Updated Hijack this log



#16
RickMath

    Member

  • Topic Starter
  • 177 posts
:tazz:

Thanks, but I cannot determine how to delete hxdef100.ini or hxdef100.exe.

When I run unhackme it says that there are no Trojans found.

I searched the registry and the hard drive for these and cannot find them. So I am not sure how to go about deleting them, so they have not been deleted.

Do you need another HJT log now or is there something I can use to delete these? I remember last year when I had a backdoor trojan, whoever helped sent me a URL to a site for deleting these things when they could not be found. I'll wait for your advice though.

Rick
  • 0


#17
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
See if you have the file C:\WINDOWS\system32\sc.exe

Copy the code below into notepad and save it as cleanupHD.bat in that same folder.
Set Filetype to "All files"

REM Hacker Defender Removal Script from Brian Black 

sc.exe \\%1 stop McShield

sc.exe \\%1 stop Fax
sc.exe \\%1 stop HackerDefender100
sc.exe \\%1 stop rpcxshell
sc.exe \\%1 stop DNTUS26
sc.exe \\%1 stop rmtbackup

sc.exe \\%1 delete Fax
sc.exe \\%1 delete HackerDefender100
sc.exe \\%1 delete rpcxshell
sc.exe \\%1 delete rsaservice
sc.exe \\%1 delete DNTUS26
sc.exe \\%1 delete rmtbackup


IF EXIST \\%1\C$\WINNT\*.* (
      Set WINPATH=WINNT
  ) ELSE (
      Set WINPATH=WINDOWS
  )

del /f /q \\%1\C$\%WINPATH%\FAXSV.EXE
del /f /q \\%1\C$\%WINPATH%\HXDEF100.EXE
del /f /q \\%1\C$\%WINPATH%\HXDEF100.INI
del /f /q \\%1\C$\%WINPATH%\HXDEFDRV.SYS
del /f /q \\%1\C$\%WINPATH%\vb6dll.ocx
del /f /q \\%1\C$\%WINPATH%\rasmins.dll
del /f /q \\%1\C$\%WINPATH%\dpvcs.dll
del /f /q \\%1\C$\%WINPATH%\syslog.exe
del /f /q \\%1\C$\%WINPATH%\msinldt.dll
del /f /q \\%1\C$\%WINPATH%\DNTUS26.EXE
del /f /q \\%1\C$\%WINPATH%\kills.exe
del /f /q \\%1\C$\%WINPATH%\port.exe
del /f /q \\%1\C$\%WINPATH%\rmtbckp.exe

del /f /q \\%1\C$\%WINPATH%\System32\FAXSV.EXE
del /f /q \\%1\C$\%WINPATH%\System32\HXDEF100.EXE
del /f /q \\%1\C$\%WINPATH%\System32\HXDEF100.INI
del /f /q \\%1\C$\%WINPATH%\System32\HXDEFDRV.SYS
del /f /q \\%1\C$\%WINPATH%\System32\vb6dll.ocx
del /f /q \\%1\C$\%WINPATH%\System32\rasmins.dll
del /f /q \\%1\C$\%WINPATH%\System32\dpvcs.dll
del /f /q \\%1\C$\%WINPATH%\System32\syslog.exe
del /f /q \\%1\C$\%WINPATH%\System32\msinldt.dll
del /f /q \\%1\C$\%WINPATH%\System32\DNTUS26.EXE
del /f /q \\%1\C$\%WINPATH%\System32\kills.exe
del /f /q \\%1\C$\%WINPATH%\System32\port.exe
del /f /q \\%1\C$\%WINPATH%\System32\rmtbckp.exe

del /f /q \\%1\C$\%WINPATH%\System\FAXSV.EXE
del /f /q \\%1\C$\%WINPATH%\System\HXDEF100.EXE
del /f /q \\%1\C$\%WINPATH%\System\HXDEF100.INI
del /f /q \\%1\C$\%WINPATH%\System\HXDEFDRV.SYS
del /f /q \\%1\C$\%WINPATH%\System\vb6dll.ocx
del /f /q \\%1\C$\%WINPATH%\System\rasmins.dll
del /f /q \\%1\C$\%WINPATH%\System\dpvcs.dll
del /f /q \\%1\C$\%WINPATH%\System\syslog.exe
del /f /q \\%1\C$\%WINPATH%\System\msinldt.dll
del /f /q \\%1\C$\%WINPATH%\System\DNTUS26.EXE
del /f /q \\%1\C$\%WINPATH%\System\kills.exe
del /f /q \\%1\C$\%WINPATH%\System\port.exe
del /f /q \\%1\C$\%WINPATH%\System\rmtbckp.exe

sc.exe \\%1 start McShield

REM ===================================================================

Reboot into safe mode and double-click cleanupHD.bat

After it is done boot back to normal and post a new HijackThis log.

Regards,
  • 0

#18
RickMath

    Member

  • Topic Starter
  • 177 posts
Well, I tried to run it and had to go to the same old "Windows does not recognize" screen and browse to the file cleanupHD.bat

Here is the result. It looks like it did not run. Any advice on how to make it run?

Also, below it is another HJT log

C:\WINDOWS\system32>REM Hacker Defender Removal Script from Brian Black

C:\WINDOWS\system32>sc.exe \\"C:\WINDOWS\system32\cleanupHD.bat" stop McShield
*** Unrecognized Command ***
DESCRIPTION:
SC is a command line program used for communicating with the
NT Service Controller and services.
USAGE:
sc <server> [command] [service name] <option1> <option2>...

The option <server> has the form "\\ServerName"
Further help on commands can be obtained by typing: "sc [command]"
Commands:
query-----------Queries the status for a service, or
enumerates the status for types of services.
queryex---------Queries the extended status for a service, or
enumerates the status for types of services.
start-----------Starts a service.
pause-----------Sends a PAUSE control request to a service.
interrogate-----Sends an INTERROGATE control request to a service.
continue--------Sends a CONTINUE control request to a service.
stop------------Sends a STOP request to a service.
config----------Changes the configuration of a service (persistant).
description-----Changes the description of a service.
failure---------Changes the actions taken by a service upon failure.
qc--------------Queries the configuration information for a service.
qdescription----Queries the description for a service.
qfailure--------Queries the actions taken by a service upon failure.
delete----------Deletes a service (from the registry).
create----------Creates a service. (adds it to the registry).
control---------Sends a control to a service.
sdshow----------Displays a service's security descriptor.
sdset-----------Sets a service's security descriptor.
GetDisplayName--Gets the DisplayName for a service.
GetKeyName------Gets the ServiceKeyName for a service.
EnumDepend------Enumerates Service Dependencies.

The following commands don't require a service name:
sc <server> <command> <option>
boot------------(ok | bad) Indicates whether the last boot should
be saved as the last-known-good boot configuration
Lock------------Locks the Service Database
QueryLock-------Queries the LockStatus for the SCManager Database
EXAMPLE:
sc start MyService

Would you like to see help for the QUERY and QUERYEX commands? [ y | n ]:


Logfile of HijackThis v1.99.1
Scan saved at 9:01:36 AM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Fixing Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C04F7956B1} - http://www001.upp.so.....49Z/find.html (file missing)
O9 - Extra button: ANTIVIRUS - {0B5F1910-F111-11d2-BB9E-00C04F7956B2} - http://www001.upp.so.../antivirus.html (file missing)
O9 - Extra button: ENTERTAINMENT - {0B5F1910-F111-11d2-BB9E-00C04F7956B3} - http://www001.upp.so...4...IZ/ggo.html (file missing)
O9 - Extra button: SECURITY - {0B5F1910-F111-11d2-BB9E-00C04F7956B4} - http://www001.upp.so.....Z/warning.htm (file missing)
O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C04F7956B5} - http://www001.upp.so.../topsearch.html (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Microsoft® JavaScript® Console - {62C369E6-4AC1-4B37-B7C9-C6844F60704E} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {62C369E6-4AC1-4B37-B7C9-C6844F60704E} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft® JavaScript® Console - {62C369E6-4AC1-4B37-B7C9-C6844F60704E} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {62C369E6-4AC1-4B37-B7C9-C6844F60704E} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://coles2.kennesaw.edu/iNotes.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#19
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I think I know what went wrong. The script is meant to be used from a server on a workstation.
I'll have to change it.
I hope I get this right.

Don't worry if a few of the SC commands don't work. The services may have been stopped by UnHackMe.

REM based on Hacker Defender Removal Script from Brian Black 

sc.exe stop Fax
sc.exe stop HackerDefender100
sc.exe stop rpcxshell
sc.exe stop DNTUS26
sc.exe stop rmtbackup

sc.exe delete Fax
sc.exe delete HackerDefender100
sc.exe delete rpcxshell
sc.exe delete rsaservice
sc.exe delete DNTUS26
sc.exe delete rmtbackup

del /f /q C:\WINDOWS\FAXSV.EXE
del /f /q C:\WINDOWS\HXDEF100.EXE
del /f /q C:\WINDOWS\HXDEF100.INI
del /f /q C:\WINDOWS\HXDEFDRV.SYS
del /f /q C:\WINDOWS\vb6dll.ocx
del /f /q C:\WINDOWS\rasmins.dll
del /f /q C:\WINDOWS\dpvcs.dll
del /f /q C:\WINDOWS\syslog.exe
del /f /q C:\WINDOWS\msinldt.dll
del /f /q C:\WINDOWS\DNTUS26.EXE
del /f /q C:\WINDOWS\kills.exe
del /f /q C:\WINDOWS\port.exe
del /f /q C:\WINDOWS\rmtbckp.exe

del /f /q C:\WINDOWS\System32\FAXSV.EXE
del /f /q C:\WINDOWS\System32\HXDEF100.EXE
del /f /q C:\WINDOWS\System32\HXDEF100.INI
del /f /q C:\WINDOWS\System32\HXDEFDRV.SYS
del /f /q C:\WINDOWS\System32\vb6dll.ocx
del /f /q C:\WINDOWS\System32\rasmins.dll
del /f /q C:\WINDOWS\System32\dpvcs.dll
del /f /q C:\WINDOWS\System32\syslog.exe
del /f /q C:\WINDOWS\System32\msinldt.dll
del /f /q C:\WINDOWS\System32\DNTUS26.EXE
del /f /q C:\WINDOWS\System32\kills.exe
del /f /q C:\WINDOWS\System32\port.exe
del /f /q C:\WINDOWS\System32\rmtbckp.exe

del /f /q C:\WINDOWS\System\FAXSV.EXE
del /f /q C:\WINDOWS\System\HXDEF100.EXE
del /f /q C:\WINDOWS\System\HXDEF100.INI
del /f /q C:\WINDOWS\System\HXDEFDRV.SYS
del /f /q C:\WINDOWS\System\vb6dll.ocx
del /f /q C:\WINDOWS\System\rasmins.dll
del /f /q C:\WINDOWS\System\dpvcs.dll
del /f /q C:\WINDOWS\System\syslog.exe
del /f /q C:\WINDOWS\System\msinldt.dll
del /f /q C:\WINDOWS\System\DNTUS26.EXE
del /f /q C:\WINDOWS\System\kills.exe
del /f /q C:\WINDOWS\System\port.exe
del /f /q C:\WINDOWS\System\rmtbckp.exe

REM ===================================================================

Let me know.
  • 0
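
An added example, not part of the posts above and not Brian Black's script: one way to write a cleanup script of this shape so it works both on the local machine (no argument) and against a remote one (computer name in %1), and so that a file path landing in %1, the failure shown in post #18, is rejected instead of being passed to sc.exe. The service and file names are the ones listed in the thread; the labels, variable names and messages are assumptions made for this example.

```batch
@echo off
REM Added example, not the script posted in the thread.
REM Usage: cleanupHD.bat            cleans the local machine
REM        cleanupHD.bat HOSTNAME   cleans \\HOSTNAME over its C$ share
REM Run it the way the post advises (safe mode): a rootkit that is active
REM can hide its own files and services from these commands.
setlocal

set "TARGET=%~1"
if not defined TARGET goto :local

REM A computer name never contains "\" or ":". A path in %%1 means the
REM script was started through "Open with", as happened in post #18.
if not "%TARGET%"=="%TARGET:\=%" goto :badarg
if not "%TARGET%"=="%TARGET::=%" goto :badarg

set "SC_HOST=\\%TARGET%"
if exist "\\%TARGET%\C$\WINNT\*.*" (
    set "WINROOT=\\%TARGET%\C$\WINNT"
) else (
    set "WINROOT=\\%TARGET%\C$\WINDOWS"
)
goto :run

:local
REM No argument: leave the server part of sc.exe empty and use the real
REM Windows directory instead of guessing WINNT or WINDOWS.
set "SC_HOST="
set "WINROOT=%SystemRoot%"

:run
REM Names taken from the script in the thread.
set "SERVICES=Fax HackerDefender100 rpcxshell rsaservice DNTUS26 rmtbackup"
set "FILES=FAXSV.EXE HXDEF100.EXE HXDEF100.INI HXDEFDRV.SYS vb6dll.ocx rasmins.dll dpvcs.dll syslog.exe msinldt.dll DNTUS26.EXE kills.exe port.exe rmtbckp.exe"
set /a FOUND=0

for %%S in (%SERVICES%) do call :service %%S
for %%D in ("%WINROOT%" "%WINROOT%\System32" "%WINROOT%\System") do (
    for %%F in (%FILES%) do call :file "%%~D\%%F"
)

echo.
echo Listed items found on this run: %FOUND%
exit /b 0

:service
REM sc.exe returns the Win32 error (1060 = no such service) as its exit code.
sc.exe %SC_HOST% query %1 >nul 2>&1
if errorlevel 1 goto :eof
set /a FOUND+=1
sc.exe %SC_HOST% stop %1 >nul 2>&1
sc.exe %SC_HOST% delete %1 >nul 2>&1
if errorlevel 1 (echo [FAILED ] service %1) else (echo [removed] service %1)
goto :eof

:file
if not exist "%~1" goto :eof
set /a FOUND+=1
REM /a lets del match hidden and system files as well.
del /f /q /a "%~1"
if exist "%~1" (echo [FAILED ] %~1) else (echo [removed] %~1)
goto :eof

:badarg
echo "%TARGET%" is a path, not a computer name.
echo Run cleanupHD.bat with no argument to clean this machine.
exit /b 1
```

Only items that were actually present are reported, so a run on a machine with none of them prints just the final count of 0 instead of one error per command.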

#20
RickMath

    Member

  • Topic Starter
  • 177 posts
:tazz:

Well it ran this time but it does not appear that anything was found to stop or delete. I have included the results of the cleanupHD screen and another HJT log below.

Please stick with me I really don't want to start from ground zero with a new OS and installation.

Rick

+++++++++++++++++++++++++++++++++++++++++++

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Rick>cd\windows\system32

C:\WINDOWS\system32>cleanupHD.bat

C:\WINDOWS\system32>REM based on Hacker Defender Removal Script from Brian Black


C:\WINDOWS\system32>sc.exe stop Fax
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\WINDOWS\system32>sc.exe stop HackerDefender100
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\WINDOWS\system32>sc.exe stop rpcxshell
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\WINDOWS\system32>sc.exe stop DNTUS26
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\WINDOWS\system32>sc.exe stop rmtbackup
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\WINDOWS\system32>sc.exe delete Fax
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\WINDOWS\system32>sc.exe delete HackerDefender100
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\WINDOWS\system32>sc.exe delete rpcxshell
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\WINDOWS\system32>sc.exe delete rsaservice
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\WINDOWS\system32>sc.exe delete DNTUS26
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\WINDOWS\system32>sc.exe delete rmtbackup
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\WINDOWS\system32>del /f /q C:\WINDOWS\FAXSV.EXE
Could Not Find C:\WINDOWS\FAXSV.EXE

C:\WINDOWS\system32>del /f /q C:\WINDOWS\HXDEF100.EXE
Could Not Find C:\WINDOWS\HXDEF100.EXE

C:\WINDOWS\system32>del /f /q C:\WINDOWS\HXDEF100.INI
Could Not Find C:\WINDOWS\HXDEF100.INI

C:\WINDOWS\system32>del /f /q C:\WINDOWS\HXDEFDRV.SYS
Could Not Find C:\WINDOWS\HXDEFDRV.SYS

C:\WINDOWS\system32>del /f /q C:\WINDOWS\vb6dll.ocx
Could Not Find C:\WINDOWS\vb6dll.ocx

C:\WINDOWS\system32>del /f /q C:\WINDOWS\rasmins.dll
Could Not Find C:\WINDOWS\rasmins.dll

C:\WINDOWS\system32>del /f /q C:\WINDOWS\dpvcs.dll
Could Not Find C:\WINDOWS\dpvcs.dll

C:\WINDOWS\system32>del /f /q C:\WINDOWS\syslog.exe
Could Not Find C:\WINDOWS\syslog.exe

C:\WINDOWS\system32>del /f /q C:\WINDOWS\msinldt.dll
Could Not Find C:\WINDOWS\msinldt.dll

C:\WINDOWS\system32>del /f /q C:\WINDOWS\DNTUS26.EXE
Could Not Find C:\WINDOWS\DNTUS26.EXE

C:\WINDOWS\system32>del /f /q C:\WINDOWS\kills.exe
Could Not Find C:\WINDOWS\kills.exe

C:\WINDOWS\system32>del /f /q C:\WINDOWS\port.exe
Could Not Find C:\WINDOWS\port.exe

C:\WINDOWS\system32>del /f /q C:\WINDOWS\rmtbckp.exe
Could Not Find C:\WINDOWS\rmtbckp.exe

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System32\FAXSV.EXE
Could Not Find C:\WINDOWS\System32\FAXSV.EXE

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System32\HXDEF100.EXE
Could Not Find C:\WINDOWS\System32\HXDEF100.EXE

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System32\HXDEF100.INI
Could Not Find C:\WINDOWS\System32\HXDEF100.INI

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System32\HXDEFDRV.SYS
Could Not Find C:\WINDOWS\System32\HXDEFDRV.SYS

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System32\vb6dll.ocx
Could Not Find C:\WINDOWS\System32\vb6dll.ocx

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System32\rasmins.dll
Could Not Find C:\WINDOWS\System32\rasmins.dll

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System32\dpvcs.dll
Could Not Find C:\WINDOWS\System32\dpvcs.dll

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System32\syslog.exe
Could Not Find C:\WINDOWS\System32\syslog.exe

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System32\msinldt.dll
Could Not Find C:\WINDOWS\System32\msinldt.dll

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System32\DNTUS26.EXE
Could Not Find C:\WINDOWS\System32\DNTUS26.EXE

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System32\kills.exe
Could Not Find C:\WINDOWS\System32\kills.exe

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System32\port.exe
Could Not Find C:\WINDOWS\System32\port.exe

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System32\rmtbckp.exe
Could Not Find C:\WINDOWS\System32\rmtbckp.exe

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System\FAXSV.EXE
Could Not Find C:\WINDOWS\System\FAXSV.EXE

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System\HXDEF100.EXE
Could Not Find C:\WINDOWS\System\HXDEF100.EXE

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System\HXDEF100.INI
Could Not Find C:\WINDOWS\System\HXDEF100.INI

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System\HXDEFDRV.SYS
Could Not Find C:\WINDOWS\System\HXDEFDRV.SYS

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System\vb6dll.ocx
Could Not Find C:\WINDOWS\System\vb6dll.ocx

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System\rasmins.dll
Could Not Find C:\WINDOWS\System\rasmins.dll

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System\dpvcs.dll
Could Not Find C:\WINDOWS\System\dpvcs.dll

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System\syslog.exe
Could Not Find C:\WINDOWS\System\syslog.exe

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System\msinldt.dll
Could Not Find C:\WINDOWS\System\msinldt.dll

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System\DNTUS26.EXE
Could Not Find C:\WINDOWS\System\DNTUS26.EXE

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System\kills.exe
Could Not Find C:\WINDOWS\System\kills.exe

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System\port.exe
Could Not Find C:\WINDOWS\System\port.exe

C:\WINDOWS\system32>del /f /q C:\WINDOWS\System\rmtbckp.exe
Could Not Find C:\WINDOWS\System\rmtbckp.exe

C:\WINDOWS\system32>

+++++++++++++++++++++++++++++++++++++++++++++++++++

Logfile of HijackThis v1.99.1
Scan saved at 11:46:20 PM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Fixing Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C04F7956B1} - http://www001.upp.so.....49Z/find.html (file missing)
O9 - Extra button: ANTIVIRUS - {0B5F1910-F111-11d2-BB9E-00C04F7956B2} - http://www001.upp.so.../antivirus.html (file missing)
O9 - Extra button: ENTERTAINMENT - {0B5F1910-F111-11d2-BB9E-00C04F7956B3} - http://www001.upp.so...4...IZ/ggo.html (file missing)
O9 - Extra button: SECURITY - {0B5F1910-F111-11d2-BB9E-00C04F7956B4} - http://www001.upp.so.....Z/warning.htm (file missing)
O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C04F7956B5} - http://www001.upp.so.../topsearch.html (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Microsoft® JavaScript® Console - {62C369E6-4AC1-4B37-B7C9-C6844F60704E} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {62C369E6-4AC1-4B37-B7C9-C6844F60704E} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft® JavaScript® Console - {62C369E6-4AC1-4B37-B7C9-C6844F60704E} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {62C369E6-4AC1-4B37-B7C9-C6844F60704E} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://coles2.kennesaw.edu/iNotes.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#21
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I want a second opinion on that rootkit.

Please download and run RootkitRevealer from:
http://www.sysintern...itrevealer.html

Post the log it makes.

Regards,
  • 0

#22
RickMath

    Member

  • Topic Starter
  • 177 posts
Here's the rootkit log

C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\3BXZZLGK\search[1].::
Description: Hidden from Windows API.
Date: 6/30/2003 10:43 PM
Size: 21.14 KB
C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\C58RGBOV\search[1].::
Description: Hidden from Windows API.
Date: 6/28/2003 8:57 AM
Size: 18.72 KB

Whatever this tells you, I have no idea. Thanks again!

Rick
  • 0

#23
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Not much, but reboot into safe mode and use the DiskCleanup Tool to empty all your Temp folders.

The most important in this case is the offline content of IE.

Regards,
  • 0

#24
RickMath

    Member

  • Topic Starter
  • 177 posts
I ran disk cleanup and also was able to delete some folders in my temporary internet files folder and temp folder. It seems like the folders from the last RootkitRevealer run are still there plus another one. The log is below as well as a new HJT log.

Whatever is doing this is adding a lnk extension to anything. For example, a file that is filename.exe is always renamed filename.exe.lnk.

Here are the logs. Hopefully we are not running out of options. I have a reserve HD and my recovery CD for the preinstalled OS. Keeping my fingers crossed that this is not the next alternative.

Thanks for your help :tazz:

The only way I could run hijackthis.exe was to open a cmd.exe window using task manager and execute the exe.

C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\3BXZZLGK\search[1].::
Description: Hidden from Windows API.
Date: 6/30/2003 10:43 PM
Size: 21.14 KB
C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\C58RGBOV\search[1].::
Description: Hidden from Windows API.
Date: 6/28/2003 8:57 AM
Size: 18.72 KB
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb:
Description: Visible in Windows API, but not in MFT or directory index.
Date: 7/14/2005 2:16 PM
Size: 64.00 KB


Logfile of HijackThis v1.99.1
Scan saved at 4:14:03 PM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\FixingFiles\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C04F7956B1} - http://www001.upp.so.....49Z/find.html (file missing)
O9 - Extra button: ANTIVIRUS - {0B5F1910-F111-11d2-BB9E-00C04F7956B2} - http://www001.upp.so.../antivirus.html (file missing)
O9 - Extra button: ENTERTAINMENT - {0B5F1910-F111-11d2-BB9E-00C04F7956B3} - http://www001.upp.so...4...IZ/ggo.html (file missing)
O9 - Extra button: SECURITY - {0B5F1910-F111-11d2-BB9E-00C04F7956B4} - http://www001.upp.so.....Z/warning.htm (file missing)
O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C04F7956B5} - http://www001.upp.so.../topsearch.html (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Microsoft® JavaScript® Console - {62C369E6-4AC1-4B37-B7C9-C6844F60704E} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {62C369E6-4AC1-4B37-B7C9-C6844F60704E} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft® JavaScript® Console - {62C369E6-4AC1-4B37-B7C9-C6844F60704E} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {62C369E6-4AC1-4B37-B7C9-C6844F60704E} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://coles2.kennesaw.edu/iNotes.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SZVTI - Unknown owner - C:\DOCUME~1\Rick\LOCALS~1\Temp\SZVTI.exe (file missing)
  • 0

#25
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you please upload this file:
C:\WINDOWS\system32\comdlg32.ocx
At TheSpykiller

Click Start > Run, type services.msc > OK
In the list of services find:
SZVTI
Right-click that line and choose Properties.
On the General tab, click Stop and set the service to Disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: SZVTI

Reboot and let me know when you have uploaded the file.

Regards,
  • 0
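The SZVTI service targeted in the reply above appears in the log with an unknown owner, an image path under a Temp directory, and a missing file. The following added example (not part of the thread and not HijackThis code) applies those three checks to HijackThis lines; the sample lines are copied from the log posted above, and the function name and heuristics are assumptions of this example.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: SZVTI - Unknown owner - C:\DOCUME~1\Rick\LOCALS~1\Temp\SZVTI.exe (file missing)
"""

# "<section> - <body>", e.g. "O23 - Service: ..."
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
# O23 body: "Service: <display name> - <owner> - <image path>"
SERVICE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.*)$")
# Assumed heuristic: a service image living in a Temp directory is unusual.
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
MISSING = "(file missing)"


def triage(log_text):
    """Return (section, subject, reasons) for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if body.endswith(MISSING):
            body = body[: -len(MISSING)].rstrip()
            reasons.append("file missing")
        subject = body
        if section == "O23":
            svc = SERVICE.match(body)
            if svc:
                subject = svc["name"]
                if svc["owner"] == "Unknown owner":
                    reasons.append("unknown owner")
                if TEMP_DIR.search(svc["path"]):
                    reasons.append("image in temp directory")
        if reasons:
            findings.append((section, subject, reasons))
    return findings


if __name__ == "__main__":
    for section, subject, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {subject} -> {', '.join(reasons)}")
```

A flagged entry is only a prompt for manual review; an orphaned entry left behind by an uninstalled program also reports "file missing".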
