
download.trojan virus byvwv.dll (HJT log included)

Discussion in 'Malware and Virus Removal Archive' started by gloakley, 2005/05/10.

Thread Status:
Not open for further replies.
  1. 2005/05/10
    gloakley

    gloakley Inactive Thread Starter

    Joined:
    2005/05/10
    Messages:
    11
    Likes Received:
    0
    Hello, I need some serious help.

    My antivirus has detected a download.trojan virus
    C:\WINDOWS.001\system32\byvwv.dll

    The only problem is it can't be deleted, Spybot S&D does nothing and my antivirus can't touch it.

    I would really appreciate some help

    thanks

    Here is the HJT Log

    Logfile of HijackThis v1.99.1
    Scan saved at 8:13:37 PM, on 5/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS.001\System32\smss.exe
    C:\WINDOWS.001\system32\winlogon.exe
    C:\WINDOWS.001\system32\services.exe
    C:\WINDOWS.001\system32\lsass.exe
    C:\WINDOWS.001\system32\svchost.exe
    C:\WINDOWS.001\System32\svchost.exe
    C:\WINDOWS.001\system32\LEXBCES.EXE
    C:\WINDOWS.001\system32\spoolsv.exe
    C:\WINDOWS.001\system32\LEXPPS.EXE
    C:\WINDOWS.001\Explorer.EXE
    C:\PROGRA~1\NORTON~2\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Palm\Hotsync.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS.001\System32\nvsvc32.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS.001\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Gerald Lee Oakley\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS.001\system32\BhoCitUS.dll
    O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS.001\system32\byvwv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS.001\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.001\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.001\System32\msjava.dll
    O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://152.2.80.46/activex/AxisCamControl.cab
    O20 - Winlogon Notify: byvwv - C:\WINDOWS.001\SYSTEM32\byvwv.dll
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS.001\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
    O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.001\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  2. 2005/05/10
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Hello, and welcome to the boards.

    Open up HJT and choose Scan Only and remove these items.
    O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS.001\system32\byvwv.dll
    O20 - Winlogon Notify: byvwv - C:\WINDOWS.001\SYSTEM32\byvwv.dll

    Then in HJT, click on the Config button. You should see a section called System Tools, click on 'Delete a file on reboot'. A File Open window should appear, then copy/paste "C:\WINDOWS.001\SYSTEM32\byvwv.dll" or browse to it. When you click on Open in this window you will be prompted to reboot.

    Open Windows Explorer before you reboot, go to the folder C:\Windows\Prefetch and delete all files there.

    Did you have some really bad problems to cause you to reinstall windows into the folder C:\Windows.001?
    XP will run fine like this, as it doesn't care where it is installed, just curious is all.
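Added example, not part of the original thread or of any poster's reply: a Python sketch of the triage behind the reply above, which picks the O2 and O20 lines out of the HijackThis log. It assumes the `O2 - BHO: name - {CLSID} - path` and `O20 - Winlogon Notify: name - path` layouts seen in the posted log; `parse_entries` and `triage` are hypothetical names, and the sample lines are a constructed subset of that log.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample: a handful of lines copied from the HijackThis v1.99.1 log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS.001\system32\byvwv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O20 - Winlogon Notify: byvwv - C:\WINDOWS.001\SYSTEM32\byvwv.dll
"""

Entry = namedtuple("Entry", "section name clsid path")

# "<section> - <kind>: <rest>"; R0/R1 lines have no ": " separator and are skipped.
ENTRY_RE = re.compile(r"^\s*(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.+?)\s*$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_entries(log_text):
    """Return the O2 (BHO) and O20 (Winlogon Notify) entries found in a log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, kind, rest = m.group("section", "kind", "rest")
        if section == "O2" and kind == "BHO":
            # Split from the right so a " - " inside the BHO name is tolerated.
            parts = rest.rsplit(" - ", 2)
            if len(parts) == 3 and CLSID_RE.match(parts[1]):
                entries.append(Entry(section, parts[0], parts[1], parts[2]))
        elif section == "O20" and kind == "Winlogon Notify":
            parts = rest.rsplit(" - ", 1)
            if len(parts) == 2:
                entries.append(Entry(section, parts[0], None, parts[1]))
    return entries


def triage(log_text):
    """Map each DLL path (lower-cased) to the reasons it deserves a closer look."""
    by_path = defaultdict(list)
    for entry in parse_entries(log_text):
        # Windows paths are case-insensitive: the log spells the same file
        # as system32\byvwv.dll under O2 and SYSTEM32\byvwv.dll under O20.
        by_path[entry.path.lower()].append(entry)

    findings = {}
    for path, entries in by_path.items():
        sections = {e.section for e in entries}
        reasons = []
        if {"O2", "O20"} <= sections:
            reasons.append("same DLL is both a BHO (O2) and a Winlogon Notify entry (O20)")
        if any(e.section == "O2" and e.name == "(no name)" for e in entries):
            reasons.append("BHO has no class name")
        if "O20" in sections:
            reasons.append("Winlogon Notify DLL, loaded inside winlogon.exe")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for dll, reasons in triage(SAMPLE_LOG).items():
        print(dll)
        for reason in reasons:
            print("  -", reason)
```
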
     


  4. 2005/05/14
    gloakley

    Thanks for the welcome and the advice, but it doesn't seem to be working. I have tried it about 4 times over the last couple of days and the file just can't/won't be deleted.

    Even when I delete on reboot that file is still there and running when the computer boots up.

    Am I forgetting something or is there an alternative way I should try to remove it?

    thanks again
     
  5. 2005/05/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please download MWAV. Save it to your desktop and double click to open. Check the boxes for Memory, Registry, Startup Folders, System Folders, Services, Drive, All Local Drives and Scan All Files, then click scan. When it completes, copy the lower window labeled Virus Log Information and post it here. Takes quite a long time for it to finish, so be patient. ;)

    Please post a fresh HijackThis log too.
     
  6. 2005/05/22
    gloakley

    MWAV Log:

    Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS.001\System32\iuctl.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS.001\Downloaded Program Files\RdxIE.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS.001\SYSTEM\danim.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS.001\SYSTEM\ddrawex.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS.001\SYSTEM\quartz.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS.001\SYSTEM\wuv3is.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS.001\wupdmgr.exe ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM32\wuv3is.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "c:\windows.001\system\iosubsys\cdralvsd.vxd ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\iosubsys\CDR4VSD.VXD ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\DBMSSHRN.DLL ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_950.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\MSDART32.DLL ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\SYSTEM\ole db\SQLSOLDB.HLP ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\SQLSODBC.HLP ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CLICONF.HLP ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM32\MSRPJT40.DLL ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_936.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_949.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_932.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_874.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_21866.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_28591.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_20866.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_1258.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_1257.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_1256.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_1255.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_1254.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_1253.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_1252.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_1251.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\CP_1250.NLS ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM32\EXSEC32.DLL ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\iosubsys\UDFREADR.VXD ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\SYMEVNT.386 ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM32\URLCACHE.DLL ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\LOGBOOK.CNT ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\WINFAX.DRV ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\SYSTEM\WINFAXHQ.DRV ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\System32\iuctl.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\System32\l3codecx.acm ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\System32\drivers\Cdudf.sys ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\System32\drivers\UdfReadr.sys ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\System32\drivers\cdr4_2K.sys ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\System32\NeroCheck.exe ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS.001\System32\pxwma.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{00020D05-0000-0000-C000-000000000046}" refers to invalid object "outex.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{000C0A0A-0000-0000-C000-000000000046}" refers to invalid object "pj8od8.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{000C0A18-0000-0000-C000-000000000046}" refers to invalid object "pj8od8.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{000C0A19-0000-0000-C000-000000000046}" refers to invalid object "pj8od8.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{0DAD2FDD-5FD7-11D3-8F50-00C04F7971E2}" refers to invalid object "C:\WINDOWS.001\SYSTEM32\msdvbnp.ax ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{0DED49D5-A8B7-4d5d-97A1-12B0C195874D}" refers to invalid object "C:\WINDOWS.001\SYSTEM32\bdaplgin.ax ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{121778C8-F1C0-11d2-8FEF-00A0C9224CF4}" refers to invalid object "C:\WINDOWS.001\SYSTEM32\psisdecd.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{121778C9-F1C0-11d2-8FEF-00A0C9224CF4}" refers to invalid object "C:\WINDOWS.001\SYSTEM32\psisdecd.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{29FF67FF-8050-480f-9F30-CC41635F2F9D}" refers to invalid object "ADMWPROX.DLL ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{34C9990F-CBD7-11D2-AE0E-00C04FAEA83F}" refers to invalid object "C:\PROGRA~1\ONLINE~1\MSN50\OCX\MSNSETUP.DLL ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{3F4DC8E2-4050-11d3-8F4B-00C04F7971E2}" refers to invalid object "ipsink.ax ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{69DCD3A4-E058-11D3-B33D-00AADD627840}" refers to invalid object "C:\WINDOWS.001\SYSTEM32\psisrndr.ax ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{70B51430-B6CA-11D0-B9B9-00A0C922E750}" refers to invalid object "ADMWPROX.DLL ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{724bb6a4-e526-450f-affa-ab9b45129111}" refers to invalid object "C:\WINDOWS.001\System32\wmv9dmod.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{8298d101-f992-43b7-8eca-5052d885b995}" refers to invalid object "ADMWPROX.DLL ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{83D4679F-B6D7-11D2-BF36-00C04FB90A03}" refers to invalid object "C:\PROGRA~1\MESSEN~1\rtcimsp.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{9EDF976D-166F-11d2-A813-0080C7373510}" refers to invalid object "C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SMLNSCP.DLL ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{A9E69612-B80D-11D0-B9B9-00A0C922E750}" refers to invalid object "ADMWPROX.DLL ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{E3444D16-5AC4-4386-88DF-13FD230E1DDA}" refers to invalid object "C:\WINDOWS.001\SYSTEM32\msdvbnp.ax ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{f159cf30-0db4-11d1-b272-00aa00b8de95}" refers to invalid object "C:\WINDOWS.001\SYSTEM32\MSRPJT40.DLL ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{f612954d-3b0b-4c56-9563-227b7be624b4}" refers to invalid object "ADMWPROX.DLL ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{F7E6A831-DEF1-4B25-859C-DA2AD9E9596D}" refers to invalid object "C:\WINDOWS.001\SYSTEM32\psisdecd.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{F808DF6F-6049-11D1-BA20-006097D2898E}" refers to invalid object " "C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\LAPRXY.DLL" ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{FA4B375A-45B4-4D45-8440-263957B11623}" refers to invalid object "C:\WINDOWS.001\SYSTEM32\msdvbnp.ax ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{FC772AB0-0C7F-11D3-8FF2-00A0C9224CF4}" refers to invalid object "C:\WINDOWS.001\SYSTEM32\psisrndr.ax ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{FD0A5AF3-B41D-11d2-9C95-00C04F7971E0}" refers to invalid object "C:\WINDOWS.001\SYSTEM32\bdaplgin.ax ". Action Taken: No Action Taken.
    Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C} ". Action Taken: No Action Taken.
    Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C} ". Action Taken: No Action Taken.
    Entry "HKCR\CDDBControlRoxio.CddbFullName.1" refers to invalid object "{1c6e0e46-4e5f-492d-b946-44291b931361} ". Action Taken: No Action Taken.
    Entry "HKCR\CDDBControlRoxio.FullName" refers to invalid object "{1c6e0e46-4e5f-492d-b946-44291b931361} ". Action Taken: No Action Taken.
    Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801} ". Action Taken: No Action Taken.
    Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801} ". Action Taken: No Action Taken.
    Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be} ". Action Taken: No Action Taken.
    Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be} ". Action Taken: No Action Taken.
    Entry "HKCR\TSHOOT.TSHOOTCtrl.1" refers to invalid object "{4B106874-DD36-11D0-8B44-00A024DD9EFF} ". Action Taken: No Action Taken.
    Entry "HKCR\WMDMPDAExplorer.WMDMPDAExplorer" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2} ". Action Taken: No Action Taken.
    Entry "HKCR\WMDMPDAExplorer.WMDMPDAExplorer.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2} ". Action Taken: No Action Taken.
    Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2} ". Action Taken: No Action Taken.
    Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2} ". Action Taken: No Action Taken.
    Entry "HKCR\WMPShell.HWEventHandler" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5} ". Action Taken: No Action Taken.
    Entry "HKCR\WMPShell.HWEventHandler.1" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5} ". Action Taken: No Action Taken.
    File C:\WINDOWS.001\PTSNOOP.EXE tagged as not-a-virus:Tool.Win16.PTSnoop. No Action Taken.
     
  7. 2005/05/22
    gloakley

    Thanks again!!

    New HJT:
    Running processes:
    C:\WINDOWS.001\System32\smss.exe
    C:\WINDOWS.001\system32\winlogon.exe
    C:\WINDOWS.001\system32\services.exe
    C:\WINDOWS.001\system32\lsass.exe
    C:\WINDOWS.001\system32\svchost.exe
    C:\WINDOWS.001\System32\svchost.exe
    C:\WINDOWS.001\system32\LEXBCES.EXE
    C:\WINDOWS.001\system32\spoolsv.exe
    C:\WINDOWS.001\system32\LEXPPS.EXE
    C:\WINDOWS.001\Explorer.EXE
    C:\PROGRA~1\NORTON~2\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Palm\Hotsync.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS.001\System32\nvsvc32.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS.001\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Gerald Lee Oakley\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS.001\system32\BhoCitUS.dll
    O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS.001\system32\byvwv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS.001\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.001\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.001\System32\msjava.dll
    O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://152.2.80.46/activex/AxisCamControl.cab
    O20 - Winlogon Notify: byvwv - C:\WINDOWS.001\SYSTEM32\byvwv.dll
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS.001\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
    O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.001\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


    Once again thanks, I have been trying to get this fixed for weeks and I appreciate any help you can give.
     
  8. 2005/05/23
    noahdfear

    Please download Process Explorer and extract to its own folder.

    Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

    Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

    Extract the file to a folder.

    Open APM. Open Process Explorer and click Find>Find Dll, then type in byvwv.dll and click Search. The lower pane will show all processes in which the dll is loaded. Now pull up the APM window and click a process shown in the search, then locate the dll in the lower pane, right click and select Unload DLL. Click OK on the prompts that follow. Repeat for each process in the PE search results. When done, repeat the search with PE to verify that it has been unloaded from all processes.

    Open the PV folder and double click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS.001\system32\byvwv.dll

    Check the boxes to Replace on reboot and Use Dummy, click the red X to the right. Click Yes, then NO to the reboot now prompt.

    Close all windows and applications.

    Scan again with HijackThis and fix the following entries.

    O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS.001\system32\byvwv.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O20 - Winlogon Notify: byvwv - C:\WINDOWS.001\SYSTEM32\byvwv.dll

    Close and reboot.

    Open C:\WINDOWS.001\system32 and delete byvwv.dll

    Scan again and post a new HJT log.
     
  9. 2005/05/23
    gloakley

    gloakley Inactive Thread Starter

    Joined:
    2005/05/10
    Messages:
    11
    Likes Received:
    0
    There seems to be a problem, the 2 processes the dll is being used on are
    winlogon.exe and explorer.exe

    When I try to unload it from winlogon my entire system shuts down and reboots immediately. Also when I try to do a killbox for the file it tells me that it has been interrupted by an external process.

    Any suggestions on how to remove it from winlogon and not have my system logoff and reboot?
     
  10. 2005/05/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Do you have a genuine XP cd? NOT a recovery cd! If not, can you borrow one?
     
  11. 2005/05/24
    gloakley

    gloakley Inactive Thread Starter

    Joined:
    2005/05/10
    Messages:
    11
    Likes Received:
    0
    Yes I do have an XP disc, full version of the software.
     
  12. 2005/05/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great! Will you please zip and attach a copy of that dll to an email to me here?
    Not sure if I'll be back on again today, but will work up something to try asap. This stubborn file, although differently named in each case, is rapidly becoming a problem across the net. I have something in mind but want to see if I can gain more info through checking out that file before we try. ;) Hang in there! ;)
     
  13. 2005/05/24
    gloakley

    gloakley Inactive Thread Starter

    Joined:
    2005/05/10
    Messages:
    11
    Likes Received:
    0
    Thanks,

    As soon as I get back to my home computer I will zip a copy of it to you.

    Thanks again for all the help with this.
     
  14. 2005/05/25
    gloakley

    gloakley Inactive Thread Starter

    Joined:
    2005/05/10
    Messages:
    11
    Likes Received:
    0
    I apologize, I ended up getting too busy at work and didn't have time to zip it over to you. Will try again tonight.
     
  15. 2005/05/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The zip file was empty. Probably the dll protecting itself and not allowing it to be copied. :( Let's give this a whirl.

    First you need to create a dummy file. Open the C:\WINDOWS.001\system32 directory. Right click and select new>text. Name it byvwv.old and click OK to the prompts.
    Open the cd tray, slip in the XP disk and reboot. Note** This must be a genuine XP CD, not a recovery cd like you get with many OEM machines!
    The machine will need to have boot from cd first enabled in the BIOS. Most are already.
    Upon boot up, watch the screen for a 'Press any key to boot from cd' and press any key.
    Setup will transfer files and stop at an options screen. Choose R for recovery console.
    You will be prompted for the Administrator password. If none was set, press enter.
    You will be offered which installation to start, eg;
    1. C:\WINDOWS.001
    Press 1 and enter.
    You will arrive at a C:\WINDOWS.001 prompt.
    Type cd C:\WINDOWS.001\system32 and hit enter. You should now be at a C:\WINDOWS.001\system32 prompt. Type the following commands and hit enter after each line.

    attrib -r byvwv.dll
    attrib -h byvwv.dll
    attrib -s byvwv.dll
    del byvwv.dll
    rename byvwv.old byvwv.dll
    exit

    The machine will restart. Either take the cd out right away or do not touch any keys until the Welcome screen so that it skips the boot from cd option.

    Open HijackThis and place a check next to the following entries, close all other windows and click fix.

    O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS.001\system32\byvwv.dll
    O20 - Winlogon Notify: byvwv - C:\WINDOWS.001\SYSTEM32\byvwv.dll

    Reboot and delete the dummy byvwv.dll file.

    Scan again with HijackThis and post a new log.

    **Note: There is a space after each of the above commands and switches:
    cd
    attrib
    del
    -r
    -h
    -s
    rename

    and between the filenames;
    byvwv.old
    byvwv.dll
     
  16. 2005/06/07
    gloakley

    gloakley Inactive Thread Starter

    Joined:
    2005/05/10
    Messages:
    11
    Likes Received:
    0
    It looks like you fixed the problem, thank you so much for the help, I can't tell you how much I appreciate it.

    the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:32:00 PM, on 6/7/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS.001\System32\smss.exe
    C:\WINDOWS.001\system32\winlogon.exe
    C:\WINDOWS.001\system32\services.exe
    C:\WINDOWS.001\system32\lsass.exe
    C:\WINDOWS.001\system32\svchost.exe
    C:\WINDOWS.001\System32\svchost.exe
    C:\WINDOWS.001\Explorer.EXE
    C:\WINDOWS.001\system32\LEXBCES.EXE
    C:\WINDOWS.001\system32\LEXPPS.EXE
    C:\WINDOWS.001\system32\spoolsv.exe
    C:\PROGRA~1\NORTON~2\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS.001\System32\nvsvc32.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS.001\system32\wuauclt.exe
    C:\Palm\Hotsync.exe
    C:\WINDOWS.001\system32\wuauclt.exe
    C:\Documents and Settings\Gerald Lee Oakley\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS.001\system32\BhoCitUS.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS.001\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.001\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.001\System32\msjava.dll
    O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://152.2.80.46/activex/AxisCamControl.cab
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS.001\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
    O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.001\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
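
Added example, not part of the original thread and not HijackThis's own code: a Python check that parses HijackThis entries and confirms that no load point still references byvwv.dll after the cleanup. The sample lines are copied from the logs in this thread; the function names are hypothetical.

```python
import ntpath
import re

# Constructed samples: entries copied from the logs posted in this thread.
BEFORE = r"""
    O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS.001\system32\byvwv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O20 - Winlogon Notify: byvwv - C:\WINDOWS.001\SYSTEM32\byvwv.dll
"""
AFTER = r"""
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

# Section code (R0, O2, O20, ...) followed by " - " and the entry detail.
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.+?)\s*$")


def parse_hjt(log):
    """Return (section, detail, target) for every R/F/N/O entry in a log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list or blank line
        section, detail = m.groups()
        # The file or URL an entry points at is its last " - " field.
        target = detail.rsplit(" - ", 1)[-1]
        entries.append((section, detail, target))
    return entries


def _key(entry):
    # Windows paths are case-insensitive (system32 vs SYSTEM32 in the log).
    return (entry[0], entry[2].lower())


def references(entries, filename):
    """Sections that still load `filename`, compared case-insensitively."""
    want = filename.lower()
    return sorted({s for s, _, t in entries if ntpath.basename(t).lower() == want})


def removed(before, after):
    """Entries present before the cleanup and absent afterwards."""
    still = {_key(e) for e in after}
    return [e for e in before if _key(e) not in still]
```

An empty result from `references(parse_hjt(log), "byvwv.dll")` on the new log means neither the BHO (O2) nor the Winlogon Notify (O20) load point remains.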
     