Thread: I THINK I'm Clean

  1. #1
    Join Date
    Feb 2007
    Location
    Pennsylvania
    Age
    69
    Posts
    33

    I THINK I'm Clean

    ok ran: Norton AV Corp 9.0, Ewido-Online scan, Kaspersky-Online scan
    Bitdefender-Online Scan, ATF(safe mode), MS Malware Removal Tool
    and Spybot Search & Destroy....all updated.

    here is my HJ log and the parsed log...AM I TRULY clean?


    Logfile of HijackThis v1.99.1
    Scan saved at 3:12:02 AM, on 2/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\SnoopFreeSvc.exe
    C:\WINDOWS\SnoopFreeUI.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\HijackThis\analyze.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122249941812
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125517187093
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe







    PARSED LOG:


    Scan saved at 3:12:02 AM, on 2/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    Smss.exe
    What is it?
    Session Manager SubSystem - smss.exe

    What does it do?
    smss.exe - This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).

    Additional Reading:
    Smss.exe does not resolve forward references in environment

    You will not be able to end this through task manager!

    More info


    Virus Precaution:

    The smss.exe which is from Microsoft is located at c:\windows\System32\smss.exe. We've been able to find several viruses that run as smss to trick you.

    Adware.Advision - Symantec Corporation
    Adware.DreamAd - Symantec Corporation
    Backdoor.IRC.Aladinz.O - Symantec Corporation
    Backdoor.IRC.Flood.F - Symantec Corporation
    W32.Dalbug.Worm - Symantec Corporation
    W32.Resdoc - Symantec Corporation

    C:\WINDOWS\system32\winlogon.exe
    Winlogon.exe
    What is it?
    Windows Logon Process - Winlogon.exe

    What does it do?
    Direct Quote from here:
    This is the process responsible for managing user logon and logoff. Moreover, Winlogon is active only when the user presses CTRL+ALT+DEL, at which point it shows the security dialog box.

    Search MS for more info: Link

    Virus Precaution:
    The original Winlogon.exe from Microsoft gets placed in the C:\WINDOWS\System32 directory. If you find it anywhere else then you should be suspicious for sure.

    You'll want to keep an eye on this google search for any known viruses. We've been able to find only 1 report of a virus so far.

    Troj/Madr-B @ Sophos
    Netsky.D @ Trend Micro

    C:\WINDOWS\system32\services.exe
    services.exe
    services.exe is a part of Windows that manages the processes. Anytime a service starts or stops it is through services.exe. During system startup and shutdown is when this process sees most of its action. You should never end this process unless it is running outside of your windows system folder.

    C:\WINDOWS\system32\lsass.exe
    lsass.exe
    What is it?
    Local Security Authentication Server - lsass.exe

    What does it do?
    lsass.exe - It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.

    You will not be able to end this through task manager!

    From MS


    The lsass.exe which is from Microsoft is located at c:\windows\System32\lsass.exe. There's a few viruses that have been found to run as lsass.exe to hide from you.

    C:\WINDOWS\system32\svchost.exe
    Svchost.exe

    What is it?
    Service Host Process - svchost.exe

    What does it do?

    Here's a direct quote from MS about this: (source)
    Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

    Svchost.exe groups are identified in the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

    Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service_names extracted from the following registry key, whose Parameters key contains a ServiceDLL value:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

    If you're running Windows XP Home edition then you'll have to download this file HERE and put it in your windows/system32 directory. If you're running XP Pro then you won't need that file since you already have it.

    1.) Start --> Run --> cmd
    2.) Tasklist /svc >C:\ianaginfo.txt

    Here's an example of what I got when I issued this command if you'd like to take a look at an example.

    A Description of Svchost.exe in Windows XP:
    http://support.microsoft.com/?kbid=314056

    More Info
    More Info

    Virus Precaution:
    The original file from Microsoft gets placed in the C:\WINDOWS\System32 directory. If you find it anywhere else then you should be suspicious for sure.

    You'll want to keep an eye on this google search for any known viruses.

    C:\WINDOWS\system32\svchost.exe
    Svchost.exe


    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    vsmon.exe

    What is it?
    True Vector Internet Monitor - vsmon.exe

    What does vsmon.exe do?
    This process is associated with Zone Alarm's personal firewall. This is the process that runs in the background and sends you the alert messages anytime an application either breaks one of the already created rules or it doesn't have a rule in place already so you have to "train it".

    It is highly suggested that you use a firewall application like this one.

    Virus Precautions:
    You'll want to keep an eye on this google search for any known viruses. The normal location of vsmon.exe is:

    %windows%\system\vsmon.exe

    At this time There's quite a few viruses running around using this filename!
    for vsmon.exe

    Also .

    C:\WINDOWS\Explorer.EXE
    explorer.exe

    What is it?
    Windows Explorer - explorer.exe

    What does it do?
    explorer.exe - Below is a direct quote from Microsoft found on THIS page:

    This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn't as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on the system.

    I have found that stopping this process is needed sometimes to stop some other processes.

    More Info
    More Info

    Virus Precaution:
    The original file from Microsoft gets placed at C:\WINDOWS\System32\explorer.exe. If you find it anywhere else then you should be suspicious for sure.

    You'll want to keep an eye on this google search for any known viruses. There's only one unique virus found through this search. All of the results are the various names of this single virus.

    Deloder-A @ Sophos
    MyDoom.B @ Symantec

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    ccsetmgr.exe
    What Is It?
    Norton Security - ccsetmgr.exe

    What Does ccsetmgr.exe Do?
    This is one of MANY processes that are used by Norton Security (AV + Net Security). If it's under the appropriate directory you'll have nothing to worry about. If you're experiencing slowdowns you'll want to upgrade your hard drive and/or your RAM. Norton is a resource hog.

    Virus Precautions:
    The normal location of ccsetmgr.exe is: C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\ccsetmgr.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    ccevtmgr.exe
    What Is It?
    Norton Security - ccEvtMgr.exe

    What Does ccevtmgr.exe Do?
    This is one of MANY processes that are used by Norton Security (AV + Net Security). If it's under the appropriate directory you'll have nothing to worry about. If you're experiencing slowdowns you'll want to upgrade your hard drive and/or your RAM. Norton is a resource hog.
    This particular process is the event log manager which monitors the virus scanning process and will trigger the alert process as needed.

    Virus Precautions:
    The normal location of ccevtmgr.exe is: C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\ccevtmgr.exe

    C:\WINDOWS\system32\spoolsv.exe
    Spoolsv.exe
    What is it?
    SPOOLer SerVice - spoolsv.exe

    What does it do?
    spoolsv.exe - The spooler service is responsible for managing spooled print/fax jobs

    You will be able to end this through task manager!

    More info


    Virus Precaution:
    The spoolsv.exe which is from Microsoft is located at c:\windows\System32\spoolsv.exe. We've been able to find several viruses that run as spoolsv to trick you.

    Backdoor.Ciadoor.B - Symantec Corporation
    Hacktool.Privshell - Symantec Corporation
    VBS.Masscal.Worm (vbs) - Symantec Corporation
    Graybird-A @ Sophos

    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    DefWatch.exe
    DefWatch.exe is a part of Norton Antivirus by Symantec Corporation and is the virus definition monitor that will make sure your virus definitions do not get too horribly outdated. You should leave this process running so your definitions don't get out of date.

    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    DkService.exe
    DkService.exe is Executive Software's diskeeper. It is the best hard drive disk defragmentation program I've found. In NT based OS's this file will be run as a service and is used for a user's scheduled disk defragmentation. It is good to have your drive scheduled to defrag at least once a week at a time when you know you'll be in bed.

    C:\WINDOWS\system32\nvsvc32.exe
    nvsvc32.exe
    What is it?
    NVIDIA Driver Helper Service - nvsvc32.exe

    What does it do?
    nvsvc32.exe - For all of you that have video cards that utilize one of the Nvidia chipsets running under Windows NT4/2k/XP/2k3 they install a driver help service. We have emailed Nvidia asking them about this but haven't been able to get a response. I was able to end this task without any issues.

    There have been a number of reports that say this service is the root of some nasty shutdown slowdowns! Even though I haven't experienced this personally, Black Viper is a source that I trust and he has stated this service has caused extreme slowdowns during shutdown.

    There's been a number of rumors posted that state that this is some form of spyware. I have not found it to transmit any form of data while I've been using it. I also don't believe Nvidia is stupid enough to package spyware and send it to their massive installation base.

    You'll want to visit nvidia.com for more information about them and their products. You may also want to download the latest drivers from them.

    Virus Precaution:
    nvsvc32.exe is located at c:\windows\System32\nvsvc32.exe. We've been unable to find any threats that run as nvsvc32.exe to trick you.

    C:\WINDOWS\System32\SnoopFreeSvc.exe
    SnoopFreeSvc.exe
    We Don't know! Please post a comment with information about this file

    C:\WINDOWS\SnoopFreeUI.exe
    SnoopFreeUI.exe
    We Don't know! Please post a comment with information about this file

    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    zlclient.exe

    What is it?
    Zone Alarm - zlclient.exe

    What does it do?
    zlclient.exe is a part of Zone Labs Internet Security. You should not end this process for any reason. This is the firewall I use behind my router as a second level of protection. The most important part of this is having to give permission to applications before they access the internet in any way. Routers and the windows firewall have a tendency to allow anything out and only blocking inbound connections.

    Virus Precautions:
    You'll want to keep an eye on this google search for any known viruses. The normal location of this file is C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe


    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    rtvscan.exe

    What is it?
    Real Time Virus scan (Symantec Security) - rtvscan.exe

    What does it do?
    Symantec Internet Security Suite is taking Norton AV to another level and scan the files as they enter your system instead of the usual scan right after they hit your system. You should not end this process if you have it running.

    Virus Precautions:
    You'll want to keep an eye on this google search for any known viruses. The normal location of this file is C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


    Also .

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    ccApp.exe
    What Is It?
    Norton Security - ccApp.exe
    What Does it Do?
    ccapp.exe - This is one of MANY processes that are used by Norton Security (AV + Net Security). If it's under the appropriate directory you'll have nothing to worry about. If you're experiencing slowdowns you'll want to upgrade your hard drive and/or your RAM. Norton is a resource hog.
    This process is referred to as Common Client App which is also used by auto protect and email checking.

    Virus Precautions:
    The normal location of ccapp.exe is: C:\Program Files\Common Files\Symantec Shared\ccapp.exe

    C:\PROGRA~1\SYMANT~1\VPTray.exe
    vptray.exe

    What is it?
    Norton AV Tray icon- vptray.exe

    What does it do?
    This executable belongs to Norton Antivirus and is nothing more than a tray icon which gives you quicker access to various settings. I hate cluttered task bars so I personally would end this task from my startup list.

    Virus Precautions:
    You'll want to keep an eye on this google search for any known viruses. The normal location of this file is C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe


    C:\Program Files\HijackThis\analyze.exe
    Unknown Item
    Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    Internet Start Page
    This is where you go when you first open IE. Should be something like google.com or iamnotageek.com. If there's a site you don't know here, clean this line!

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    Unnamed BHO
    ssv.dll - Related to Sun_Java_software http://java.com/en/download/index.jsp

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    NvCplDaemon
    NvCplDaemon"

    O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
    SnoopFreeUI
    "Anti-keylogging software made by SnoopFree Software"

    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    Unknown Item
    Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    DiskeeperSystray
    "DisKeeper defragmentation software - can be started manually"

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccApp
    "Part of Norton AntiVirus. Auto-protect and E-mail check will not function without this"

    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    vptray
    "System Tray icon for Norton Anti-Virus Corporate Edition. Gives access to the options available and may not be required. Some users may have problems - refer here"

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    Sun Java Console
    Related to Sun Java

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    Sun Java Console
    Related to Sun Java

    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    Unnamed BHO
    http://www.kaspersky.com

    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    ewidoOnlineScan.cab
    ewido_security_suite online Scan

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122249941812
    Unnamed BHO
    http://v5.windowsupdate.microsoft.com

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125517187093
    muweb_site.cab
    Microsoft Windows Update more here

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    AppInit_DLLs Registry value autorun
    Very few known *good* purposes of this. Norton Cleansweep being the headliner of good items
    Loads a .dll into memory when a user logs in. Frequently used by VERY bad hijackers.

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    AppInit_DLLs Registry value autorun
    Very few known *good* purposes of this. Norton Cleansweep being the headliner of good items
    Loads a .dll into memory when a user logs in. Frequently used by VERY bad hijackers.

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    Unknown Item
    Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    Unknown Item
    Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    Unknown Item
    Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    Symantec AntiVirus Definition Watcher
    Related to Symantec AntiVirus Software.

    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    Diskeeper
    Executive Software's Diskeeper (Defragmenter)

    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    GhostStartService
    Related to Norton. GHOSTSTARTSERVICE is the background support task/service for Ghost for Windows.

    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    LightScribeService Direct Disc Labeling Service

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    NVIDIA Display Driver Service
    NVidia

    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    SAVRoam
    Related to Norton/Symantec AntiVirus

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    Unknown Item
    Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

    O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
    Unknown Item
    Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    Symantec AntiVirus
    Related to Symantec AntiVirus

    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    This is my 1st post and hopefully my LAST post

    TY in advance

  2. #2
    Join Date
    Feb 2007
    Location
    Pennsylvania
    Age
    69
    Posts
    33
    My comp has no probs with start up or shutdown and no weird behavior....but I am a little concerned about the two #20's Navlogon.dll and WGAlogon.dll

    any help would be appreciated, TY

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hello Ghot,
    Welcome to IANAG!
    Your log is essentially clean. Can I ask in the future, if you feel you need to post a log that you NOT post a parsing of the log, just the log itself.
    Those of us here who read logs do our own parsing, using various programs. Posting the parse will just confuse others not familiar with the procedure of reading the logs. Most of us here read and check them line by line.
    Now the two lines you are concerned with;
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    are perfectly legitimate lines.

    The first one refers to your Norton Anti-virus program and the second one refers to the Windows Genuine Advantage tool.

    You have one line I would recommend fixing by running HJT again and placing a checkmark next to it, then click the FIX button and exit HJT;
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    You are also running a program which I have never seen before which is SnoopFree Privacy Shield. Now this appears to be a legitimate program but the one we always recommend is SpywareBlaster which DOES
    Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
    Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
    Restrict the actions of potentially unwanted sites in Internet Explorer.
    This is an EXCELLENT program. It is FREE and best of all, it DOES NOT run in the background all the time. Keep it updated and that is it. And believe me IT DOES WORK.
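
The line-by-line checks discussed in this thread, sketched as an added example; it is not part of any post and is not HijackThis or forum tooling. The sample log is constructed (the `C:\WINDOWS\svchost.exe` and `example1` lines are invented), and the function names, the assumption that Windows lives in `C:\WINDOWS`, and the two name lists (taken from the parsed log and from reply #3) are assumptions.

```python
import ntpath
import re

# Constructed sample in HijackThis v1.99.1 layout, modelled on the log in this
# thread. The stray svchost.exe and the "example1" Notify entry are invented.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:12:02 AM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: example1 - C:\WINDOWS\system32\example1.dll
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

# Assumption: Windows is installed in C:\WINDOWS, as in the posted log.
SYSTEM32 = r"c:\windows\system32"
# Process names the parsed log says belong in System32 and nowhere else.
SYSTEM32_ONLY = {"smss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
# Winlogon Notify entries that reply #3 identifies as legitimate.
KNOWN_NOTIFY = {"navlogon", "wgalogon"}

# Entry lines look like "<section code> - <details>", e.g. "O20 - ...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_log(text):
    """Split a log into running-process paths and (code, details) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the entry list starts after the processes
            entries.append((match.group(1), match.group(2)))
        elif in_processes and DRIVE_PATH_RE.match(line):
            processes.append(line)
    return processes, entries


def review(text):
    """Return (code, reason, line) tuples for lines a reader should look at."""
    processes, entries = parse_log(text)
    findings = []
    for path in processes:
        # ntpath handles Windows paths on any OS; normcase lowercases them.
        folder, name = ntpath.split(ntpath.normcase(path))
        if name in SYSTEM32_ONLY and folder != SYSTEM32:
            findings.append(("PROC", "system process name outside System32", path))
    for code, body in entries:
        if code in ("R0", "R1") and body.rstrip().endswith("="):
            findings.append((code, "blank Internet Explorer page value", body))
        elif code == "O20" and body.startswith("Winlogon Notify:"):
            name = body.split(":", 1)[1].split(" - ")[0].strip()
            if name.lower() not in KNOWN_NOTIFY:
                findings.append((code, "Winlogon Notify DLL not on the known list", body))
        elif code == "O23" and " - Unknown owner - " in body:
            findings.append((code, "service reported with no vendor name", body))
    return findings


if __name__ == "__main__":
    for code, reason, line in review(SAMPLE_LOG):
        print(f"[{code}] {reason}: {line}")
```

A finding here means "read this line by hand", not "this is malware": the SnoopFree service in this thread is reported with an unknown owner and was still judged legitimate.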

  4. #4
    Join Date
    Feb 2007
    Location
    Pennsylvania
    Age
    69
    Posts
    33
    Sorry about the parse post...didn't know if needed or not
    I deleted the 01 entry and at least THIS time it didn't come back...yet

    Thanks for the rapid response, and in the future...the next time I 'test' some otherwise NOT free software and get bad results...this is the 1st place I'll come.

    you can thank Maximum PC Magazine's "Softy Awards" for pointing me in your direction...this is a great site, and that comes from the No. 1 cynic....me

    Keep up the great work guys...with companies slapping spyware or worse in almost every app.....it's good to know where to go, if/when problems arise!

    Welcome to my personal ranks of "Sites in Shining Armor" ^^

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Thanks for the kind words...sometimes we sit here and think nobody knows our name...Softy Award...wow!
    Don't worry about the parsed post...honestly? I don't know how the heck you got it on here...I find them hard enough to read I don't believe I could copy/paste one at all!
    Now, you have me a bit confused here with this;
    I deleted the 01 entry and at least THIS time it didn't come back...yet
    What O1 or 01 entry? I don't see one in either the straight log or the parsed log. What did this entry say?
