NAV 2004 detected 4 viruses, but could not fix two of them: 'Spyware.Perfect' and 'Keylogger.Cone.Trojan'. Can anyone interpret the report from Hijack This v1.97.7 and suggest proper action?
Logfile of HijackThis v1.97.7
Scan saved at 02:07:13, on 30.01.2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\SSDPSRV.exe
C:\PROGRAMFILER\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.exe
C:\PROGRAMFILER\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.exe
C:\PROGRAMFILER\FELLESFILER\SYMANTEC SHARED\SYMTRAY.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
C:\PROGRAMFILER\FELLESFILER\SYMANTEC SHARED\CCEVTMGR.exe
C:\PROGRAMFILER\FELLESFILER\SYMANTEC SHARED\CCSETMGR.exe
C:\PROGRAMFILER\FELLESFILER\SYMANTEC SHARED\CCPROXY.exe
C:\WINDOWS\SYSTEM\DEVLDR16.exe
C:\PROGRAMFILER\FELLESFILER\SYMANTEC SHARED\SNDSRVC.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\HIDSERV.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAMFILER\ZONE LABS\ZONEALARM\ZLCLIENT.exe
C:\PROGRAMFILER\FELLESFILER\SYMANTEC SHARED\CCAPP.exe
C:\PROGRAMFILER\FELLESFILER\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\SRVEXC.exe
C:\WINDOWS\SYSTEM\EXPLORER.exe
C:\WINDOWS\SYSTEM\LEXBCES.exe
C:\PROGRAMFILER\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.exe
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\Programfiler\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\LEXPPS.exe
C:\WINDOWS\WUAUCLT.exe
C:\WINDOWS\SKRIVEBORD\HIJACKTHIS.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.c2i.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Programfiler\Norton SystemWorks\Norton Utilities\NPROTECT.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programfiler\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [srvexc.exe] C:\WINDOWS\SYSTEM\srvexc.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Programfiler\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Programfiler\Norton SystemWorks\Norton CleanSweep\CSINJECT.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Programfiler\Norton SystemWorks\Norton Utilities\NPROTECT.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Programfiler\Fellesfiler\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.exe -service
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe -service
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programfiler\Fellesfiler\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\FELLES~1\SYMANT~1\CCPROXY.exe
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\FELLES~1\SYMANT~1\SNDSRVC.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] C:\WINDOWS\SYSTEM\EXPLORER.exe /k 1
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Programfiler\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O9 - Extra button: Kangaroo (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mts: C:\Programfiler\MetaCreations\MetaStream\npmetastream.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.c2i.net/
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37648.3841435185
O16 - DPF: Yahoo! Chat - http://cs8.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: LEGO Stormrunner - http://mindstorms.lego.com/stormrunner/stormrunner1-1-0.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/ActiveData.cab

Many thanks in advance, vargen

Your log contains some unusual (to me) looking items; hopefully someone else will recognize them as good or bad.
I found this info on Spyware.Perfect:
http://securityresponse.symantec.com/avcenter/venc/data/spyware.perfect.html
And this on Keylogger.Cone.Trojan:
http://securityresponse.symantec.com/avcenter/venc/data/keylogger.cone.trojan.html
You might want to run AdAware and Spybot Search & Destroy, as both will detect and remove some keyloggers and trojans. Also there are some good trojan removers to try in case it's a while before someone else can figure out your log.

Run HijackThis again and check the following items. Next, close all browser windows, and have HT 'fix checked'.
You must restart your computer when you're done.
O4 - HKLM\..\Run: [srvexc.exe] C:\WINDOWS\SYSTEM\srvexc.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] C:\WINDOWS\SYSTEM\EXPLORER.exe /k 1

After restarting, delete the following files:
C:\WINDOWS\SYSTEM\srvexc.exe
C:\WINDOWS\SYSTEM\EXPLORER.exe
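As an added example (not from the thread and not part of HijackThis), here is a small Python parser for O4 autostart lines that flags the two patterns the reply above acted on: a second EXPLORER.exe living outside C:\WINDOWS and an autorun entry named after its own binary. The sample lines are constructed from the log in this thread; the expected shell directory is an assumption (default install on drive C:).

```python
import re

# Constructed sample modelled on the O4 (autostart) lines quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [srvexc.exe] C:\WINDOWS\SYSTEM\srvexc.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Programfiler\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] C:\WINDOWS\SYSTEM\EXPLORER.exe /k 1
"""

# O4 line layout: "O4 - <hive>\..\<key>: [<entry name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Leading (optionally quoted) binary of the command line, arguments dropped.
BIN_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|ocx))"?', re.IGNORECASE)
# Where the Win9x shell is expected to live (assumption: default install on drive C:).
EXPECTED_HOME = {"explorer.exe": r"c:\windows"}

def parse_o4(text):
    """Return (hive, key, name, binary_path) tuples for every O4 line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            b = BIN_RE.match(m["cmd"])
            entries.append((m["hive"], m["key"], m["name"], b["path"] if b else None))
    return entries

def suspicious(entries):
    """Map entry name -> reasons, for entries showing the patterns identified in this thread."""
    findings = {}
    for hive, key, name, path in entries:
        if path is None:
            continue
        directory, _, filename = path.lower().rpartition("\\")
        reasons = []
        home = EXPECTED_HOME.get(filename)
        # 1. A system binary name outside its real directory (EXPLORER.exe in C:\WINDOWS\SYSTEM) is a classic masquerade.
        if home and directory != home:
            reasons.append(f"{filename} in {directory or '(no path)'}, expected {home}")
        # 2. The real shell is not started from a Run key; HKCU\..\Run is a common per-user persistence spot.
        if home and key == "Run":
            reasons.append(f"shell binary registered under {hive}\\..\\{key}")
        # 3. Entry name identical to the file name ([srvexc.exe]) is only a weak hint: legitimate drivers do it too.
        if name.lower() == filename:
            reasons.append("entry name equals file name (low confidence)")
        if reasons:
            findings[name] = reasons
    return findings
```

Running `suspicious(parse_o4(SAMPLE_LOG))` flags exactly the two entries Tom41 told vargen to fix; everything from Symantec, Microsoft and Trojan Remover passes.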

Thanks both suzi and Tom41 for taking time responding to my request. It seems that the viruses have been removed. The only trace is in the back up file/master log in Clean Sweep. Should I clear the Master Log? After running Hijack This, it became possible to delete srvexc.exe and explorer.exe. Great relief, believe me! I've spent many hours in front of the screen - downloading Ad-aware, Spybot, Trojan remover etc. etc., consulting friends, tried NAV's homepage removal instructions - all without success. Until now. Hijack This must be an extraordinary program. Thanks again.
