
mIRC virus


Name: matt
Date: October 8, 2003 at 07:38:00 Pacific
OS: WinXP Pro SP1
CPU/Ram: Athlon 1.2/512
Comment:

Man oh man I hope you guys can help me on this one because Norton has not been any help. I downloaded a mIRC script and just let it run. When I woke up this morning I had all these problems. Let me break it down for you so it will be easier to follow along:

1. The first thing I noticed is that an entry called ms_rev_updates.exe was in the Task Manager and I ended that process.

2. I then immediately ran Norton Antivirus but it would not scan, instead it would close and my Norton icon was not in the tray.

3. I tried to run LiveUpdate, it would not run.

4. I ran task manager and saw that ms_rev_updates.exe was running again so I ended it again.

5. I ran msconfig.exe and unchecked an entry that was loading a file called "GISet1xx.exe". The "xx" stands for characters I do not remember.

6. I then found that ms_rev_updates.exe was in c:\windows\system32\ folder along with another file called ms-rev_updates.exe

7. I renamed both files by adding on ".bak" to the end of the files.

8. After doing that I tried to run Internet Explorer from the QuickLaunch bar, it would not run saying it cannot find the path. Then, I could not run Norton from the Start Menu either. Nor System Restore.

9. I took off the ".bak" of the files in my system32 folder and then everything was running fine, but so was ms_rev_updates.

10. I restarted in Safe Mode

11. When in safe mode, I only renamed ms-rev_updates.exe to "ms-rev_updates.exe.bak"
Keep in mind the file that appears in the task manager under Normal Mode is ms_rev_updates.exe

12. I restarted my computer in Normal Mode and everything was working and the Norton icon was back in the tray.

13. I was able to update my virus definition files and run a scan

14. The scan fixed a DLL and deleted "ms_rev_updates.exe" and "ms-rev_updates.exe.bak"

15. I restarted the computer and now I'm back to nothing running at all from the Start menu, and no Norton icon in the tray.

16. I cannot even run regedit from the Run menu.

17. The only way I can run programs is if I run them using command.com, but if I try to run Norton from the command line it still does not work.

Also, when Norton did find the virus it said it was Backdoor.Trojan and Backdoor.sdbot.

I know this was long and tedious but I hope someone can help. If not, thanks for trying.

-Matt





Response Number 1
Name: Tom41
Date: October 8, 2003 at 08:48:34 Pacific
Reply:

Go here and click 'WinXP Fixes' and then 'File Association fixes'.
Download and run the .exe file association fix. http://www.dougknox.com

Then, Download 'Hijack This!'. Unzip, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.

HijackThis!


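The symptom matt describes (nothing launches from the Start menu or the Run box, yet programs still run when typed into command.com, and Internet Explorer broke the moment the renamed file disappeared) is the classic picture of a hijacked .exe file association, which is exactly what the file-association fix Tom41 links to restores. The thread never confirms that this is what happened, so treat it as an inference. The check below is an added example, not code from this thread or from dougknox.com: it validates the value of HKEY_CLASSES_ROOT\exefile\shell\open\command, whose stock content is "%1" %* (run the program itself with its arguments). The ms_rev_updates.exe path used in the test value is a constructed illustration, and read_exe_association() only works on Windows because winreg is Windows-only.

```python
"""Check whether the .exe file association has been interposed.

Added example, not from the thread. Stock Windows sets
HKEY_CLASSES_ROOT\exefile\shell\open\command to  "%1" %*  so that
double-clicking a program simply runs it. If some other executable is
placed in front of "%1", every program launch goes through that
executable first, and renaming or deleting it breaks every launch too.
"""
import re
from typing import Optional

EXPECTED_COMMAND = '"%1" %*'

# Matches an executable (quoted or not) at the start of the command, before the
# next whitespace; "%1" itself does not end in .exe and therefore never matches.
_INTERPOSED_RE = re.compile(r'^"?([^"]+?\.exe)"?(?=\s)', re.IGNORECASE)


def check_exe_association(command: str) -> dict:
    """Classify an exefile open command.

    Returns {"ok": True, "interposed": None} for the stock value, otherwise
    {"ok": False, "interposed": <path of the foreign executable or None>}.
    """
    # Normalise runs of whitespace; the registry value may carry stray spaces.
    cmd = " ".join(command.split())
    if cmd == EXPECTED_COMMAND:
        return {"ok": True, "interposed": None}
    match = _INTERPOSED_RE.match(cmd)
    return {"ok": False, "interposed": match.group(1) if match else None}


def read_exe_association() -> Optional[str]:
    """Read the live value on Windows; returns None on other platforms."""
    try:
        import winreg  # Windows-only module
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _value_type = winreg.QueryValueEx(key, "")
        return value


if __name__ == "__main__":
    live = read_exe_association()
    if live is None:
        # Not on Windows: demonstrate with a constructed hijacked value instead.
        live = r'"C:\WINDOWS\system32\ms_rev_updates.exe" "%1" %*'  # constructed example
    verdict = check_exe_association(live)
    print("exefile command:", live)
    print("stock value" if verdict["ok"] else f"TAMPERED, interposed: {verdict['interposed']}")
```

On a tampered machine the interposed path tells you which file the association depends on, which is why the order of operations matters: restore the association first (the dougknox fix rewrites it to the stock value), then remove the file. Doing it the other way round reproduces step 8 of matt's list.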

Response Number 2
Name: matt
Date: October 8, 2003 at 12:52:58 Pacific
Reply:

Logfile of HijackThis v1.97.2
Scan saved at 3:52:28 PM, on 10/8/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\Inf\Catalog\su\srunner.exe
c:\Windows\Inf\Catalog\su\explore.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\apps\Norton AntiVirus\navapsvc.exe
D:\apps\Norton AntiVirus\AdvTools\NPROTECT.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\CURSORS\meta\oledac\backup\srunner.exe
c:\windows\cursors\meta\oledac\backup\repairx\SPOOLSVC.exe
d:\apps\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ntvdm.exe
D:\apps\MICROS~1\Office10\OUTLOOK.exe
D:\Apps\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\apps\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\apps\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinVNC] "d:\apps\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\apps\NORTON~1\AdvTools\ADVCHK.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Apps\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: Save with Download Manager... - file://d:\apps\J River\Media Center\DMDownload.htm
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.7230555556
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://pluginaccess.com/celebs-nude/Browser_Plugin.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = beetit.com
O17 - HKLM\Software\..\Telephony: DomainName = beetit.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C75F3464-59D6-4447-AF7F-6966AFDE0949}: Domain = beetit.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = beetit.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = beetit.com



Response Number 3
Name: matt
Date: October 8, 2003 at 13:00:25 Pacific
Reply:

You know what, Tom41, you helped me a lot. Thank you so very much because now everything is working perfectly like before. Thank you for taking the time to read my detailed problem. Thanks again for the reply.



Response Number 4
Name: Tom41
Date: October 8, 2003 at 16:28:03 Pacific
Reply:

Hi matt,
You have some suspicious processes running:
C:\WINDOWS\Inf\Catalog\su\srunner.exe
c:\Windows\Inf\Catalog\su\explore.exe
C:\WINDOWS\CURSORS\meta\oledac\backup\srunner.exe
c:\windows\cursors\meta\oledac\backup\repairx\SPOOLSVC.exe

Go here and run an online virus scan, Copy the report and paste it in a reply.

RAV


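Tom41 picked those four paths out of matt's HijackThis log (Response 2) by eye: executables living under Inf\Catalog and CURSORS, directories that never legitimately hold programs, two of them named to resemble explorer.exe and spoolsv.exe. The same triage can be scripted. The Python below is an added example, not part of this thread and not HijackThis code: the log excerpt inside it is constructed from the log in Response 2, the trusted-location prefixes (the poster installs to D:\apps) and the list of system binary names used for the lookalike check are assumptions you would tune for your own machine, and O17 lines are reported for confirmation rather than flagged as malicious, because a Domain value can legitimately come from an ISP or a corporate network.

```python
"""Triage a HijackThis log: running processes in odd places, lookalike names, O17 entries.

Added example, not from the thread or from HijackThis. Heuristics:
  * a process binary outside the trusted prefixes (assumed list, tune per machine)
  * a base name within one edit of a well-known Windows system binary name
  * any O17 (TCP/IP Domain / DomainName) entry, listed so the user can confirm it
  * an O4 autostart pointing outside the trusted prefixes
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the log posted in Response 2 of this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Inf\Catalog\su\srunner.exe
c:\Windows\Inf\Catalog\su\explore.exe
D:\apps\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\CURSORS\meta\oledac\backup\srunner.exe
c:\windows\cursors\meta\oledac\backup\repairx\SPOOLSVC.exe
C:\WINDOWS\explorer.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = beetit.com
"""

# Assumed defaults; add your own install directories (matt would add d:\apps\).
DEFAULT_TRUSTED = ("c:\\windows\\system32\\", "c:\\windows\\explorer.exe", "c:\\program files\\")
# Assumed set of system binary names that malware likes to imitate.
KNOWN_SYSTEM = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
                "spoolsv", "explorer", "cisvc", "cidaemon"}


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return a == b
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def is_lookalike(base_name: str) -> bool:
    """A name that is not a system binary but is one edit away from one."""
    return base_name not in KNOWN_SYSTEM and any(within_one_edit(base_name, k) for k in KNOWN_SYSTEM)


def parse_hjt(log: str) -> Dict[str, list]:
    """Split a HijackThis log into the process list and keyed entries (R0, F1, O4, O17...)."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process section
                in_procs = False
            else:
                processes.append(line)
            continue
        m = re.match(r"^([RFNO]\d+) - (.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def triage(log: str, trusted_prefixes=DEFAULT_TRUSTED) -> List[dict]:
    """Return findings as dicts: {"type", "item", "reasons"}."""
    prefixes = tuple(p.lower() for p in trusted_prefixes)
    findings: List[dict] = []
    parsed = parse_hjt(log)
    for path in parsed["processes"]:
        low = path.lower().replace("/", "\\")
        base = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if not low.startswith(prefixes):
            reasons.append("binary outside trusted locations")
        if is_lookalike(base):
            reasons.append("name resembles a Windows system binary")
        if reasons:
            findings.append({"type": "process", "item": path, "reasons": reasons})
    for key, body in parsed["entries"]:
        if key == "O17":
            m = re.search(r"Domain(?:Name)?\s*=\s*(\S+)", body)
            findings.append({"type": "O17", "item": m.group(1) if m else body,
                             "reasons": ["domain setting: confirm it belongs to your ISP or network"]})
        elif key == "O4":
            m = re.search(r'\]\s*"?([a-z]:\\[^"]+?\.exe)', body, re.IGNORECASE)
            if m and not m.group(1).lower().startswith(prefixes):
                findings.append({"type": "O4", "item": m.group(1),
                                 "reasons": ["autostart from outside trusted locations"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, DEFAULT_TRUSTED + ("d:\\apps\\",)):
        print(f"{f['type']:8} {f['item']}  <- {'; '.join(f['reasons'])}")
```

Run against the constructed excerpt this prints exactly the four processes Tom41 listed (two of them additionally tagged as lookalikes) plus the beetit.com domain entry for confirmation, and nothing from System32, Program Files or D:\apps. The prefix list is deliberately a parameter: a tool that trusts every path in Program Files is still easy to fool, so the output is a shortlist to send for analysis, as Tom41 asks in Response 7, not a verdict.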

Response Number 5
Name: matt
Date: October 8, 2003 at 17:06:47 Pacific
Reply:

oh damn, I'll get right on it and post a reply.




Response Number 6
Name: matt
Date: October 8, 2003 at 19:14:35 Pacific
Reply:

Scan started at 10/8/2003 10:02:41 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\matt\Local Settings\Application Data\Microsoft\Outlook\Microsoft\Outlook\Matt - ComcastMatt - Hotmail-00000004.pst->Attachment.555: "MyProfile.scr" - Win32/Yaha.L@mm -> Infected
C:\Documents and Settings\matt\Local Settings\Temp\Temporary Internet Files\Content.IE5\A5ZG5W7Q\pup[1].htm->(SCRIPT0000) - JS/Noclose* -> Infected

Scanned
============================
Objects: 6282
Directories: 731
Archives: 0
Size(Kb): -1924361
Infected files: 2

Found
============================
Viruses found: 2
Suspicious files: 0
Disinfected files: 0
Mail files: 658

Scanned
============================
Objects: 6284
Directories: 731
Archives: 0
Size(Kb): -1924358
Infected files: 2

Found
============================
Viruses found: 2
Suspicious files: 0
Disinfected files: 0
Mail files: 658


Well, that's the report; you were right. This found viruses that Norton did not. But it doesn't say which files.



Response Number 7
Name: Tom41
Date: October 9, 2003 at 00:37:17 Pacific
Reply:

Hi matt,
The RAV report is showing an infected email attachment, Attachment.555: "MyProfile.scr", and a JS exploit in your Temporary Internet Files.
Just delete the email and empty your TIF folder.

Can you copy the following files, zip them and email them to me to analyze? Click my name for the email addy.
C:\WINDOWS\Inf\Catalog\su\srunner.exe
c:\Windows\Inf\Catalog\su\explore.exe
C:\WINDOWS\CURSORS\meta\oledac\backup\srunner.exe
c:\windows\cursors\meta\oledac\backup\repairx\SPOOLSVC.exe




Response Number 8
Name: matt
Date: October 9, 2003 at 04:45:52 Pacific
Reply:

no problem, I'll send it.



Response Number 9
Name: TSmith
Date: October 15, 2003 at 01:30:29 Pacific
Reply:

Hi, I'm not sure if this is the place to ask this, but I've been having some troubles with my computer as well. When I open my Task Manager, I have a program called pup.exe. The process goes to 53205239.exe or something like that; it changes all the time though. I don't know what to do. I've run Norton and Ad-Aware, and neither find anything, but I know there's something wrong. Can you help me?



Response Number 10
Name: Jess C
Date: October 16, 2003 at 14:24:33 Pacific
Reply:

I have the same problem as TSmith. It brings my CPU usage up to 100% even after I end-task the program. It also slows down my internet or just flat out stops it. I'm pretty sure it's not supposed to be there and no firewall, anti-virus software or adware can pick it up. Please help, it's a very annoying problem.



Response Number 11
Name: Matt J
Date: October 19, 2003 at 02:52:22 Pacific
Reply:

I have had the same problem as matt and have followed the advice of Tom41 and run the RAV virus scan, and this is the report that I have received.

Scan started at 19/10/2003 17:58:46

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\Matthew Jones\Local Settings\Temporary Internet Files\Content.IE5\2R23MTAN\99950320[1].exe->(JDPack) - Tool:PornDialer.BZ -> Infected
C:\Documents and Settings\Matthew Jones\Local Settings\Temporary Internet Files\Content.IE5\S54T6N81\winpup[1].exe - Trojan:Win32/StartPade.AE -> Infected
C:\Program Files\NvidStar\nvd32.exe - TrojanDownloader:Win32/Istbar.D -> Infected
C:\WINNT\Adult_Chat.exe->(JDPack) - Tool:PornDialer.BZ -> Infected
C:\WINNT\system32\15496462.exe - Trojan:Win32/StartPade.AE -> Infected
C:\WINNT\system32\69950503.exe - Trojan:Win32/StartPade.AE -> Infected

Scanned
============================
Objects: 64648
Directories: 5948
Archives: 6907
Size(Kb): -535482
Infected files: 6

Found
============================
Viruses found: 3
Suspicious files: 0
Disinfected files: 0
Mail files: 381

Can anyone help, as this is really annoying while trying to use my machine.

Thanks



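Both RAV reports in this thread (Responses 6 and 11) use the same line format: the file on disk, then any nested object separated by "->" (a mail attachment, a script inside a cached page, a packer layer), then " - " and the detection name, then " -> " and the verdict. So the file is always named; the nesting is what makes matt's first reading confusing. The Python below is an added example, not RAV's code and not anything posted in the thread: it parses that format and groups findings the way Tom41 did in Response 7 (mail store, browser cache, elsewhere on disk). The embedded report is a constructed sample in the thread's format, and the cross-check that "Infected files" counts findings while "Viruses found" counts distinct detection names is inferred from the two reports here (2 files / 2 names, 6 files / 3 names), not taken from RAV documentation.

```python
"""Parse a RAV-style online scan report into structured findings.

Added example, not RAV's own code. Line format inferred from the two
reports in this thread:
    <file>[-><inner object>...] - <detection> -> <verdict>
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample in the format of the reports posted in this thread.
SAMPLE_REPORT = r"""Scan started at 10/8/2003 10:02:41 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\matt\Local Settings\Application Data\Microsoft\Outlook\Matt - Hotmail-00000004.pst->Attachment.555: "MyProfile.scr" - Win32/Yaha.L@mm -> Infected
C:\Documents and Settings\matt\Local Settings\Temp\Temporary Internet Files\Content.IE5\A5ZG5W7Q\pup[1].htm->(SCRIPT0000) - JS/Noclose* -> Infected
C:\WINNT\system32\15496462.exe - Trojan:Win32/StartPade.AE -> Infected

Scanned
============================
Objects: 6282
Directories: 731
Size(Kb): -1924361
Infected files: 3

Found
============================
Viruses found: 3
Suspicious files: 0
"""

# "Key: number" summary lines; the negative Size(Kb) seen in the thread looks like a
# counter overflow in the scanner (an assumption), so nothing here relies on it.
_SUMMARY_RE = re.compile(r"^([A-Za-z()]+(?: [A-Za-z()]+)*):\s*(-?\d+)$")


def parse_finding(line: str) -> Optional[dict]:
    """One report line -> finding dict, or None for status and summary lines."""
    if " -> " not in line:
        return None
    obj, verdict = line.rsplit(" -> ", 1)
    if " - " not in obj:
        return None
    # rsplit from the right: file names may themselves contain " - " (the .pst above does)
    obj, detection = obj.rsplit(" - ", 1)
    chain = obj.split("->")
    return {"file": chain[0].strip(), "inner": [c.strip() for c in chain[1:]],
            "detection": detection.strip(), "verdict": verdict.strip()}


def locate(path: str) -> str:
    """Where the infected object lives, which decides the cleanup action."""
    low = path.lower()
    if "temporary internet files" in low:
        return "browser cache"      # empty the TIF folder
    if low.endswith(".pst"):
        return "mail store"         # delete the message carrying the attachment
    return "on disk"                # a real file to remove or submit for analysis


def parse_report(text: str) -> Dict[str, object]:
    findings: List[dict] = []
    summary: Dict[str, int] = {}
    for line in text.splitlines():
        finding = parse_finding(line)
        if finding:
            findings.append(finding)
            continue
        m = _SUMMARY_RE.match(line.strip())
        if m:
            summary[m.group(1)] = int(m.group(2))
    return {"findings": findings, "summary": summary}


def summarize(text: str) -> Dict[str, object]:
    """Group findings by location and cross-check them against the scanner's own totals."""
    report = parse_report(text)
    findings = report["findings"]
    summary = report["summary"]
    distinct = sorted({f["detection"] for f in findings})
    return {
        "files": [f["file"] for f in findings],
        "by_location": dict(Counter(locate(f["file"]) for f in findings)),
        "detections": distinct,
        # Inferred from the thread's two reports: Infected files == findings, Viruses found == distinct names.
        "matches_summary": summary.get("Infected files") == len(findings)
                           and summary.get("Viruses found") == len(distinct),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    for f in parse_report(SAMPLE_REPORT)["findings"]:
        inner = " -> ".join(f["inner"]) or "(the file itself)"
        print(f"[{locate(f['file'])}] {f['file']}\n    object: {inner}\n    detection: {f['detection']}")
    print("by location:", result["by_location"], "| totals consistent:", result["matches_summary"])
```

The by-location grouping is what turns the report into an action list: browser-cache hits go away by emptying Temporary Internet Files, a hit inside a .pst is a message to delete, and only the "on disk" entries (the numbered .exe files in Matt J's system32, for instance) need to be removed by hand or sent off for analysis.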

Response Number 12
Name: bigmotorfokker
Date: October 20, 2003 at 00:25:05 Pacific
Reply:

I am having the exact same problem as Jess and Matt! This is a real bugger. I really need help.


