Norton AntiVirus\Quarantine\59E31CF4.class infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
    File C:\Program Files\Norton AntiVirus\Quarantine\7177607C.class infected by "Trojan-Downloader.Java.OpenConnection.v" Virus. Action Taken: File Deleted.
    File C:\QooBox\Quarantine\C\Program Files\Grisoft\AVG7\avgw.exe.vir infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\QooBox\Quarantine\C\WINDOWS\system32\ctfmon.exe.tmp.vir infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\QooBox\Quarantine\C\WINDOWS\system32\jkkjk.exe.vir infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\QooBox\Quarantine\C\WINDOWS\system32\LDBC0.tmp.vir infected by "Trojan.Win32.Scapur.k" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0083872.dll tagged as not-a-virus:AdWare.Win32.ZenoSearch.ad. No Action Taken.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0083873.exe infected by "Trojan-Downloader.Win32.Small.cdy" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084885.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084886.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084894.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084902.exe infected by "Trojan-Downloader.Win32.Agent.gwe" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084913.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084920.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085914.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085929.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085932.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP732\A0085952.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086133.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086136.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086159.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086162.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086167.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP735\A0086208.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP736\A0086307.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP737\A0086320.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP737\A0086323.exe infected by "Trojan.Win32.Scapur.k" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP737\A0086324.exe tagged as not-a-virus:AdWare.Win32.PurityScan.gp. No Action Taken.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP737\A0086326.dll tagged as not-a-virus:AdWare.Win32.ZenoSearch.ad. No Action Taken.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086338.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086340.exe infected by "Trojan.Win32.Scapur.k" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086341.exe tagged as not-a-virus:AdWare.Win32.PurityScan.gp. No Action Taken.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086343.dll tagged as not-a-virus:AdWare.Win32.ZenoSearch.ad. No Action Taken.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086358.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086362.dll tagged as not-a-virus:AdWare.Win32.ZenoSearch.ad. No Action Taken.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086367.exe tagged as not-a-virus:AdWare.Win32.PurityScan.gp. No Action Taken.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086368.exe infected by "Trojan.Win32.Scapur.k" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086378.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086380.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086381.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086385.exe infected by "Trojan-Downloader.Win32.Agent.gwe" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086393.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086408.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086425.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086427.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP739\A0086439.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP739\A0086441.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP739\A0086443.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP741\A0086489.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP743\A0086605.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP743\A0086666.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP743\A0086667.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP743\A0086669.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP744\A0086679.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP745\A0086746.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP746\A0086846.rbf infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP746\A0086903.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP749\A0087162.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP749\A0087169.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.

  6. #26
    Member SLRHCristy
    Join Date
    Jan 2008
    Location
    Riverton
    Posts
    50

    And the new HJT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:18:47 PM, on 2/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Aegon\Updater\Updater.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 5210 bytes



    Thanks!!!

  7. #27
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    Empty these folders:

    C:\Program Files\Norton AntiVirus\Quarantine

    C:\QooBox\Quarantine

    Empty Recycle Bin.

    I can redirect you to a Windows forum for that IE issue if you like.

    All other viruses are in system restore and inactive.

    I will give you instructions later on how to empty it.

    Other than that, any problems left?
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
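
Added example (not part of the original thread): one way to sort a scanner result list like the MWav output above by where each hit sits on disk, which is the distinction drawn between quarantine folders, System Restore copies and everything else. The sample lines are constructed from the posted format; the final `example.exe` line and all function names are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the MWav results posted in this thread.
# The first four lines are copied from that post; the last line (a hit outside
# quarantine and System Restore) is hypothetical and only exercises the "live" case.
SAMPLE = r'''
File C:\Program Files\Norton AntiVirus\Quarantine\59E31CF4.class infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
File C:\QooBox\Quarantine\C\WINDOWS\system32\jkkjk.exe.vir infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0083872.dll tagged as not-a-virus:AdWare.Win32.ZenoSearch.ad. No Action Taken.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086340.exe infected by "Trojan.Win32.Scapur.k" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system32\example.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
'''

# Two line shapes appear in the post: 'infected by "<name>" Virus.' and
# 'tagged as <name>.', each followed by an action or "No Action Taken".
LINE_RE = re.compile(
    r'^File (?P<path>.+?) '
    r'(?:infected by "(?P<infected>[^"]+)" Virus|tagged as (?P<tagged>\S+?))\. '
    r'(?:Action Taken: (?P<action>[^.]+)|(?P<noaction>No Action Taken))\.$'
)


def location(path):
    """Classify a hit by the folder it was found in."""
    p = path.lower()
    if "\\system volume information\\_restore{" in p:
        return "system_restore"   # snapshot copy kept by System Restore
    if "\\quarantine\\" in p:
        return "quarantine"       # already isolated by an earlier tool
    return "live"                 # ordinary filesystem location


def parse(text):
    """Turn result lines into dicts; lines that do not match are skipped."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        hits.append({
            "path": m["path"],
            "name": m["infected"] or m["tagged"],
            "action": m["action"] or "No Action Taken",
            "where": location(m["path"]),
        })
    return hits


def triage(text):
    hits = parse(text)
    return {
        "by_location": Counter(h["where"] for h in hits),
        "by_name": Counter(h["name"] for h in hits),
        # Anything the scanner renamed or skipped is still present on disk.
        "still_on_disk": [h for h in hits if h["action"] != "File Deleted"],
        # Hits outside quarantine and System Restore sat where they could be run from.
        "live": [h["path"] for h in hits if h["where"] == "live"],
    }


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(dict(result["by_location"]))
    for h in result["still_on_disk"]:
        print("remains:", h["where"], h["name"], "-", h["action"])
    print("live hits:", result["live"])
```
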

  8. #28
    Member SLRHCristy
    Join Date
    Jan 2008
    Location
    Riverton
    Posts
    50

    Hi,

    I'm not entirely sure how to empty those folders, vs. deleting them...do I just delete everything inside the folders?

    As for any other issues, my computer seems to be working as it should, and I don't see any more strange windows or commands popping up. Great news! Thanks so much for all of your help and patience!!

    As for IE, I actually never use it - I only use Firefox - but if there is a virus infecting IE or something, please do point me in the right direction so I can make sure the whole system is clean.

    Also, when the virus infected my computer, it seemed to have infected my Adaware and Norton. I'd like to just un-install those when we get to that point, and follow your recommendations for protecting my system.

    I wait to hear from you.

    Thanks!

  9. #29
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    Actually there seems to be one bad entry left, my bad.

    Let's find out if there is more:

    Delete your copy of combofix.

    1. Download combofix from any of these links and save it to Desktop:
    Link 1
    Link 2
    Link 3

    **Note: It is important that it is saved directly to your desktop**

    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.

    If you have problems with Combofix usage, see here

    Post:

    - a fresh HijackThis log
    - combofix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
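
Added example (not part of the original thread): comparing the entry lines of the two HijackThis logs posted above and checking the newer log for autostart entries that still point at a file a cleanup tool has moved into quarantine. The log excerpts and quarantine paths are copied from this thread and trimmed; the QooBox layout rule (drive letter as the first folder, `.vir` suffix) is an assumption inferred from the paths shown here, and all function names are illustrative.

```python
import re

# Constructed excerpts: entry lines copied from the two HijackThis logs in this
# thread (2/8/2008 and 2/9/2008), trimmed to a few lines each.
LOG_BEFORE = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Launcher] F:\setup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
'''
LOG_AFTER = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
'''
# Quarantine paths copied from the MWav results posted in the thread.
QUARANTINED = [
    r"C:\QooBox\Quarantine\C\WINDOWS\system32\jkkjk.exe.vir",
    r"C:\QooBox\Quarantine\C\WINDOWS\system32\ctfmon.exe.tmp.vir",
    r"C:\QooBox\Quarantine\C\Program Files\Grisoft\AVG7\avgw.exe.vir",
]

ENTRY_RE = re.compile(r'^[A-Z]\d{1,2} - .+$')   # e.g. "O4 - ...", "F3 - ..."
QOOBOX = "C:\\QooBox\\Quarantine\\"


def entries(log):
    """Return the set of HijackThis entry lines (header and process list skipped)."""
    return {ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())}


def diff(before, after):
    """Entries that appeared and entries that disappeared between two logs."""
    a, b = entries(before), entries(after)
    return sorted(b - a), sorted(a - b)


def original_path(qpath):
    """Map a QooBox quarantine path back to where the file used to live.

    Assumed layout: C:\\QooBox\\Quarantine\\<drive>\\<rest>.vir
    Returns None for paths that do not fit that layout.
    """
    low = qpath.lower()
    if not low.startswith(QOOBOX.lower()) or not low.endswith(".vir"):
        return None
    rest = qpath[len(QOOBOX):-len(".vir")]
    drive, _, tail = rest.partition("\\")
    if len(drive) != 1 or not tail:
        return None
    return f"{drive}:\\{tail}"


def dangling(log, quarantined):
    """Entries in `log` that reference the original location of a quarantined file."""
    originals = [p for p in map(original_path, quarantined) if p]
    found = []
    for entry in sorted(entries(log)):
        for orig in originals:
            # The lookahead stops "ctfmon.exe" from matching "ctfmon.exe.tmp" and vice versa.
            if re.search(re.escape(orig) + r'(?![\w.])', entry, re.IGNORECASE):
                found.append((entry, orig))
    return found


if __name__ == "__main__":
    added, removed = diff(LOG_BEFORE, LOG_AFTER)
    print("added:", *added, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
    for entry, orig in dangling(LOG_AFTER, QUARANTINED):
        print("references quarantined file:", entry)
```

An entry flagged this way is either a leftover reference to a file that no longer exists or a value that something rewrote after the cleanup, so it is worth re-checking in the next log.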

  10. #30
    Member SLRHCristy
    Join Date
    Jan 2008
    Location
    Riverton
    Posts
    50

    New combofix

    Hi,

    Here is my new combofix log:

    ComboFix 08-02.05.3 - Anastasia 2008-02-10 10:38:56.6 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.276 [GMT -7:00]
    Running from: C:\Documents and Settings\Anastasia N\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
    .

    2008-02-09 12:34 . 2008-02-09 12:34 0 --a------ C:\23990098.$$$
    2008-02-09 10:35 . 2008-02-09 10:44 <DIR> d-------- C:\Downloads
    2008-02-09 10:32 . 2008-02-09 10:33 <DIR> d-------- C:\Kaspersky
    2008-01-30 21:17 . 2008-01-30 21:17 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-29 21:55 . 2008-01-29 21:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2008-01-29 21:00 . 2008-02-09 10:49 2,211,360 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-01-29 21:00 . 2008-02-09 10:49 77,344 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-01-29 21:00 . 2008-02-09 10:49 31,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-01-29 21:00 . 2008-02-09 10:49 9,344 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-01-29 20:49 . 2008-01-29 20:49 <DIR> d-------- C:\KAV
    2008-01-29 20:17 . 2008-02-02 10:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-01-29 20:17 . 2008-01-29 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-28 21:50 . 2008-02-08 06:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2008-01-28 17:42 . 2008-02-08 06:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-28 17:09 . 2008-01-28 17:09 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
    2008-01-28 17:09 . 2008-01-28 17:09 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
    2008-01-27 19:10 . 2008-01-27 19:10 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
    2008-01-19 18:48 . 2008-01-27 18:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-19 18:48 . 2008-01-19 18:48 1,409 --a------ C:\WINDOWS\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-07 02:37 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-02-05 01:29 --------- d-----w C:\Program Files\SymNetDrv
    2008-02-05 01:29 --------- d-----w C:\Program Files\Lexmark X1100 Series
    2008-02-05 01:29 --------- d-----w C:\Program Files\iTunes
    2008-02-05 01:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-01-30 01:17 --------- d-----w C:\Program Files\Norton AntiVirus
    2008-01-29 23:57 --------- d-----w C:\Program Files\Lavasoft
    2008-01-29 14:15 --------- d-----w C:\Program Files\Norton SystemWorks
    2008-01-29 13:46 --------- d-----w C:\Program Files\QuickTime
    2008-01-29 01:58 --------- d-----w C:\Program Files\PopUp Killer
    2007-12-16 19:59 --------- d-----w C:\Program Files\Java
    2005-01-27 18:17 513 ----a-w C:\Program Files\INSTALL.LOG
    2004-08-22 13:19 168 ----a-w C:\Program Files\setupfax.log
    2004-08-19 08:28 1,599 ----a-w C:\Program Files\Remote Assistance.lnk
    2004-08-18 20:10 2,002 ----a-w C:\Program Files\Open Office Document.lnk
    2004-08-18 11:07 738 ----a-w C:\Program Files\Outlook Express.lnk
    2004-08-18 09:58 398 ----a-w C:\Program Files\Windows Catalog.lnk
    2004-08-18 09:58 1,507 ----a-w C:\Program Files\Windows Update.lnk
    2004-08-18 09:55 786 ----a-w C:\Program Files\Windows Movie Maker.lnk
    2004-08-18 09:52 1,986 ----a-w C:\Program Files\MSN.lnk
    2001-09-29 00:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2002-06-28 23:05 46592 C:\WINDOWS\SOUNDMAN.EXE]
    "CHotkey"="mHotkey.exe" [2002-07-23 10:09 477184 C:\WINDOWS\mHotkey.exe]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 17:46 28160 C:\WINDOWS\KHALMNPR.Exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-31 16:58:50 532480]
    Toolbox Updater.lnk - C:\Program Files\Aegon\Updater\Updater.exe [2003-01-31 17:08:36 258048]

    S3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2003-09-10 04:12]
    S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2003-09-10 03:58]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-10 17:32:59 C:\WINDOWS\Tasks\Ad-aware.job"
    - C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    "2008-02-08 14:15:06 C:\WINDOWS\Tasks\Checkup Scheduled.job"
    - C:\Program Files\Norton SystemWorks\OBC.exe
    "2007-12-06 15:09:26 C:\WINDOWS\Tasks\Disk Cleanup.job"
    - C:\WINDOWS\system32\cleanmgr.exe
    "2008-02-09 21:53:09 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Anastasia.job"
    - C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
    "2008-02-10 05:45:48 C:\WINDOWS\Tasks\Norton System Doctor.job"
    - C:\PROGRA~1\NORTON~2\NORTON~1\sysdoc32.exe
    "2007-12-06 15:09:24 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
    - C:\Program Files\Norton SystemWorks\OBC.exe
    "2008-01-24 14:00:23 C:\WINDOWS\Tasks\Speed Disk.job"
    - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\sdntc.exe
    "2008-02-10 07:00:01 C:\WINDOWS\Tasks\Symantec Drmc.job"
    - C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
    "2008-02-10 08:20:20 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-10 10:41:52
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2008-02-10 10:43:28
    ComboFix-quarantined-files.txt 2008-02-10 17:42:34
    ComboFix2.txt 2008-02-08 05:54:49
    .
    2008-01-30 10:01:48 --- E O F ---


    And HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:02:08 AM, on 2/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Aegon\Updater\Updater.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 5289 bytes


    I'll wait to hear from you regarding emptying those other folders.

    Thanks!
