Hi Friends,
I'm not having any symptoms of a problem, but admittedly haven't run a HT scan in several months. I notice 3 new items (016 DPF) which I can't identify. I don't really think I have a problem (and I'll post my log below), but hope you can educate me how to id these things, so I can do it myself, in the future.
Throughout a typical HT log, and for that matter, I've seen numerous filenames throughout my system, which consist of a sequence of 8 seemingly random numbers and uppercase letters followed by a dash, then sequence of 4, then another 4, then another 4, then 12, with a dash in between each set. And they're always enclosed with the mathematical kind of parentheses { }. Most of them have some regular words alongside, by which I can identify the file. But these 3 (016 DPF) items have no words. And there are countless files in my system which also have no words. How do I identify them, if it should become necessary? Other than running a search, locating its folder, and making an educated guess, I don't know how to id them.
Here's my log, and I'll make the 3 unknown items blue. (015 Trusted Zone items omitted to save space -- I put them all there myself, on purpose.)
Logfile of HijackThis v1.99.1
Scan saved at 9:19:02 AM, on 12/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\PROGRA~1\AVG\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\AVG\avgcc.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\Program Files\Green Eclipse\StickyPad\StickyPad.exe
C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\GlidePoint\glidesvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Hijack This\HT v1.99.1\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/SupportforChronicPain/welcome.msnw
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Restore Desktop] "C:\Program Files\Restore Desktop\Restore Desktop.exe"
O4 - HKCU\..\Run: [RestoreDesktop] C:\Program Files\Restore Desktop\RestoreDesktop.exe
O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\Green Eclipse\StickyPad\StickyPad.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Browser Start Page] http://groups.msn.com/SupportforChronicPain/welcome.msnw
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Shortcut to glidesvc.exe.lnk = C:\Program Files\GlidePoint\glidesvc.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
015 - Trusted Zone: approx 62 entries
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102567996858
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgemc.exe
O23 - Service: GlidePoint Touchpad Client (GlidePoint) - Cirque Corporation - C:\Program Files\GlidePoint\glidesvc.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
PS - Also, I did choose the Browser Start Page, it's not a hijack.
As always, thanks for your patience and help :D
Well, a couple of things.
The combination of letters, numbers and slashes you are referring to concerns the 'CLSID', the main purpose of which is to identify something. CLSID stands for Class ID. It is a 128 bit number that represents a unique ID for a software application or application component. It is used by Windows to identify software components without having to know their "name".
Microsoft provides a utility called GUIDGEN.EXE that generates these numbers. They are generated by using the current time, network adapter address (if present) and other items in your computer so that no two numbers will ever be the same.
The O16 items represent Downloaded Program Files. They can be 'fixed' by HJT without concern ... if a program needs the Active-X item and you have removed it, it will prompt you to re-download the item.
A good source of information/lookup for O16 CLSIDs is here: http://www.castlecops.com/atx-725.html
In your case, the three blue items refer to Symantec scanners, and would look something like this:
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll
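As an added example (not part of the original thread and not HijackThis code), the following script pulls the O16 entries out of a pasted HijackThis log, flags the ones with no name and no download URL, decodes the GUID version field, and lists the registry keys worth inspecting for each. The function names are hypothetical; the sample log is constructed from lines in this thread; the `Distribution Units` key is the standard location where Internet Explorer records downloaded ActiveX controls.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample: lines copied from the logs in this thread, including one
# entry hard-wrapped across three lines the way the second log was pasted.
SAMPLE_LOG = r"""
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File
Upload Control) -
http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

ENTRY_START = re.compile(r"^[A-Z]\d{1,2} - ")  # R0, O4, O16, ...
O16 = re.compile(
    r"^O16 - DPF: (\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"(?: \((.*?)\))? -\s*(.*)$"
)
# Version 1 GUID timestamps count 100 ns ticks from this date.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def unwrap(log_text):
    """Rejoin hard-wrapped entries: a line that does not start a new
    'O16 - ' style entry is appended to the previous logical line.
    (A URL or GUID broken mid-token would still need its space removed.)"""
    logical = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not logical:
            logical.append(line)
        else:
            logical[-1] += " " + line
    return logical


def parse_o16(log_text):
    """Return one dict per CLSID-style O16 entry in the log."""
    entries = []
    for line in unwrap(log_text):
        m = O16.match(line)
        if not m:
            continue
        clsid = m.group(1).upper()
        u = uuid.UUID(clsid)  # accepts the braces
        created = None
        if u.version == 1:  # time-based GUID: creation time is recoverable
            created = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        entries.append({
            "clsid": clsid,
            "name": m.group(2),
            "codebase": m.group(3).strip() or None,
            "version": u.version,
            "created": created,
            "registry_keys": [
                r"HKLM\SOFTWARE\Microsoft\Code Store Database"
                r"\Distribution Units\{}".format(clsid),
                r"HKCR\CLSID\{}".format(clsid),
            ],
        })
    return entries


def unnamed(entries):
    """Entries a log reader cannot identify: no class name and no URL."""
    return [e for e in entries if e["name"] is None and e["codebase"] is None]


if __name__ == "__main__":
    for e in unnamed(parse_o16(SAMPLE_LOG)):
        when = e["created"].date().isoformat() if e["created"] else "n/a"
        print(f'{e["clsid"]}  GUID v{e["version"]}  created: {when}')
        for key in e["registry_keys"]:
            print("    inspect:", key)
```

An entry that shows up here with neither name nor URL is one to look up by CLSID before deciding whether to fix it.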
Whoa!
I stopped using Norton/Symantec months ago, and thought I had finally gotten out all the little bits and pieces, which were left behind after uninstalling. I looked up some old scans, and even the scan immediately after uninstalling Norton, and installing my new AV and firewall, did not show these items. What could have caused them to show up again, after so long? I wonder why uninstalling did not remove them in the first place? Wow, well I will 'Fix' them right now!
Thanks for all the great info winchester :thanks:
norton is known to leave lots of goodies on your system after you "remove it"
but then again most programs leave some but they sure seem to leave more than others ;-D
a good reg cleaner can help with finding them
i've gotten the habit of running a reg cleaner after i have removed software and usually find one or two items
and i know of several that the first time ever they run a good reg cleaner it will find a few hundred
Hi, Brynn. See MVP Brian Bascon's pages:
http://basconotw.mvps.org/SymRem.htm (NIS/NSW/NAV 2006 and earlier-specific page)
http://basconotw.mvps.org/SymRem2.htm (NIS/NSW/NAV 2007-specific page)
http://basconotw.mvps.org/ (home)
Also see commonly used Symantec tools:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005103109480139
If this line is correct
015 - Trusted Zone: approx 62 entries
Then I would review my internet browser Trusted Zone entries to see if all the sites listed are one where I want them to have access to my machine with little or no security restrictions
Oh, sorry normmork, I haven't been online in a few days, so just now seeing your msg.
As I said, I personally approved and entered all those sites into my Trusted Zone. And I do go through, from time to time, and remove those I may have only needed for a short while. The reason there are so many, is that I keep my Internet Zone "locked down", ie everything is set to either Disable or Prompt. This is born of paranoia, so that I can surf the net without worry. (Please note that I have heard of Firefox and other browsers, as they have been recommended to me countless times. I do plan to download and use one or more of them, eventually. But obviously, not yet.) However, it also means that most websites will not "work". Thusly, they end up in my Trusted Zone. However, I have also personally configured my Trusted Zone too. So mine does not allow everything that the default settings allow. The only potentially dangerous setting which is set to Enable, is Active Scripting. Everything else with any potential to cause trouble is set to prompt. So I have to make a whole lot of conscious choices when surfing. The reason I don't have Scripting set to prompt, is that the vast majority of websites use javascript, which would mean constantly having to clear a dialog box for every page at these sites I want to visit. Therefore, I very carefully choose which sites to put in (or not to put in) my Trusted Zone.
In addition to the above, I follow safe surfing practices -- I don't go to sites with suspicious-sounding URLs, or URLs which don't at least partially describe the sites they are said to go to. For example, if the link is supposed to go to the American Cancer Society, I would expect the URL to include 'cancer', or 'acs', or something like that. If it doesn't, I think it's some sort of scam and I don't click on the link. I avoid porn sites, not that I would ever want to visit them anyway. I avoid using website services which require logging or signing in, when there is no forum, except when it's a well-known site, or I've investigated the URL, like Equifax, for example.
Anyway, I appreciate your concern and your comments. Thanks :D
Hi Friends,
Well, it seems these 3 files do not want to stay deleted. I've "Fixed" them 3 or 4 times, using HT. And the scans immediately following each fix, do not show them. But a couple of weeks later, they're back again.
I read the links Corrine posted, and found a couple of things lurking in my registry. But deleting them, following those instructions, has not ridded me of these 3 files showing up in my HT scans. Everything else recommended in the articles, I had already done.
So I'm wondering if I can employ Safe Mode, somehow, to permanently get rid of them? I remember trying to get my system cleaned of some nasties, a few years ago, that certain removals had to be done in safe mode, for reasons I trust, but don't understand (lol). And not understanding, I'm hesitant to experiment on my own.
Can someone either confirm that I should simply 1 - restart in Safe Mode, 2 - run HT, 3 - "Fix" the items, and then 4 - restart back into Normal Mode; or else tell me the proper steps for using Safe Mode in this situation?
Thanks for your help :D
Hi again,
It seems like my last message in this thread, which I posted over a month after the thread was apparently considered resolved, has been overlooked. Maybe I should have started a new thread, after so long? But obviously I thought it better to renew this thread.
Anyway, I would really appreciate a moment of someone's time, to guide me through what I sincerely hope will be the step which solves this problem for good.
I HAVE READ all the information found at the links provided in this thread. Unfortunately, none of the procedures for uninstalling Norton products have affected these 3 files, which keep reincarnating themselves, despite being "fixed" with HT.
Quote: Can someone either confirm that I should simply 1 - restart in Safe Mode, 2 - run HT, 3 - "Fix" the items, and then 4 - restart back into Normal Mode; or else tell me the proper steps for using Safe Mode in this situation?
And as always, thank you so much for your help and support!
All best.
Sure, you can try removing them in safe mode, but I'm not sure you will be successful. Let us know.
Guess it's time for Plan C....
The same 3 files are back again. Just like when I Fixed them in Normal Mode, when I fixed them in Safe Mode, they were gone for a while, but then some time later I find they are back again. And while I no longer need them, really they are not causing any harm. It just annoys me that I can't get rid of them!!
Does anyone know any special tricks....like this :Win73:, for example?!!
But seriously, I'm not averse to using the registry. I know most (if not all) professionals' advice is to never touch the registry. But I do not feel uncomfortable with it. I find its strict structure, organization and order....well, actually rather beautiful....in any case, aside from all the warnings about editing it, the registry does not intimidate me at all. And wouldn't that be the most direct way to get rid of these 3 files -- delete them from the registry directly??
But I would be open to any suggestions :D
Hi, Brynn. You're braver than I am. I don't like going near the registry.
How about a fresh HJT log, just so we can all be certain that we are on the same page.
Sorry for the delay in responding. Here's a fresh log, with Trusted Zone entries omitted, because there are so many. The 3 stubborn Norton files are in blue text. Somewhere or another, maybe earlier in this thread, someone mentioned that visiting the Symantec website might cause these files to appear. But since I last tried to remove them, I have definitely not visited Symantec.
Thanks so much for your help with this :D
Logfile of HijackThis v1.99.1
Scan saved at 8:05:04 PM, on 4/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\PROGRA~1\AVG\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\ltmsg.exe
C:\PROGRA~1\AVG\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinPatrol\winpatrol.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\GlidePoint\glidesvc.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\utilman.exe
C:\Program Files\GIMP\GIMP-2.0\lib\gimp\2.0\plug-ins\script-fu.exe
C:\Program Files\GIMP\GIMP-2.0\lib\gimp\2.0\plug-ins\script-fu.exe
C:\Program Files\GIMP\GIMP-2.0\lib\gimp\2.0\plug-ins\help.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HT v1.99.1\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/SupportforChronicPain/welcome.msnw
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Browser Page] http://groups.msn.com/SupportforChronicPain/welcome.msnw
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [RestoreDesktop] C:\Program Files\Restore Desktop\RestoreDesktop.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Shortcut to glidesvc.exe.lnk = C:\Program Files\GlidePoint\glidesvc.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102567996858
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{87C79C23-3A82-4550-8611-418A1B4321BA}: NameServer = 207.69.188.185 207.69.188.186
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgemc.exe
O23 - Service: GlidePoint Touchpad Client (GlidePoint) - Cirque Corporation - C:\Program Files\GlidePoint\glidesvc.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
Although I've said it before, I will repeat it anyway ;) -- when it comes to the Trusted Zone, I personally don't want anything there. Any site can become infected. See, for example, what happened to the Microsoft IEAK website: http://msmvps.com/blogs/spywaresucks/archive/2007/04/29/882849.aspx
Do you have a folder where you store files you have downloaded from the internet? If so, check there to make sure all Norton downloaded files/folders have been removed. Check also that the folder in Program Files has been removed. Although I wouldn't expect the downloaded program files to return, have you used System Restore?
Otherwise, I would suggest that you start here http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606?OpenDocument&seg=hm
and scroll down to the bottom; there you will find links to remove newer versions of the antivirus program.
Also see commonly used Symantec tools:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005103109480139
Here's another page that may be of interest:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2001011116210048?OpenDocument&seg=hm
Finally, see MVP Brian Bascon's pages:
http://basconotw.mvps.org/SymRem.htm (NIS/NSW/NAV 2006 and earlier-specific page)
http://basconotw.mvps.org/SymRem2.htm (NIS/NSW/NAV 2007-specific page)
http://basconotw.mvps.org/ (home)
Ah well :(
Thanks for trying, anyway, Corrine.
You had posted the links to Brian Bascom's site in an earlier message in this thread. I did peruse them all, at that time, and tried those recommendations I had not already tried, but these files persisted.
I perused Symantec Support as well, and even used Symantec's own removal tools. I ran them 2 or 3 times but they did not remove these files (although they did remove their contents).
System Restore is not an option, as I would have to go back to....well, actually a trial version of Norton AV came pre-installed on my machine. System Restore would wipe out everything I've ever done on this computer!
Maybe I should also mention that I've used CCleaner, for other issues, which theoretically should have removed them. But it didn't. Are there any DPF's which CCleaner doesn't reach?
Regarding the Trusted Zone, I personally configured my Web Content/Security Zones, following Eric Howes instructions, as I think I also mentioned in an earlier message in this thread. In fact, I was hesitant, at first, to bother with it, but was urged by security professionals to use these Zones for improved security. (possibly at aumha.org, can't remember for sure, it's been quite a while ago) I can't remember if "locking down" IE was mentioned by Eric Howe, or another security professional, but I did get the idea from a professional.
So in my Restricted Zone, all settings are disabled. The settings in my Internet Zone look a lot like the default Restricted Zone. The only settings not Disable or Prompt are:
-- Automatic prompting for Active X Controls.
-- Automatic prompting for file downloads.
-- Submit non-encrypted form data.
Ditto for my Trusted Zone, except the following:
-- File download.
-- Enable .NET Framework setup. (to be honest, this is new in IE7, and I have not looked up the proper level for this setting yet)
-- Allow META REFRESH.
-- Allow drag and drop, copy and paste.
-- Active Scripting.
These are set to Enable, as well as the same 3 in the Internet Zone.
And there's no way around these -- I think every website on the internet must use javascript. But without allowing Active Scripting, certain links don't work, and sometimes certain content is entirely missing. Sometimes entire websites are full of blank pages. I could set it to prompt, but I'm telling you, I would spend 80% of my time on the internet clearing the prompts. Believe me, I've tried Prompt, but it's a nightmare! To my knowledge, Allowed is the default setting for the Internet Zone, isn't it? I could disable Drag and drop, copy and paste, but then the copy and paste buttons don't work in forums. Granted I don't need File Download at every Trusted Zone site, but there is no Prompt setting available, and no other way to download programs, unless I change the setting every time I want to download something.
If there's a better way around using these Web Content/Security Zones, please tell me what it is. But to my knowledge, having IE locked down is the safest alternative. Honestly, I'm aware that most people don't use these Zones, and I don't know how they get away with it. How do they do it?
Otherwise, I guess I'm stuck with these 3 Norton/Symantec files, unless someone can tell me how to find them in the registry. I mean, they are empty, so they're not hurting anything. As I said, it just annoys me! Btw, I do respect all the warnings I hear about going into the registry, and won't search them out on my own.
Thanks again, Corrine :flowers:
Have you searched for Symantec on your hard drive? Those items are the headers from Downloaded files. The Symantec removal tool cleans up the registry but not any folders or sub folders, these have to be done manually.
Hi MikeW,
Yes, I had previously searched for 'Symantec', 'Norton', and even 'Sym' in the filenames, but the searches did not locate these 3 files. But, at your suggestion, I searched again, and surprisingly found a few odd files here and there. For example, a screen shot I had made to send tech support a couple of years ago, which happened to have "Symantec" in it, a couple of old logs, and parts of the SymNRT removal tool. Plus as expected, all the scans I've saved.
I've even searched with the exact strings of letters and numbers, but Windows Explorer just says 'No results to display.' And I double- and triple-checked the "spelling", plus I copied and pasted the name, to make sure I got it right. And I made sure to show hidden files before searching. But these folders appear not to be in my system....yet clearly, we know that they are....somewhere. I just don't get why they can't be found????
I don't get why a search doesn't reveal their location, and I don't get why HT can't permanently remove them.
Oh! Say, I wonder if a different spyware removal tool might be more successful??? I don't routinely save scans of others, besides HT, so I'll go ahead and save a scan from CWShredder, Ad-Aware, Spybot S&D. Maybe there is some way to use their removal tools? Although, I'm not sure I can use them if the program doesn't recognize these files as malware.
Well, I'll see if I can learn anything about this idea, and I'll post if I have any luck. Meanwhile, I certainly would welcome any other ideas or comments. Thank you all very much for your help and especially for your patience :D
Hi, Brynn. I thought of you when I read Sandi's latest blog entry -- not related to Symantec, but of interest -- "IE with Outlook - When typing a new email in Outlook, or replying to an email, in html format there is a significant delay from when the letters are typed to when they appear on the screen" (http://msmvps.com/blogs/spywaresucks/archive/2007/05/13/901386.aspx). Note, in particular what she writes about the Restricted Zone.
Hi again Corrine. Thanks for thinking of me :D
I read the blog entry, but I'm not quite connecting its relevance to this thread. My brain's not all on, at the moment, I guess. But a really LOT of people use the Restricted Zone, don't they? Through IE-SpyAd, Spybot S&D, SpywareBlaster, and maybe Ad-Aware, I'm not positive about Ad-Aware. And maybe some other programs.
I mean, I understand the point, that the number of bad sites is probably infinite. And eventually the space that a list of them takes up could become a problem -- case in point, the typing issue in Outlook mentioned in the blog. (Although I do not understand why Outlook scans the list of Restricted Zones with every keystroke....what's the purpose? I know I'm no techie, but fixing Outlook seems to be the appropriate option, to me.)(Not that I even use Outlook.) But what's a gal to do? I really, really appreciate seeing that little Restricted Zone icon that shows up on the bottom of IE windows when I stray onto a bad site. While a lot of them are obvious "danger zones", some of them look like normally safe sites.
Regarding those stubborn O16 items ...
My personal opinion is that while it would be nice to get rid of them, they aren't really much of a problem since we/you know what they belong to.
HijackThis attempts to delete O16 items from your hard drive, and while this is not normally difficult, there are times that it is not able to delete the offending file. Most times, rebooting into safe mode and deleting will work, but apparently you have found the exception ... 8)
If it were my computer, I wouldn't sweat it.
Yeah, thanks winchester. That has been my conclusion as well. The files are empty and they're not causing any trouble.
However, something about the wording of your comments reminds me of a time, before LzD ever existed, when I had some difficult-to-remove malware. Actually it was on the old Lavasoft forums -- the tech person who was helping me said that sometimes Tea Timer (in Spybot S&D) interferes with HijackThis removing files. He had me to disable Tea Timer, then go to Safe Mode and Fix with HT. And it worked!
Well, it sure won't hurt to try it ;) Thanks for your comments. I'll let you know if it works.
Any real time monitor can potentially interfere. Worth a shot. :thumbsup:
Quote: it was on the old Lavasoft forums -- the tech person who was helping me
:lol: That was more than likely Winchester or SpyDie as they provided most of the assistance there.
Hhmmm, I don't remember the name of the person who helped me back then. But I don't think it was winchester or SpyDie....unless they used a different name on that forum. For some reason I'm thinking it started with 'n'. And by the grammar he or she used, I had the impression they were not American. Beyond that, I don't remember.
Hey, good news!!
Looks like disabling TeaTimer before removing the files worked. Well, it's so far, so good, anyway. But usually the files would have reappeared by now, in previous 'Fixing' attempts. But no sign of them. So
:gwave:
Thank you all SO MUCH for your patience, and for your help with this really insignificant problem. I can say from experience that most security support forums would have ignored it. That's what's so great about LzD -- staff and members care more about helping people, than flexing their tech muscles. Although they surely are extremely strong, with respect to the latter!
:thanks:
Begins with an 'n' could only be one person and that is our Normmork (http://www.landzdown.com/index.php?action=profile;u=12)!
Quote: That's what's so great about LzD -- staff and members care more about helping people
Brynn,
you are an important part of the LzD community too. :rose:
I'm glad this problem was solved. Next . . . :D