Big-time PC Issues

[Mr_JAk3]

Hi again

Looks much better.

Yes, fix the following entries with HijackThis:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.3721.com/srchcust.htm

Then we'll run a one more scan just in case.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (if available otherwise Standard)
  • Scan Options:
  • Scan Archives
    Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post along with a HijackThis log

 

[Miopip]

Ugh. I'm gettting an error: 'some components are damaged or not present. Please reinstall the application' when trying to run Kaspersky. Any suggestions?

 

[Mr_JAk3]

Hmm, please try Panda instead:

• Please go HERE to run PandaActiveScan...
  
• Once you are on the Panda site click the Scan your PC button
• A new window will open...click the Check Now button
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• Select either Home User or Company
• Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  
• When download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

How is the computer running?

 

[Miopip]

Thanks, I'll try the Panda and let you know.

The computer seems to be running more efficiently, particularly the Net. I was getting a ton of popups; they're reduced practically to nil and it's really just popups from Orbitz.

All these programs I've downloaded, which should I keep? Obviously the firewall (I chose ZoneAlarm). And probably HJT; I'd used that one in the past and it did well. But what about all the others?

:bigthumb:

 

[Mr_JAk3]

Hi

Firewall and Antivirus are very important. Most of the tools we used are just serch tools that can be removed when we're done.

Just noticed that you have a few McAfee leftovers, you could run this cleanup tool --> Link

Post the Panda results when ready :bigthumb:

 

[Miopip]

This is strange. When trying to download Panda I get the following error. I've even tried rebooting. I have enough disk space for this so I'm not sure what's happening. Could it be that the ActiveX is not being allowed to download?

An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try againPossible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,...

 

[Mr_JAk3]

Hi

Ok, the problem is propably in the Internet Explorer settings, they wont allow ActiveX components. But it is good to have tight IE settings.

You could update your Norton and run a full system scan instead of Panda.

:bigthumb:

 

[Miopip]

Ok, will run the full system scan. Should I post results? Also noticed rtvcscan.exe is back.

 

[Mr_JAk3]

Ok please post the results if possible and also a fresh HijackThis log. :bigthumb:

 

[Miopip]

Will do. I'm having some trouble...I tried running a full scan but was told I didn't have enough disk space. That confused me. I have 2 hard drives. C:/ is a 6 GB drive that is essentially full. D:/ is a 40 GB drive with 9 GB remaining. I'm scratching my head. I ran a full scan about a week before we started troubleshooting and I had no trouble running the scan.

 

[Mr_JAk3]

Hi

Hmm...

We may use this scanner too:

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download MWav:

• Unzip it to its predetermined directory (C:\Kaspersky)
• Locate kavupd.exe in the new folder and double-click to Update.
• If your firewall gives any messages about this program accessing to internet, allow it.
• If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
• When you see Updates Downloaded Successfully, hit Enter to continue.
• Restart onto Safe Mode and locate the Kaspersky folder.
• Locate mwavscan.com and double-click on it to launch the MWAV Scanner.

Now lets do the settings:

• Leave the Default Settings checked.
• Add a check to Drives
• This will light up All Drives
• Add a check to Scan all Files
• Click Scan Clean to begin.

This scan might take around 3+ hours to finish when set to scan everything.

• Please be sure it has finished before proceeding.
• Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
• Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
• Open an empty notepad file and paste the results (Ctrl+V) to it. Save the notepad to your desktop, name it as you want (e.g; MWav Results).

Reboot into normal Windows and post the results here along with a fresh HijackThis log.

 

[Miopip]

I'll post results of scan in the next 24 hours. Sorry for delay.

I ran a Hijack This log and noticed rtvcscan.exe is back. Why/how are they coming back?

 

[Mr_JAk3]

Why/how are they coming back?

They seem to like your computer

Well sometimes if something bad is left to the computer, they download more baddies. Your entries may be some leftovers too, I'll be able to tell more when I see the latest logs...

:bigthumb:

 

[Miopip]

If you hear a sound all the way over there it's my angered scream. I'm sorry but even having difficulty downloading your suggested MWav. Here's the issue- my pc has 2 hard drives, C:/ is tiny and so I keep running into issues of having enough space, D:/ has 9 GB remaining. I tried downloading MWav to D:/ but it wouldn't take. So my next step I think is to see what can be removed from C:/, unless you have any other suggestions.

 

[Mr_JAk3]

Hmm...

Could you post a fresh HijackThis log :bigthumb:

 

[Miopip]

Sure, here's the log:

These guys are back:
O4 - HKLM\..\Run: [Microsoft] rtvcscan.exe
O4 - HKLM\..\RunServices: [Microsoft] rtvcscan.exe
O4 - HKCU\..\Run: [Microsoft] rtvcscan.exe

And this one looks new:
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)

Logfile of HijackThis v1.99.1
Scan saved at 11:29:40 PM, on 3/13/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\qttask.exe
D:\Program Files\iTunes 7\iTunesHelper.exe
C:\WINNT\system32\rtvcscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes 7\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft] rtvcscan.exe
O4 - HKLM\..\RunServices: [Microsoft] rtvcscan.exe
O4 - HKCU\..\Run: [Microsoft] rtvcscan.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OracleOra9ias_homeClientCache - Unknown owner - C:\ora9ias\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

 

[Mr_JAk3]

Hmm I wonder how it came back. You have a firewall so this is bit odd...

Please remove the previous versions of SDFix.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

• In Safe Mode, right click the SDFix.zip folder and choose Extract All,
• Open the extracted folder and double click RunThis.bat to start the script.
• Type Y to begin the script.
• It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• Your system will take longer that normal to restart as the fixtool will be running and removing files.
• When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
• Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

:bigthumb:

 

[Miopip]

SDFix: Version 1.73

Run by administrator - Sat 03/17/2007 - 10:50:44.41

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\Documents and Settings\Administrator\Desktop\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINNT\system32\rtvcscan.exe - Deleted



ADS Check:

C:\WINNT\system32
No streams found.


Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\ADMINI~1\Desktop\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Documents and Settings\jianquin.lu.old\prf102.tmp
C:\Documents and Settings\jianquin.lu.old\prf20.tmp
C:\Documents and Settings\jianquin.lu.old\prf30.tmp
C:\Documents and Settings\jianquin.lu.old\prf7A.tmp
C:\Documents and Settings\jianquin.lu.old\prf9F.tmp
C:\Documents and Settings\jianquin.lu.old\prfAD.tmp
C:\Documents and Settings\jianquin.lu.old\prfCD.tmp
C:\WINNT\Temp\OLD283.tmp
C:\WINNT\Temp\OLD284.tmp
C:\WINNT\Temp\OLD2F1.tmp
C:\WINNT\Temp\OLD2F2.tmp
C:\WINNT\Temp\OLD51.tmp
C:\WINNT\Temp\OLD52.tmp
C:\WINNT\Temp\OLD7F.tmp
C:\WINNT\Temp\OLD80.tmp
C:\WINNT\Temp\OLD92.tmp
C:\WINNT\Temp\OLD93.tmp
C:\WINNT\Temp\OLD99.tmp
C:\WINNT\Temp\OLD9A.tmp
C:\WINNT\Temp\OLDD.tmp
C:\WINNT\Temp\OLDE.tmp

Finished

Logfile of HijackThis v1.99.1
Scan saved at 11:26:59 AM, on 3/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\qttask.exe
D:\Program Files\iTunes 7\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes 7\iTunesHelper.exe"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OracleOra9ias_homeClientCache - Unknown owner - C:\ora9ias\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

What is: O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)?

 

[Mr_JAk3]

Ok Hjt log looks good now.

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)

Seems to be a leftover. You've had Ati videocard/software installed?

=======

Please run a new scan with GMER and post the log to here. Also you could update Norton and run a complete system scan.

:bigthumb:

 

[Miopip]

GMER is running now....results to follow.

As it runs I'm gettting ant-virus popups, including:
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gmer.exe (PID 1656)
Time: Sunday, March 18, 2007 8:29:27 AM