simflex
asked on
browser hijack
I have got a bunch of spyware and popups on my pc.
I have run ewido, spybot, spysubstract, and ms antispyware software.
I keep getting message that all is gone except one that is called downloader.zlob.re and then my browser got hijacked. All I see is about:blank.
I recently ran hijackthis and this is what I have:
Logfile of HijackThis v1.99.1
Scan saved at 10:36:34 PM, on 6/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spools
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.ex
C:\WINDOWS\System32\atmclk
C:\WINDOWS\System32\dcomcf
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTra
C:\WINDOWS\System32\2c4521
C:\WINDOWS\System32\ctfmon
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\interMute\SpySubtrac
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\slserv
C:\WINDOWS\System32\svchos
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\hjt\HijackThis.exe
R0 - HKLM\Software\Microsoft\In
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [2c45219d.exe] C:\WINDOWS\System32\2c4521
O4 - HKCU\..\Run: [2c45219d.exe] C:\Documents and Settings\sam.IRS-GLCAHAXGX
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.ex
O4 - Global Startup: .protected
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtrac
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {17492023-C23A-453E-A040-C
O16 - DPF: {30528230-99f7-4bb4-88d8-f
O16 - DPF: {352797A0-EFD0-4FA6-B229-1
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-2
O16 - DPF: {F919FBD3-A96B-4679-AF26-F
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLog
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.ex
O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: sqlsrvd (sqlsrvdaemon) - Unknown owner - C:\WINDOWS\_sqlexec.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Does anyone know how to read this?
I need as much info as you can be kind enough to provide.
Thanks
I have run ewido, spybot, spysubstract, and ms antispyware software.
I keep getting message that all is gone except one that is called downloader.zlob.re and then my browser got hijacked. All I see is about:blank.
I recently ran hijackthis and this is what I have:
Logfile of HijackThis v1.99.1
Scan saved at 10:36:34 PM, on 6/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spools
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.ex
C:\WINDOWS\System32\atmclk
C:\WINDOWS\System32\dcomcf
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTra
C:\WINDOWS\System32\2c4521
C:\WINDOWS\System32\ctfmon
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\interMute\SpySubtrac
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\slserv
C:\WINDOWS\System32\svchos
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\hjt\HijackThis.exe
R0 - HKLM\Software\Microsoft\In
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [2c45219d.exe] C:\WINDOWS\System32\2c4521
O4 - HKCU\..\Run: [2c45219d.exe] C:\Documents and Settings\sam.IRS-GLCAHAXGX
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.ex
O4 - Global Startup: .protected
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtrac
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {17492023-C23A-453E-A040-C
O16 - DPF: {30528230-99f7-4bb4-88d8-f
O16 - DPF: {352797A0-EFD0-4FA6-B229-1
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-2
O16 - DPF: {F919FBD3-A96B-4679-AF26-F
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLog
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.ex
O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: sqlsrvd (sqlsrvdaemon) - Unknown owner - C:\WINDOWS\_sqlexec.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Does anyone know how to read this?
I need as much info as you can be kind enough to provide.
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The HJT log is looking pretty good. Probably SmithFraudFix did the trick. You can see the analyzed version at:
http://www.hijackthis.de/logfiles/6e1463065c7d3b64fc5ac86eee8cf9f0.html
There are only two things of note:
O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE (file missing)
O23 - Service: sqlsrvd (sqlsrvdaemon) - Unknown owner - C:\WINDOWS\_sqlexec.exe (file missing)
Did you run the Services control panel (Start -> Control panel -> Admin Tools -> Services) and stop and disable them?
If not, do so now.
After you've stopped and disabled them you can delete these two Services altogether. See:
http://theeldergeek.com/add_a_service_in_windows_xp.htm
for how to.
Run a final HJT. Instead of posting it here you can post to http://www.hijackthis.de/ and click on the "Analyze" button to make sure nothing bad is left.
http://www.hijackthis.de/logfiles/6e1463065c7d3b64fc5ac86eee8cf9f0.html
There are only two things of note:
O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE (file missing)
O23 - Service: sqlsrvd (sqlsrvdaemon) - Unknown owner - C:\WINDOWS\_sqlexec.exe (file missing)
Did you run the Services control panel (Start -> Control panel -> Admin Tools -> Services) and stop and disable them?
If not, do so now.
After you've stopped and disabled them you can delete these two Services altogether. See:
http://theeldergeek.com/add_a_service_in_windows_xp.htm
for how to.
Run a final HJT. Instead of posting it here you can post to http://www.hijackthis.de/ and click on the "Analyze" button to make sure nothing bad is left.
ASKER
r-k, thank you very much.
Yes, I did disable it as I was instructed. Infact I saw those 2 things you talked about but I wanted to post the file as is first.
I will delete the other 2 and repost.
Yes, I did disable it as I was instructed. Infact I saw those 2 things you talked about but I wanted to post the file as is first.
I will delete the other 2 and repost.
ASKER
BTW: that SmithFraudFix thing is really good!!
>>I was working on the initial couple of responses and it seemed like the more I followed the instructions and ran hijackthis, the more I saw same files you asked me to delete.<<
Hijackthis can't remove any entries that are part of an infection like Smitfraud infection, Vundo, Look2me etc, they just come back that's why another tool is always needed in those cases.
You can delete those 2 services via hijackthis too:
Open Hijackthis > Open Misc Tools Section > Open" Delete an NT Service"
In the new window, copy and paste or type each of the following into the Open field and hit OK
INETSVC
sqlsrvdaemon
Those services are not part of smitfraud but a remnant of rdriv, make sure that those files that says "file missing" are really missing(HJT bugs)
Let us know if you're still having problems.
Hijackthis can't remove any entries that are part of an infection like Smitfraud infection, Vundo, Look2me etc, they just come back that's why another tool is always needed in those cases.
You can delete those 2 services via hijackthis too:
Open Hijackthis > Open Misc Tools Section > Open" Delete an NT Service"
In the new window, copy and paste or type each of the following into the Open field and hit OK
INETSVC
sqlsrvdaemon
Those services are not part of smitfraud but a remnant of rdriv, make sure that those files that says "file missing" are really missing(HJT bugs)
Let us know if you're still having problems.
With all the help provided, I think these points should be raised :)
Browsing EE,
# Nerd
Browsing EE,
# Nerd
ASKER
I really don't need to be told that. They have done a great job and I should be grateful enough to raise the points on my own. Look at my threads; I have always done that.
ASKER
I thank you guys so very much. I believe the devils on the pc have been driven away!!
ASKER
I must say that I am deeply overjoyed by the overwhelming response. Thanks to all of you.
I have done all you asked but before I post current files, let me apologize for my late response.
I was working on the initial couple of responses and it seemed like the more I followed the instructions and ran hijackthis, the more I saw same files you asked me to delete.
I went to bed and on to work till now when I saw rpggamergirl's response.
After running SmithFraudFix, I noticed that the about.blank thing is gone but it appears that there are still some stuff left on HJT file.
Here are the 2 files:
SmithFraudFix log file followed by HJT log file
SmitFraudFix v2.56
Scan done at 20:11:37.21, Fri 06/09/2006
Run from C:\Documents and Settings\sam.IRS-GLCAHAXGX
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWA
"{CA14EE13-ED15-C4A2-17FF-
[HKEY_LOCAL_MACHINE\SOFTWA
"{cbb430e6-5b1b-474a-9d7e-
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\.protected Deleted
C:\WINDOWS\uninstDsk.exe Deleted
C:\WINDOWS\warnhp.html Deleted
C:\WINDOWS\system32\dcomcf
C:\WINDOWS\system32\oleext
C:\WINDOWS\system32\ot.ico
C:\WINDOWS\system32\regper
C:\WINDOWS\system32\simpol
C:\WINDOWS\system32\stdole
C:\WINDOWS\system32\ts.ico
C:\DOCUME~1\ALLUSE~1\DESKT
C:\DOCUME~1\ALLUSE~1\START
C:\Program Files\Security Toolbar\ Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 8:26:27 PM, on 6/9/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\csrss.
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\System32\svchos
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spools
C:\WINDOWS\System32\alg.ex
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.ex
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\slserv
C:\WINDOWS\System32\svchos
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTra
C:\WINDOWS\System32\ctfmon
C:\Program Files\a-squared\a2guard.ex
C:\Program Files\interMute\SpySubtrac
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\hjt\HijackThis.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.ex
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtrac
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2
O16 - DPF: {17492023-C23A-453E-A040-C
O16 - DPF: {30528230-99f7-4bb4-88d8-f
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLog
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.ex
O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: sqlsrvd (sqlsrvdaemon) - Unknown owner - C:\WINDOWS\_sqlexec.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe