HSA in Win2K
I seem to have some variation of the HSA thing going on. The primary symptom is that my home page is getting hijacked (to about:this). I've also found, however, that tmpf##.exe files are getting created in my sys32 directory, trying to connect to the net to post outbound data. eplrr3.dll also seems to be involved somehow, and I've seen sp.htm in my temp directory a few times.
I've followed all the instructions several times, and seem to have it mostly blocked between HJT and Spybot tag-teaming it. But AboutBuster never finds anything, and I can't locate the service that keeps bringing everything back to life.
Here's the list of active services from the VB script provided on the instructions:
These are the Current Active Services:
Computer Browser: Browser
C:\WINNT\System32\services.exe
DHCP Client: Dhcp
C:\WINNT\System32\services.exe
Logical Disk Manager: dmserver
C:\WINNT\System32\services.exe
Event Log: Eventlog
C:\WINNT\system32\services.exe
Server: lanmanserver
C:\WINNT\System32\services.exe
Workstation: lanmanworkstation
C:\WINNT\System32\services.exe
TCP/IP NetBIOS Helper Service: LmHosts
C:\WINNT\System32\services.exe
Plug and Play: PlugPlay
C:\WINNT\system32\services.exe
Protected Storage: ProtectedStorage
C:\WINNT\system32\services.exe
Distributed Link Tracking Client: TrkWks
C:\WINNT\system32\services.exe
Windows Management Instrumentation Driver Extensions: Wmi
C:\WINNT\system32\Services.exe
Cisco Systems, Inc. VPN Service: CVPND
"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
DefWatch: DefWatch
C:\Program Files\NavNT\defwatch.exe
COM+ Event System: EventSystem
C:\WINNT\System32\svchost.exe -k netsvcs
Network Connections: Netman
C:\WINNT\System32\svchost.exe -k netsvcs
Removable Storage: NtmsSvc
C:\WINNT\System32\svchost.exe -k netsvcs
System Event Notification: SENS
C:\WINNT\system32\svchost.exe -k netsvcs
Telephony: TapiSrv
C:\WINNT\System32\svchost.exe -k netsvcs
Norton AntiVirus Client: Norton AntiVirus Server
C:\Program Files\NavNT\rtvscan.exe
Rio MSC Manager: RioMSC
C:\WINNT\System32\RioMSC.exe
Remote Procedure Call (RPC): RpcSs
C:\WINNT\system32\svchost -k rpcss
Security Accounts Manager: SamSs
C:\WINNT\system32\lsass.exe
Task Scheduler: Schedule
C:\WINNT\system32\MSTask.exe
Print Spooler: Spooler
C:\WINNT\system32\spoolsv.exe
TrueVector Internet Monitor: vsmon
C:\WINNT\system32\ZoneLabs\vsmon.exe -service
Windows Management Instrumentation: WinMgmt
C:\WINNT\System32\WBEM\WinMgmt.exe
WMDM PMSP Service: WMDM PMSP Service
C:\WINNT\System32\mspmspsv.exe
If you'd like to see the HJT log, I can provide that, too. I can make that look clean, but the problem keeps coming back.
Thanks for any help!
This discussion has been closed.
Comments
Logfile of HijackThis v1.99.0
Scan saved at 5:59:39 PM, on 12/19/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\RioMSC.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Virus Debugs\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iasystems.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iasystems.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iasystems.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {FBD656B4-6621-4855-B85D-8F5BF25D39A2} - C:\WINNT\System32\ipc.dll
O18 - Filter: text/plain - {FBD656B4-6621-4855-B85D-8F5BF25D39A2} - C:\WINNT\System32\ipc.dll
O21 - SSODL: eplrr - {85BD7C99-4AA9-4B4B-A75C-170E20D145C7} - C:\WINNT\System32\eplrr3.dll
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINNT\System32\RioMSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
Then I fix the few items I know look wrong, and I'm left with this:
Logfile of HijackThis v1.99.0
Scan saved at 6:01:00 PM, on 12/19/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\RioMSC.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Virus Debugs\hijackthis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iasystems.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iasystems.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iasystems.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINNT\System32\RioMSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
See anything else fishy? Thanks!
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Fix those entries then reboot and post a new log.
Logfile of HijackThis v1.99.0
Scan saved at 10:02:59 PM, on 12/20/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\RioMSC.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Virus Debugs\hijackthis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iasystems.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iasystems.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iasystems.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINNT\System32\RioMSC.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
The worst changes are now getting blocked by TeaTimer, but these somehow creep in (the middle 2 DLL entries are always random names):
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
O18 - Filter: text/html - {43C9051F-F5E2-414A-9D8A-5A8142C6E23F} - C:\WINNT\System32\gdjdoa.dll
O18 - Filter: text/plain - {43C9051F-F5E2-414A-9D8A-5A8142C6E23F} - C:\WINNT\System32\gdjdoa.dll
O21 - SSODL: eplrr - {2520888C-89BA-497F-8C9A-5EB69CAC5648} - C:\WINNT\System32\eplrr3.dll
Logfile of HijackThis v1.99.0
Scan saved at 7:16:44 PM, on 12/21/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\RioMSC.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Virus Debugs\hijackthis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iasystems.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iasystems.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iasystems.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINNT\System32\RioMSC.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
I remind you that I never found a suspicious looking service that I stopped, which is part of the instructions. Is that maybe how this is coming back?
Thanks!
Many thanks!