Win 2000 and runmgr.exe

Hi,

Could somebody help in the following case?

One day, after a PC restart, I received a popup with a message that runmgr.exe has an application error: "The instruction at "0x0040b22f" referenced memory at "0xbd00bd0f9". The memory could not be read. Click OK to terminate the program."

It exists as C:\runmgr.exe and is created again after deleting it and restarting the PC. My PC is very old, with Windows 2000 Professional. My McAfee 8.5 Enterprise cannot detect it. Same story with SuperAntiSpyware.

Please advise what I can do now...

Thank you all.

Comments

  • edited July 2008
    Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.

    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. If you don't know, stop and ask! Don't keep going on.
    2. Please reply to this thread. Do not start a new topic.
    3. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those three things, everything should go smoothly :D

    Please Note, your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe



    Click here to download HJTinstall.exe
    • Save HJTinstall.exe to your desktop.
    • Double click on the HJTinstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\Hijack This.
    • Click I accept
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.



    Installed Programs

    Please could you give me a list of the programs that are installed.
    • Start HijackThis
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.

    You will see a list with the programs installed in your computer.
    Click on save list button and specify where you would like to save this file.
    When you press Save button a notepad will open with the contents of that file.
    Simply copy and paste the contents of that notepad into your next post.
  • edited July 2008
    Hi Katana,

    It is nice to meet you here, and thank you for your help.
    Here are the two lists you asked for:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:40:23 PM, on 7/6/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\PROGRA~1\NORTON~1\System\SDSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\drivers\trcboot.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Personal Communications\PCS_AGNT.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\atiptaxx.exe
    C:\Program Files\Touchpad\Gesture.exe
    C:\WINNT\system32\glidew32.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\winhet.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\HPJETDSC.EXE
    C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbcnews.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [CirqueGesture] C:\Program Files\Touchpad\Gesture.exe
    O4 - HKLM\..\Run: [Glide] glidew32.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [NvGraphicsInterface] C:\winhet.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINNT\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINNT\system32\shdocvw.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{89F6D34A-793E-4EE6-950E-31FB2C0FA477}: NameServer = 167.206.112.4,167.206.112.138
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 172.18.1.100 172.18.1.150
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 172.18.1.100 172.18.1.150
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 172.18.1.100 172.18.1.150
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Shiva VPN Client (ICService) - Unknown owner - C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Norton SpeedDisk - Unknown owner - C:\PROGRA~1\NORTON~1\System\SDSRV.EXE
    O23 - Service: TrcBoot - Unknown owner - C:\WINNT\System32\drivers\trcboot.exe
    --
    End of file - 6234 bytes


    Please don't worry :confused: about "??ee Aecai?" and "Aeaenaia? Aaee?" - they are Russian programs - actually they are 2 special audio players for famous Russian singers...

    ??ee Aecai?
    Adobe Acrobat 6.0 Professional - English, Francais, Deutsch
    Adobe Flash Player ActiveX
    Adobe Photoshop 5.5
    Aeaenaia? Aaee?
    AFPL Ghostscript 7.30
    AFPL Ghostscript Fonts
    ATI Multimedia Center
    ATI Win2k Display Driver
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Web Player
    EPSON Printer Software
    Google Earth
    Google Toolbar for Internet Explorer
    Google Toolbar for Internet Explorer
    GSview 4.3
    HijackThis 2.0.2
    Hotfix for MDAC 2.53 (KB911562)
    Hotfix for MDAC 2.53 (KB927779)
    IBM Personal Communications
    Internet Explorer Q903235
    InterVideo WinDVD
    iPod for Windows 2005-02-22
    ItsDeductible Express
    iTunes
    Mathematica 5
    McAfee VirusScan Enterprise
    Microsoft Data Access Components KB870669
    Microsoft Office 2000 SR-1 Premium
    Microsoft Office Standard Edition 2003
    Microsoft Visual Studio 6.0 Enterprise Edition
    Microsoft Web Publishing Wizard 1.53
    Microsoft Windows 2000 Professional Resource Kit
    MiKTeX
    Norton Utilities for Windows NT
    OLYMPUS CAMEDIA Master 4.2
    Origin Evaluation Copy
    PaperPort 6.5
    PicPerk 4.3
    PowerDVD
    QuickTime
    RealPlayer
    RegistryFix v6.2
    Remote Desktop Connection
    Security Update for DirectX 9 (KB951698)
    Security Update for Windows 2000 (KB904706)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 6.4 (KB925398)
    Shiva VPN Client
    Shockwave
    SSH Secure Shell
    SUPERAntiSpyware Free Edition
    Touchpad
    TurboTax Deluxe 2003
    TurboTax ItsDeductible 2006
    TurboTax Premier 2004
    TurboTax Premier Investments 2006
    Update Rollup 1 for Windows 2000 SP4
    VIAhm
    Visioneer 4400 Scanner
    VPN Client
    WexTech AnswerWorks
    Windows 2000 Hotfix - KB329115
    Windows 2000 Hotfix - KB833407
    Windows 2000 Hotfix - KB842773
    Windows 2000 Hotfix - KB883939
    Windows 2000 Hotfix - KB890046
    Windows 2000 Hotfix - KB893756
    Windows 2000 Hotfix - KB894320
    Windows 2000 Hotfix - KB896358
    Windows 2000 Hotfix - KB896422
    Windows 2000 Hotfix - KB896423
    Windows 2000 Hotfix - KB896424
    Windows 2000 Hotfix - KB896688
    Windows 2000 Hotfix - KB897715
    Windows 2000 Hotfix - KB899587
    Windows 2000 Hotfix - KB899589
    Windows 2000 Hotfix - KB900725
    Windows 2000 Hotfix - KB901017
    Windows 2000 Hotfix - KB901214
    Windows 2000 Hotfix - KB902400
    Windows 2000 Hotfix - KB904368
    Windows 2000 Hotfix - KB905414
    Windows 2000 Hotfix - KB905495
    Windows 2000 Hotfix - KB905749
    Windows 2000 Hotfix - KB908519
    Windows 2000 Hotfix - KB908523
    Windows 2000 Hotfix - KB908531
    Windows 2000 Hotfix - KB911280
    Windows 2000 Hotfix - KB911567
    Windows 2000 Hotfix - KB912919
    Windows 2000 Hotfix - KB913580
    Windows 2000 Hotfix - KB914388
    Windows 2000 Hotfix - KB914389
    Windows 2000 Hotfix - KB916281
    Windows 2000 Hotfix - KB917008
    Windows 2000 Hotfix - KB917736
    Windows 2000 Hotfix - KB917953
    Windows 2000 Hotfix - KB918118
    Windows 2000 Hotfix - KB920213
    Windows 2000 Hotfix - KB920670
    Windows 2000 Hotfix - KB920683
    Windows 2000 Hotfix - KB920685
    Windows 2000 Hotfix - KB921398
    Windows 2000 Hotfix - KB922582
    Windows 2000 Hotfix - KB923191
    Windows 2000 Hotfix - KB923414
    Windows 2000 Hotfix - KB923810
    Windows 2000 Hotfix - KB923980
    Windows 2000 Hotfix - KB924270
    Windows 2000 Hotfix - KB924667
    Windows 2000 Hotfix - KB925902
    Windows 2000 Hotfix - KB926122
    Windows 2000 Hotfix - KB926436
    Windows 2000 Hotfix - KB927891
    Windows 2000 Hotfix - KB928843
    Windows 2000 Hotfix - KB930178
    Windows 2000 Hotfix - KB931784
    Windows 2000 Hotfix - KB933729
    Windows 2000 Hotfix - KB935839
    Windows 2000 Hotfix - KB935840
    Windows 2000 Hotfix - KB936021
    Windows 2000 Hotfix - KB937894
    Windows 2000 Hotfix - KB938127
    Windows 2000 Hotfix - KB938827
    Windows 2000 Hotfix - KB941202
    Windows 2000 Hotfix - KB941644
    Windows 2000 Hotfix - KB941693
    Windows 2000 Hotfix - KB943055
    Windows 2000 Hotfix - KB943485
    Windows 2000 Hotfix - KB944338
    Windows 2000 Hotfix - KB945553
    Windows 2000 Hotfix - KB948590
    Windows 2000 Hotfix - KB950749
    Windows 2000 Hotfix - KB950759
    Windows 2000 Hotfix - KB950760
    Windows Installer 3.1 (KB893803)
    Windows Media Player 7
    Windows Media Player Hotfix [See Q828026 for more information]
    WinZip
    Wolfram Mathematica 6
    Wolfram Notebook Indexer 2.0

    Sincerely,
    pgmigg
  • edited July 2008
    I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.
    The infection is delivered by C:\winhet.exe == Troj/Bckdr-QKI
    Troj/Bckdr-QKI is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

    It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
    IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

    We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

    The Decision Whether to ReFormat or Not should be based on:
    • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
    • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have a Backdoor Trojan, the worst kind.

    If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
    • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
    • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
    • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
      Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
    • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
    • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
    • Take any other steps you think appropriate for an attempted identity theft.

    While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
    Please let me know what you decide.
  • edited July 2008
    Thank you so much for your quick answer and detailed recommendations.

    I decided that re-formatting is the last action I can take, and before that I would like to try to clean it.

    So I:
    - killed the winhet.exe process;
    - removed the item that set it to start up when the PC boots, using RegistryFix;
    - ran old Norton Commander from Safe Mode with Command Prompt, opened winhet.exe in the NC viewer in Hex mode, and wrote down the executable's signature somewhere;
    - deleted C:\winhet.exe;
    - searched all libraries and executables (fortunately this PC has only one drive, C:, and it is small - 30GB) and found one more instance of the original source, C:\WINNT\system32\LCXTAJIW.EXE, which had the same signature;
    - deleted it as well;
    - ran the registry editor and searched for all occurrences of 'winhet' and 'lcxtajiw' - deleted all that were found;
    - ran RegistryFix in ScanNow... mode;
    - repeated the same steps for runmgr.exe and nLogon.exe;
    - rebooted the PC.

    I hope that this machine is now clean and disinfected... :scratch:

    Katana,

    Could you please recommend a way to check that PC to be sure that every bad boy is gone?

    Sincerely,
    pgmigg
  • edited July 2008
    Katana wrote:
    but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.
    It is your choice, as long as you are aware of the above
    pgmigg wrote:
    - run old Norton Commander from SaveMode with CommandPrompt mode, opened winhet.exe by NC viewer in Hex mode, and wrote executable signature somewhere;
    - searched all libraries and executables and found one more instance of original source
    - run registry editor and searched for all occurrences of 'winhet', 'lcxtajiw' -
    Why on earth do you need my help if you can do all that ????? :wow2:
    Are you interested in helping on the forums ?




    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    Post the log from ComboFix when you've accomplished that

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper



    Kaspersky Online Scanner .
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
    NOTE:- This scan is best done from IE (Internet Explorer)

    Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

    Read the Requirements and limitations before you click Accept.
    Allow the ActiveX download if necessary
    Once the database has downloaded, click Next.
    Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    Click on "My Computer" and then put the kettle on!
    When the scan has completed, click Save Report As...
    Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

    Please post both logs in your reply

  • edited July 2008
    You can still post the ComboFix and Kaspersky logs here :)
  • edited July 2008
    Congratulations your logs look clean :D

    Let's see if I can help you keep it that way

    First lets tidy up :D


    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

    You can also delete any logs we have produced, and empty your Recycle bin.




    The following is some info to help you stay safe and clean.
    ( Vista users must ensure that any programs are Vista compatible BEFORE installing )

    You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

    Online Scanners
    I would recommend a scan at one or more of the following sites at least once a month.

    http://www.pandasecurity.com/activescan
    http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

    !!! Make sure that all your programs are updated !!!
    Secunia Software Inspector does all the work for you, .... see HERE for details

    AntiSpyware
      AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have free (for home users) and paid versions;
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
    • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites

    • MalwareBytes Anti-malware <<< A New and effective program
    • a-squared Free <<< A good "realtime" or "on demand" scanner
    • superantispyware <<< A good "realtime" or "on demand" scanner



    Prevention
      These programs don't detect malware; they help stop it getting on your machine in the first place. Each does a different job, so you can have more than one.
    • Winpatrol
      • An excellent startup manager and then some !!
      • Notifies you if programs are added to startup
      • Allows delayed startup
      • A must have addition
    • SpywareBlaster 4.0
      • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    • SpywareGuard 2.2
      • SpywareGuard provides real-time protection against spyware.
      • Not required if you have other "realtime" antispyware or Winpatrol
    • ZonedOut
      • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
    • MVPS HOSTS
      • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
      • For information on how to download and install, please read this tutorial by WinHelp2002.
      • Not required if you are using other host file protections


    Internet Browsers
      Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys. Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available



    Cleaning Temporary Internet Files and Tracking Cookies
      Temporary Internet Files are mainly the files that are downloaded when you open a web page. Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware. It is a good idea to empty the Temporary Internet Files folder on a regular basis. Tracking Cookies are files that websites use to monitor which sites you visit and how often. A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
      CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords.
      Both of these can be cleaned manually, but a quicker option is to use a program:
    • ATF Cleaner
      • Free and very simple to use
    • CCleaner
      • Free and very flexible, you can choose which cookies to keep


    Also PLEASE read this article.....So How Did I Get Infected In The First Place

    The last and most important thing I can tell you is UPDATE.
    If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
    Malware changes on a day to day basis. You should update every week at the very least.

    If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


    Happy surfing K'
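Katana's description of a hosts file as a phone book that can be pointed at a harmless address to block a site can be shown with a small parser. The Python below is an added example written for this page, not code from Spybot, MVPS HOSTS or anyone in the thread; the hosts excerpt is constructed with placeholder `.invalid` names. It also shows a limit the thread does not mention: hosts entries are exact-name matches, so a subdomain that is not listed is not blocked.

```python
from typing import Dict, Optional

# Constructed hosts-file excerpt in the usual format: comment lines, blank
# lines, and "address name [alias ...]" lines. The names are invented
# placeholders, not taken from any real blocklist.
SAMPLE_HOSTS = """\
# Constructed sample, not the real MVPS list
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.invalid   # inline comment
0.0.0.0         banner.example-tracker.invalid www.banner.example-tracker.invalid

127.0.0.1       malware-dropper.example.invalid
"""

# Addresses a blocklist points unwanted names at so the connection goes nowhere.
BLACKHOLE = {"0.0.0.0", "127.0.0.1"}
# Names that legitimately map to loopback and must not count as "blocked".
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address the file assigns it."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # an address with no names is not a usable entry
            continue
        addr, *names = parts
        for name in names:
            # First entry for a name wins, as the Windows resolver does.
            table.setdefault(name.lower(), addr)
    return table


def resolve(table: Dict[str, str], hostname: str) -> Optional[str]:
    """Address from the hosts file, or None if the name falls through to DNS."""
    return table.get(hostname.lower().rstrip("."))


def is_blocked(table: Dict[str, str], hostname: str) -> bool:
    """True when the file pins a remote name to a blackhole address.

    Matching is exact: 'cdn.ads.example-tracker.invalid' is not covered by an
    entry for 'ads.example-tracker.invalid'.
    """
    name = hostname.lower().rstrip(".")
    if name in LOCAL_NAMES:
        return False
    return resolve(table, name) in BLACKHOLE


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for probe in ("ads.example-tracker.invalid", "cdn.ads.example-tracker.invalid", "localhost"):
        print(f"{probe}: resolves to {resolve(hosts, probe)}, blocked={is_blocked(hosts, probe)}")
```

The exact-match behaviour is why blocklists such as MVPS HOSTS grow so long: every subdomain an advertiser uses needs its own line, and anything not listed still resolves normally through DNS.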
  • edited July 2008
    I would like to talk a little about compatibility problems between defense software (like that recommended by Katana) and the "day-to-day applications" for which we actually use computers.

    For various reasons, two days per week I work from home, remotely on my office computer. Our company requires the use of Shiva VPN Client (for the last few years it was ver. 8.42, build #081007-1451, 168-bit 3DES) on Windows XP Pro SP2 machines. Another requirement is McAfee VirusScan Enterprise 8.5.0i or 8.0.

    Unfortunately, Spybot S&D (at that time v1.3) was incompatible with the combination of my VPN and McAfee. Connection via this VPN client froze forever at the step where the VPN channel was first negotiated with the host IP. The problem was related to some incompatibility between an active Spybot with Registry Guard 'On' and Shiva VPN. It was found after many experiments installing and uninstalling all three in different combinations with different settings, and long conversations between the technical support of Eicon Corp. (VPN), McAfee, Spybot and me. Nobody could find out exactly what was wrong, but after I uninstalled Spybot all my connection problems were gone.

    I asked my workmates and we found at least four more cases exactly like mine. The internal manual for remote connection in our company now contains notes about this potential problem.

    Now I use a combination of SUPERAntiSpyware and RegistryFix (usually once per month) and am happy…

    -- pgmigg
  • edited July 2008
    The problem you describe arises because the tools we use and recommend are for "Home Users Only".
    Machines that are connected to office networks usually have the company's own security software and safeguards in place.

    The "Registry Guard" (Teatimer) module of Spybot S&D is used to stop malware from changing registry settings without you knowing about it.
    Without knowing all the details of the Shiva VPN Client, I can't say why this would interfere.
    However, the Teatimer can be turned on or off, so you could have still used the on demand scanner section of S&D.

    This type of incompatibility will always occur, because the entire point of security programs is to stop other programs from doing things that might be dangerous.
    Malware changes at an alarming rate, so to try and keep up with the different varieties security programs have to use a two-layered approach:
    1) Virus/spyware definitions in a database, i.e. a list of known nasties
    2) "Heuristics", which look for suspicious behaviour.

    I hope this helps/explains things a bit better :)
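The two-layer approach Katana describes (a list of known nasties plus heuristics for suspicious behaviour) is also how a helper reads the O4 start-up lines in a HijackThis log like the one posted earlier in this thread, where the `C:\winhet.exe` Run entry stood out. The Python below is an added example written for this page, not HijackThis code and not anything the helper ran; the sample lines are constructed (most are copied from the posted log, the `LCXTAJIW.EXE` Run entry is invented since the log showed none), and the "known bad" names come only from what this thread reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the O4 format HijackThis uses. Lines 1-5 are copied
# from the log in this thread; the last line is invented to stand in for the
# second copy the poster found in system32 (the log had no Run entry for it).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\\..\\Run: [ShStatEXE] "C:\\Program Files\\McAfee\\VirusScan Enterprise\\SHSTAT.EXE" /STANDALONE
O4 - HKLM\\..\\Run: [NvGraphicsInterface] C:\\winhet.exe
O4 - HKCU\\..\\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - Global Startup: CAMEDIA Master.lnk = C:\\Program Files\\OLYMPUS\\CAMEDIA Master 4.2\\CM_camera.exe
O4 - HKLM\\..\\Run: [Loader] C:\\WINNT\\system32\\LCXTAJIW.EXE
"""

# Layer 1, "signatures": file names this thread reports as malicious.
KNOWN_BAD = {"winhet.exe", "runmgr.exe", "nlogon.exe", "lcxtajiw.exe"}

# O4 lines come in two shapes: registry Run keys and Startup-folder shortcuts.
RUN_KEY = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# The executable is the (optionally quoted) prefix of the command up to its extension.
EXE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|bat|cmd))"?', re.IGNORECASE)


@dataclass
class Finding:
    name: str       # the Run value name or shortcut name
    path: str       # executable as written in the log
    reasons: List[str]


def executable_of(cmd: str) -> Optional[str]:
    m = EXE.match(cmd.strip())
    return m.group("path") if m else None


def heuristics(path: str) -> List[str]:
    """Layer 2: simple behavioural tells, deliberately crude (see usage note)."""
    reasons = []
    filename = path.rsplit("\\", 1)[-1]
    stem = filename.rsplit(".", 1)[0]
    if re.fullmatch(r"[A-Za-z]:\\[^\\]+", path):
        reasons.append("executable sits directly in the drive root")
    if re.fullmatch(r"[A-Z]{8}", stem):
        reasons.append("8-letter upper-case name looks machine-generated")
    return reasons


def triage(log: str) -> List[Finding]:
    """Return every O4 entry that hits the signature list or a heuristic."""
    findings = []
    for line in log.splitlines():
        m = RUN_KEY.match(line) or STARTUP.match(line)
        if not m:
            continue
        path = executable_of(m.group("cmd"))
        if path is None:
            continue
        reasons = []
        if path.rsplit("\\", 1)[-1].lower() in KNOWN_BAD:
            reasons.append("matches a name reported as malicious")
        reasons += heuristics(path)
        if reasons:
            findings.append(Finding(m.group("name"), path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.name}] {f.path}: " + "; ".join(f.reasons))
```

Note what the heuristic layer does to `HPJETDSC.EXE`: it is a legitimate HP tool in the posted log, but its eight-capital-letter name trips the same rule that catches `LCXTAJIW.EXE`. That false positive is the everyday cost of heuristics, and it is why the helper asked to see the log rather than letting HijackThis "fix" everything it lists.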
  • edited July 2008
    Thank you, Katana!

    I see here at least two more things.

    The sentence below is not 100% true (I am sorry :D), because Teatimer has a setting to turn on/off the notification about every attempted registry change, so the user may or may not know about it.

    Katana wrote:
    The "Registry Guard" (Teatimer) module of Spybot S&D is used to stop malware from changing registry settings without you knowing about it.


    One of the first things done at that time was switching off Teatimer, but nothing changed. I think that Teatimer is the best part of Spybot, because every piece of malware, or any "right" software, must one way or another change registry settings (installation process), and Spybot allows making the right decision (every user hoped :rolleyes: that it was really "right") by analyzing the Teatimer notification.

    Katana wrote:
    However, the Teatimer can be turned on or off, so you could have still used the on demand scanner section of S&D.


    Sincerely,
    pgmigg
  • edited July 2008
    The sentence below is not 100% true (I am sorry :D), because Teatimer has a setting to turn on/off the notification about every attempted registry change, so the user may or may not know about it.


    True, you can set the notification to on or off, but first you have to tell Teatimer what action to take if it detects a change.
    If you don't pick an option (allow or deny) then you will get a notification.
    So really, you do know. You have either allowed changes all the time or denied them :)

    One of the first things done at that time was switching off Teatimer, but nothing changed

    Teatimer is the only "active" part of Spybot; if it was turned off I don't see how Spybot could have interfered.
    BUT, since I have no idea about Shiva VPN Client, I probably never will :bigggrin:


  • edited July 2008
    Hi Katana,

    You should know about the last (and I hope final) act of my personal battle against winhet.exe.

    After my successful removal of it a few days ago, I restarted that PC a few times, and all of them were done with the network cable unplugged, as far as I could tell. Today I started it with the network connected and was surprised to see that winhet.exe had returned as a running process and as a file in C:\.

    Well, I said to myself, and changed tactics...

    - I removed the startup point with RegistryFix and killed the process.
    - I renamed "winhet.exe" to "winhetexe", opened it in the Norton Commander editor and randomly changed several bytes, but I monitored the file size the whole time.
    - I overwrote the first few bytes, the last few bytes, and a few more spots with garbage data.
    - I renamed it back to its original name and made it "read-only".
    - I searched the registry for "NvGraphicsInterface" and deleted two keys with this name, which was the Program Name shown by RegistryFix.
    - I restarted the PC for the first time, and during Windows loading, after login, winhet.exe tried to run in a black cmd.exe window but unsuccessfully. That time, Windows Task Manager said that the application cmd.exe was not responding.
    - I ran RegistryFix again and removed the "winhet" startup point.
    - I restarted the PC a few times after that, with and without network. Everything was working properly, and Kaspersky Scan said it was OK too...

    But the corrupted read-only winhet.exe exists on C:\!

    What do you think? Could you please comment on it?

    -- pgmigg
  • edited July 2008
    Let's try the ComboFix scan since you didn't post the log

    Make sure that you have deleted any copy of ComboFix that you may still have


    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper
  • edited July 2008
    Unfortunately, I don't have the original CD with Windows 2000 Pro, and I am not sure that I could install the Recovery Console as the Bleeping Computer ComboFix tutorial requires.

    Anyway I will think about it tomorrow...

    Thank you,
    pgmigg
  • edited July 2008
    Run this tool instead then


    Deckard's System Scanner (DSS)

    Please download Deckard's System Scanner (DSS) to your Desktop.
    Note: You must be logged onto an account with administrator privileges.
    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.
  • edited July 2008
    Hi Katana,

    Per your request I have placed the two DSS logs here:

    main.txt
    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-07-13 11:12:12
    Computer is in Normal Mode.
    Backed up registry hives.
    Performed disk cleanup.

    -- HijackThis (run as Administrator.exe)
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:12:42 AM, on 7/13/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\PROGRA~1\NORTON~1\System\SDSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\drivers\trcboot.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Personal Communications\PCS_AGNT.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\atiptaxx.exe
    C:\Program Files\Touchpad\Gesture.exe
    C:\WINNT\system32\glidew32.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\HPJETDSC.EXE
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
    C:\Documents and Settings\Administrator\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbcnews.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [CirqueGesture] C:\Program Files\Touchpad\Gesture.exe
    O4 - HKLM\..\Run: [Glide] glidew32.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINNT\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINNT\system32\shdocvw.dll
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
    O17 - HKLM\System\CCS\Services\Tcpip\..\{89F6D34A-793E-4EE6-950E-31FB2C0FA477}: NameServer = 167.206.112.4,167.206.112.138
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Shiva VPN Client (ICService) - Unknown owner - C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Norton SpeedDisk - Unknown owner - C:\PROGRA~1\NORTON~1\System\SDSRV.EXE
    O23 - Service: TrcBoot - Unknown owner - C:\WINNT\System32\drivers\trcboot.exe
    --
    End of file - 6945 bytes
    -- File Associations
    .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .js - JSFile - DefaultIcon - C:\WINNT\System32\WScript.exe,3
    .js - JSFile - shell\open\command - C:\WINNT\System32\WScript.exe "%1" %*
    .vbs - VBSFile - DefaultIcon - C:\WINNT\System32\WScript.exe,2
    .vbs - VBSFile - shell\open\command - C:\WINNT\System32\WScript.exe "%1" %*
    .vbs - VBSFile - shell\edit\command - C:\WINNT\System32\Notepad.exe %1

    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    R1 ICsrvr (VPN Client Protocol) - c:\winnt\system32\drivers\icsrvr.sys <Not Verified; ; VPN Client (Windows 2000)>
    R1 ICtdi (VPN Client TDI Driver) - c:\winnt\system32\drivers\ictdi.sys <Not Verified; ; VPN Client (Windows 2000)>
    R2 CINEMSUP (Software Cinemaster NT4.0 Driver) - c:\winnt\system32\drivers\cinemsup.sys <Not Verified; Divicore Inc.; Software CineMaster NT 4/Win2K>
    R2 NsTrcNT - c:\winnt\system32\drivers\nstrcnt.sys
    R2 pcscoax (3270 Coax Driver) - c:\winnt\system32\drivers\pcscoax.sys
    R3 allegro (Diamond S100 Audio Driver (WDM)) - c:\winnt\system32\drivers\es198x.sys <Not Verified; Diamond S100; Windows (R) 2000 DDK driver>
    R3 atinrvxx (ATI WDM RageTheater Video Capture) - c:\winnt\system32\drivers\atinrvxx.sys
    R3 glidesvc (GlidePoint Mouseclass Service) - c:\winnt\system32\drivers\glidesvc.sys <Not Verified; Cirque Corp.; GlidePoint® Mouse Services Driver>
    R3 gpmoups2 (GlidePoint PS2 Touchpad Service) - c:\winnt\system32\drivers\gpmoups2.sys <Not Verified; Cirque Corp.; GlidePoint® PS2 Mouse Filter Driver>
    R3 ICvnic (VPN Client Virtual Adapter) - c:\winnt\system32\drivers\icvnic.sys <Not Verified; ; VPN Client (Windows 2000)>
    R3 KLOGNT - c:\winnt\system32\drivers\klognt.sys
    R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
    S3 als4k (Avance Wave Audio Miniport Driver (WDM)) - c:\winnt\system32\drivers\als4000.sys <Not Verified; Avance Logic Inc.; ALS4000>
    S3 alsgame (Gameport for ALS4000 (WDM)) - c:\winnt\system32\drivers\alsgame.sys <Not Verified; ; ALS4000 Game Port>
    S3 AviatorPro (WebGear Wireless PCMCIA Network Adapter Driver) - c:\winnt\system32\drivers\webdrv2.sys <Not Verified; WebGear Inc.; WebGear AviatorPro PC Card WLAN Adapter>
    S3 gpmouser (GlidePoint Serial Touchpad Service) - c:\winnt\system32\drivers\gpmouser.sys <Not Verified; Cirque Corp.; GlidePoint® Serial Mouse Driver>

    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    R2 ICService (Shiva VPN Client) - c:\program files\shiva\shiva vpn client\icsrv.exe
    R2 Norton SpeedDisk - c:\progra~1\norton~1\system\sdsrv.exe <Not Verified; ; SDSRV Application>
    R2 TrcBoot - c:\winnt\system32\drivers\trcboot.exe

    -- Device Manager: Disabled
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0001
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0001
    Service: CVirtA

    -- Files created between 2008-06-13 and 2008-07-13
    2008-07-12 14:38:09 0 d C:\Documents and Settings\Administrator\Application Data\FastStone
    2008-07-12 14:37:56 0 d C:\Program Files\FastStone Image Viewer
    2008-07-11 23:34:46 0 d C:\Documents and Settings\Administrator\Application Data\TS_STD
    2008-07-11 23:34:34 0 d C:\Program Files\Turbo Searcher
    2008-07-11 22:36:02 68096 --a C:\WINNT\zip.exe
    2008-07-11 22:36:02 49152 --a C:\WINNT\VFind.exe
    2008-07-11 22:36:02 161792 --a C:\WINNT\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-07-11 22:36:02 98816 --a C:\WINNT\sed.exe
    2008-07-11 22:36:02 80412 --a C:\WINNT\grep.exe
    2008-07-11 22:36:02 89504 --a C:\WINNT\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-07-11 22:36:01 212480 --a C:\WINNT\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-07-11 22:36:01 136704 --a C:\WINNT\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-07-11 22:16:32 31128 --a C:\Documents and Settings\Administrator\cmanger.exe
    2008-07-09 00:06:00 0 d C:\WINNT\Sun
    2008-07-09 00:05:59 0 d C:\Documents and Settings\Administrator\Application Data\Sun
    2008-07-09 00:04:19 0 d C:\Program Files\Sun
    2008-07-09 00:02:17 0 d C:\Program Files\Java
    2008-07-09 00:01:33 0 d C:\Program Files\Common Files\Java
    2008-07-08 23:58:42 30363 -ra C:\winhet.exe
    2008-07-06 22:39:40 0 d C:\Program Files\Trend Micro
    2008-07-05 15:56:56 0 d--h---c- C:\WINNT\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$
    2008-07-05 15:51:42 0 d C:\WINNT\mui
    2008-07-05 14:42:05 0 d C:\Documents and Settings\All Users.WINNT\Application Data\Systweak
    2008-07-05 14:42:05 0 d C:\Documents and Settings\Administrator\Application Data\Systweak
    2008-06-30 01:38:29 1826508 ---h C:\WINNT\ShellIconCache
    2008-06-29 23:07:06 0 d C:\Documents and Settings\All Users.WINNT\Application Data\Prevx
    2008-06-29 23:06:28 0 d C:\Documents and Settings\Administrator\Application Data\PrevxCSI
    2008-06-29 18:46:54 1980 --a C:\WINNT\system32\tmp.reg
    2008-06-29 11:15:23 0 d C:\Documents and Settings\All Users.WINNT\Application Data\PrevxCSI
    2008-06-29 00:58:47 0 d C:\Program Files\RegistryFix
    2008-06-28 22:29:52 0 d C:\Documents and Settings\All Users.WINNT\Application Data\SUPERAntiSpyware.com
    2008-06-28 22:29:41 0 d C:\Program Files\SUPERAntiSpyware
    2008-06-28 22:29:41 0 d C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-06-28 22:29:25 0 d C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-28 01:43:24 1495552 --a C:\WINNT\system32\epoPGPsdk.dll <Not Verified; PGP Corporation; PGPsdk>
    2008-06-28 01:43:24 0 d C:\Program Files\Common Files\Cisco Systems
    2008-06-28 01:43:24 0 d C:\Documents and Settings\All Users.WINNT\Application Data\McAfee
    2008-06-28 01:42:43 0 d C:\Program Files\McAfee
    2008-06-28 01:42:43 0 d C:\Program Files\Common Files\McAfee
    2008-06-28 01:36:34 0 d C:\IGG

    -- Find3M Report
    2008-07-12 16:16:34 3103 --a C:\WINNT\system32\HPANT.DAT
    2008-07-09 00:01:33 0 d-a C:\Program Files\Common Files
    2008-06-29 00:54:30 0 d C:\Program Files\Exceed
    2008-06-29 00:53:39 0 d C:\Program Files\ACD Systems
    2008-05-28 19:43:33 20376 --a C:\ZF310all
    2008-05-16 13:21:43 1960 --a C:\WINNT\system32\d3d9caps.dat

    -- Registry Dump
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [06/19/03 03:05p C:\WINNT\system32\mobsync.exe]
    "AtiPTA"="atiptaxx.exe" [06/05/00 02:46p C:\WINNT\system32\atiptaxx.exe]
    "CirqueGesture"="C:\Program Files\Touchpad\Gesture.exe" [12/08/00 03:58p]
    "Glide"="glidew32.exe" [12/08/00 03:58p C:\WINNT\system32\glidew32.exe]
    "LoadQM"="loadqm.exe" [05/03/00 05:23p C:\WINNT\loadqm.exe]
    "ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [11/30/06 08:50a]
    "McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [11/17/06 01:39p]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/08 04:27a]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "internat.exe"="internat.exe" [12/07/99 08:00a C:\WINNT\system32\internat.exe]
    "HP JetDiscovery"="HPJETDSC.EXE" [03/28/00 05:24p C:\WINNT\system32\hpjetdsc.exe]
    "PPWebCap"="C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe" [03/01/00 09:37a]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/29/08 12:43a]
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 1:19:50 AM]
    CAMEDIA Master.lnk - C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe [8/29/2004 8:23:46 AM]
    EPSON Status Monitor 3 Environment Check.lnk - C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [10/22/1999 2:10:00 AM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 12:15:54 AM]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06/29/08 12:43a 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/07 12:41p 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @="Driver"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @="Driver"


    -- Hosts
    127.0.0.1 localhost

    -- End of Deckard's System Scanner: finished at 2008-07-13 11:13:20

    extra.txt
    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    -- System Information
    Microsoft Windows 2000 Professional (build 2195) SP 4.0
    Architecture: X86; Language: English
    CPU 0: AMD Athlon(tm) processor
    Percentage of Memory in Use: 48%
    Physical Memory (total/avail): 511.48 MiB / 263.03 MiB
    Pagefile Memory (total/avail): 1247.18 MiB / 937.9 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1956.51 MiB
    A: is Removable (No Media)
    C: is Fixed (NTFS) - 27.95 GiB total, 7.01 GiB free.
    D: is CDROM (No Media)
    \\.\PHYSICALDRIVE0 - QUANTUM FIREBALLP LM30 - 27.95 GiB - 1 partition
    \PARTITION0 (bootable) - Installable File System - 27.95 GiB - C:

    -- Security Center
    AUOptions is set to notify before install.

    -- Environment Variables
    ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINNT
    APPDATA=C:\Documents and Settings\Administrator\Application Data
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=24-10-ROSALIE
    ComSpec=C:\WINNT\system32\cmd.exe
    DEFLOGDIR=C:\Documents and Settings\All Users.WINNT\Application Data\McAfee\DesktopProtection
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Administrator
    LOGONSERVER=\\24-10-ROSALIE
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Os2LibPath=C:\WINNT\system32\os2\dll;
    Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\wbem;C:\texmf\miktex\bin;C:\Program Files\IBM\Trace Facility;C:\Program Files\Personal Communications;C:\Program Files\Resource Pro Kit;C:\Program Files\SSH Communications Security\SSH Secure Shell
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PCOMM_Root=C:\Program Files\Personal Communications
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 4 Stepping 2, AuthenticAMD
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0402
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SystemDrive=C:
    SystemRoot=C:\WINNT
    TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    USERDOMAIN=24-10-ROSALIE
    USERNAME=Administrator
    USERPROFILE=C:\Documents and Settings\Administrator
    VSEDEFLOGDIR=C:\Documents and Settings\All Users.WINNT\Application Data\McAfee\DesktopProtection
    windir=C:\WINNT

    -- User Profiles

    Administrator (admin)

    -- Add/Remove Programs
    --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
    --> C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
    --> C:\WINNT\IsUninst.exe -f"C:\Program Files\ibm\gsk4\gsk4BUI.isu"
    Александр Галич --> C:\WINNT\ST5UNST.EXE -n "C:\Program Files\Galich\ST5UNST.LOG"
    Юрий Визбор --> C:\WINNT\ST5UNST.EXE -n "C:\Program Files\Visbor\ST5UNST.LOG"
    Adobe Acrobat 6.0 Professional - English, Français, Deutsch --> MsiExec.exe /I{AC76BA86-1033-F400-7760-000000000001}
    Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Photoshop 5.5 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.5\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 5.5\Uninst.dll"
    AFPL Ghostscript 7.30 --> C:\gs\uninstgs.exe "C:\gs\gs7.30\uninstal.txt"
    AFPL Ghostscript Fonts --> C:\gs\uninstgs.exe "C:\gs\fonts\uninstal.txt"
    ATI Multimedia Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4EAED9E0-1517-11D4-AEAA-006008C398D0}\setup.exe"
    ATI Win2k Display Driver --> rundll32 C:\WINNT\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY
    DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
    DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
    DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
    DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
    DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
    EPSON Printer Software --> C:\WINNT\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
    FastStone Image Viewer 3.5 --> C:\Program Files\FastStone Image Viewer\uninst.exe
    Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
    Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
    Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    IBM Personal Communications --> C:\WINNT\PCSUNIST.EXE C:\WINNT\unisthook.exe C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Personal Communications\DeIsL1.isu" -y
    Internet Explorer Q903235 --> C:\WINNT\ieuninst.exe C:\WINNT\INF\Q903235.inf
    InterVideo WinDVD --> C:\WINNT\IsUninst.exe -f"C:\Program Files\InterVideo\WinDVD\Uninst.isu"
    iPod for Windows 2005-02-22 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{B6ACFF51-248A-4290-B50B-E50C81F25B97} /l1033
    ItsDeductible Express --> MsiExec.exe /X{36495C59-089C-49D1-BD15-9E5BD86DC9A1}
    iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3CB41017-F5CA-4C56-934C-ED02156251E6}
    Java(TM) 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
    JetAdmin v3.42 --> C:\WINNT\uninst.exe -fC:\WINNT\System32\DeIsL1.isu -c"C:\WINNT\System32\hpuninst.dll
    Mathematica 5 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D82FFD53-3F9A-4D61-A653-6243645F884F}
    McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
    Microsoft Data Access Components KB870669 --> C:\WINNT\muninst.exe C:\WINNT\INF\KB870669.inf
    Microsoft Office 2000 SR-1 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
    Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
    Microsoft Visual Studio 6.0 Enterprise Edition --> "C:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
    Microsoft Web Publishing Wizard 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINNT\INF\wpie3x86.inf,WebPostUninstall
    Microsoft Windows 2000 Professional Resource Kit --> MsiExec.exe /I{5037210E-66F6-4D7E-9B44-8724970498FF}
    MiKTeX --> "C:\texmf\miktex\bin\copystart.exe" "C:\texmf\miktex\config\uninstall.dat"
    Norton Utilities for Windows NT --> C:\PROGRA~1\NORTON~1\SETUP.EXE /U
    OLYMPUS CAMEDIA Master 4.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\setup.exe" CAMEDIA Master 4.2
    OpenOffice.org Installer 1.0 --> MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
    Origin Evaluation Copy --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E8DF23F9-1F6C-4803-ABFC-BB27DABD207B}\setup.exe"
    PaperPort 6.5 --> C:\WINNT\IsUninst.exe -f"C:\Program Files\ScanSoft\PaperPort\Config\DeIsL1.isu" -y -c"C:\Program Files\ScanSoft\PaperPort\UnInstl2.dll"
    PicPerk 4.3 --> C:\Program Files\PicPerk\RemovePicPerk.exe
    PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
    QuickTime --> C:\WINNT\unvise32qt.exe C:\WINNT\System32\QuickTime\Uninstall.log
    RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    RegistryFix v6.2 --> "C:\Program Files\RegistryFix\unins000.exe"
    Remote Desktop Connection --> MsiExec.exe /X{3E713D52-C967-41FB-AA24-3A92CC1025A4}
    Security Update for DirectX 9 (KB951698) --> "C:\WINNT\$NtUninstallKB951698_DX9$\spuninst\spuninst.exe"
    Security Update for Windows 2000 (KB904706) --> "C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
    Shiva VPN Client --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Shiva\Shiva VPN Client\Uninst.isu" -c"C:\Program Files\Shiva\Shiva VPN Client\snetcfg.dll"
    Shockwave --> C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
    SSH Secure Shell --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}\Setup.exe"
    SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
    Touchpad --> MsiExec.exe /I{1380CA9A-C3EC-4387-9E28-9A5AD4C48E4C}
    TurboTax Deluxe 2003 --> C:\Program Files\TurboTax\Deluxe 2003\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2003\Uninstall.log" -NoGui
    TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
    TurboTax Premier 2004 --> C:\Program Files\TurboTax\Premier 2004\TaxUnst.EXE "C:\Program Files\TurboTax\Premier 2004\Uninstall.log" -NoGui
    TurboTax Premier Investments 2006 --> C:\Program Files\TurboTax\Premier 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Premier 2006\Uninstall.log" -NoGui
    VIAhm --> C:\WINNT\IsUninst.exe -fc:\VIAhm\Uninst.isu
    Visioneer 4400 Scanner --> C:\PROGRA~1\VISION~1\UNWISE.EXE C:\PROGRA~1\VISION~1\INSTALL.LOG
    VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5624C000-B109-11D4-9DB4-00E0290FCAC5}\Setup.exe" -l0x9 VpnUninstall
    WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
    Windows Media Player 7 --> C:\Program Files\Windows Media Player\setup_wm.exe /Uninstall
    WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
    Wolfram Mathematica 6 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2D74307D-7B6F-4A81-9D13-0FDA0F5060BA}
    Wolfram Notebook Indexer 2.0 --> MsiExec.exe /I{4FE315B7-4634-4587-80FF-D40BF0989567}

    -- Application Event Log
    Event Record #/Type1029 / Error
    Event Submitted/Written: 07/11/2008 10:53:08 PM
    Event ID/Source: 1000 / Userenv
    Event Description:
    Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator.
    DETAIL - Access is denied. , Build number ((2195)).
    Event Record #/Type1027 / Error
    Event Submitted/Written: 07/11/2008 10:37:44 PM
    Event ID/Source: 259 / McLogEvent
    Event Description:
    The file C:\Documents and Settings\Administrator\Local Settings\Temp\Av-test.txt contains the EICAR test file Test. No cleaner available, file deleted successfully. Detected using Scan engine version 5200.2160 DAT version 5337.0000.
    Event Record #/Type1018 / Error
    Event Submitted/Written: 07/10/2008 00:06:50 AM
    Event ID/Source: 1000 / Userenv
    Event Description:
    Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator.
    DETAIL - Access is denied. , Build number ((2195)).
    Event Record #/Type1017 / Warning
    Event Submitted/Written: 07/09/2008 09:40:35 PM
    Event ID/Source: 258 / McLogEvent
    Event Description:
    The update failed; see event log.
    Event Record #/Type1013 / Error
    Event Submitted/Written: 07/09/2008 08:24:36 AM
    Event ID/Source: 1000 / Userenv
    Event Description:
    Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator.
    DETAIL - Access is denied. , Build number ((2195)).

    -- Security Event Log
    No Errors/Warnings found.

    -- System Event Log
    Event Record #/Type6719 / Error
    Event Submitted/Written: 07/13/2008 11:04:39 AM
    Event ID/Source: 7000 / Service Control Manager
    Event Description:
    The Task Scheduler service failed to start due to the following error:
    %%1083
    Event Record #/Type6714 / Error
    Event Submitted/Written: 07/12/2008 01:38:42 PM
    Event ID/Source: 7000 / Service Control Manager
    Event Description:
    The Task Scheduler service failed to start due to the following error:
    %%1083
    Event Record #/Type6705 / Error
    Event Submitted/Written: 07/12/2008 01:29:29 PM
    Event ID/Source: 7000 / Service Control Manager
    Event Description:
    The Task Scheduler service failed to start due to the following error:
    %%1083
    Event Record #/Type6700 / Error
    Event Submitted/Written: 07/12/2008 00:33:23 AM
    Event ID/Source: 7000 / Service Control Manager
    Event Description:
    The Task Scheduler service failed to start due to the following error:
    %%1083
    Event Record #/Type6695 / Error
    Event Submitted/Written: 07/11/2008 11:50:49 PM
    Event ID/Source: 7000 / Service Control Manager
    Event Description:
    The Task Scheduler service failed to start due to the following error:
    %%1083

    -- End of Deckard's System Scanner: finished at 2008-07-13 11:13:20

    Thank you,
    -- pgmigg
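    The event-log section of the DSS report above is flat text, one field per line. The script below is an added example for this thread, not part of Deckard's System Scanner or of the post: it parses that layout into records, extracts the "%%NNNN" token DSS leaves unexpanded (it is a Win32 error code; 1083 is ERROR_SERVICE_NOT_IN_EXE, "The executable program that this service is configured to run in does not implement the service", the value shown in the Task Scheduler entries), and counts Error-level events that repeat per source. The sample lines are copied from the excerpts above; the WIN32_ERRORS table is an addition limited to that one code.

```python
"""Parse the event-log section of a Deckard's System Scanner (DSS) report.

Added example for this thread; it is not part of DSS or of the original
post. Format assumptions come only from the excerpt above: each record is
introduced by an "Event Record #/Type" line, followed by
"Event Submitted/Written", "Event ID/Source" and a multi-line description.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Sample records copied from the System and Application Event Log excerpts above.
SAMPLE_LOG = """\
-- System Event Log
Event Record #/Type6719 / Error
Event Submitted/Written: 07/13/2008 11:04:39 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%1083
Event Record #/Type6714 / Error
Event Submitted/Written: 07/12/2008 01:38:42 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%1083
-- Application Event Log
Event Record #/Type1029 / Error
Event Submitted/Written: 07/11/2008 10:53:08 PM
Event ID/Source: 1000 / Userenv
Event Description:
Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator.
DETAIL - Access is denied. , Build number ((2195)).
"""


@dataclass
class Event:
    record: int       # DSS "Event Record #"
    level: str        # Error / Warning / Information
    written: str      # timestamp exactly as DSS printed it
    event_id: int
    source: str
    description: str


RECORD_RE = re.compile(r"^Event Record #/Type(\d+) / (\w+)$")
WRITTEN_RE = re.compile(r"^Event Submitted/Written: (.+)$")
IDSRC_RE = re.compile(r"^Event ID/Source: (\d+) / (.+)$")
ERRCODE_RE = re.compile(r"%%(\d+)")

# Win32 error names for the codes seen in the excerpt (values from winerror.h).
WIN32_ERRORS = {1083: "ERROR_SERVICE_NOT_IN_EXE"}


def parse_dss_events(text: str) -> list[Event]:
    """Turn the flat DSS dump into Event objects, in file order."""
    events: list[Event] = []
    cur: Event | None = None
    desc: list[str] = []
    in_desc = False

    def finish() -> None:
        if cur is not None:
            cur.description = "\n".join(desc).strip()
            events.append(cur)

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-- "):          # "-- System Event Log" section header
            finish()
            cur, in_desc = None, False
            continue
        if m := RECORD_RE.match(line):
            finish()
            cur = Event(int(m.group(1)), m.group(2), "", 0, "", "")
            desc, in_desc = [], False
            continue
        if cur is None:
            continue
        if m := WRITTEN_RE.match(line):
            cur.written = m.group(1)
        elif m := IDSRC_RE.match(line):
            cur.event_id, cur.source = int(m.group(1)), m.group(2)
        elif line == "Event Description:":
            in_desc = True
        elif in_desc:
            desc.append(line)
    finish()
    return events


def win32_error_code(description: str) -> int | None:
    """Extract the %%NNNN code that DSS leaves unexpanded, or None."""
    m = ERRCODE_RE.search(description)
    return int(m.group(1)) if m else None


def error_name(event: Event) -> str | None:
    """Symbolic name for the event's Win32 error code, if it carries one."""
    code = win32_error_code(event.description)
    if code is None:
        return None
    return WIN32_ERRORS.get(code, f"Win32 error {code}")


def recurring_failures(events: list[Event], min_count: int = 2) -> dict[tuple[int, str], int]:
    """Error-level events grouped by (event id, source) that repeat at least min_count times."""
    counts = Counter((e.event_id, e.source) for e in events if e.level == "Error")
    return {key: n for key, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    evs = parse_dss_events(SAMPLE_LOG)
    for key, n in recurring_failures(evs).items():
        print(f"{n}x event {key[0]} from {key[1]}")
    for e in evs:
        print(e.written, e.source, e.event_id, error_name(e) or "")
```

    Run on the full report, the repeat counter surfaces the five identical Task Scheduler start failures (event 7000) at a glance instead of leaving them buried in the dump; the timestamp is kept as text because DSS prints midnight as "00:.. AM", which a strict 12-hour parser rejects.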
  • edited July 2008
    Submit a File For Analysis
    We need to have the files below Scanned by Uploading them/it to Virus Total

    Please visit Virustotal
    Copy/paste the following file path into the window
    C:\Documents and Settings\Administrator\cmanger.exe

    Click Submit/Send File
    Please post back, to let me know the results.

    Please do the same for the following files
    C:\winhet.exe
    C:\WINNT\system32\epoPGPsdk.dll


    If Virustotal is too busy please try Jotti



    Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

    cmd.exe /c dir C:\ZF310all >> "%userprofile%\desktop\look.txt"

    When finished, it shall produce a log for you (look.txt on your desktop). Post that log in your next reply.
  • edited July 2008
    I will do that, but C:\winhet.exe was broken by me and I did not keep the original copy...
  • edited July 2008
    Doesn't matter, upload it anyway
  • edited July 2008
    OK.

    1. C:\Documents and Settings\Administrator\cmanger.exe

    File has already been analysed:
    MD5: 57bc3d430cdd94725b6b63f09a25aec8
    First received: 07.10.2008 09:28:51 (CET)
    Date: 07.13.2008 04:11:13 (CET) [<1D]
    Results: 19/33
    Permalink: http://www.virustotal.com/analisis/fb7e007006634e553fe5d1fe7450a05e


    File cmanger.exe received on 07.13.2008 19:55:22 (CET)

    Result: 21/33 (63.64%)

    Antivirus          Version         Last Update   Result
    AhnLab-V3          2008.7.11.0     2008.07.11    -
    AntiVir            7.8.0.64        2008.07.13    TR/Crypt.XPACK.Gen
    Authentium         5.1.0.4         2008.07.13    W32/Onlinegames.gen
    Avast              4.8.1195.0      2008.07.13    Win32:Trojan-gen {Other}
    AVG                7.5.0.516       2008.07.12    -
    BitDefender        7.2             2008.07.13    Trojan.Peed.Gen
    CAT-QuickHeal      9.50            2008.07.11    (Suspicious) - DNAScan
    ClamAV             0.93.1          2008.07.13    -
    DrWeb              4.44.0.09170    2008.07.12    Trojan.Proxy.2379
    eSafe              7.0.17.0        2008.07.13    Suspicious File
    eTrust-Vet         31.6.5949       2008.07.12    Win32/Nvgra.H
    Ewido              4.0             2008.07.13    -
    F-Prot             4.4.4.56        2008.07.13    W32/Onlinegames.gen
    F-Secure           7.60.13501.0    2008.07.12    -
    Fortinet           3.14.0.0        2008.07.13    PossibleThreat
    GData              2.0.7306.1023   2008.07.13    Win32:Trojan-gen
    Ikarus             T3.1.1.26.0     2008.07.13    Trojan.Peed
    Kaspersky          7.0.0.125       2008.07.13    -
    McAfee             5337            2008.07.11    New Malware.bl
    Microsoft          1.3704          2008.07.13    -
    NOD32v2            3263            2008.07.11    -
    Norman             5.80.02         2008.07.11    W32/Tibs.CKIK
    Panda              9.0.0.4         2008.07.13    Suspicious file
    Prevx1             V2              2008.07.13    Suspicious
    Rising             20.52.62.00     2008.07.13    -
    Sophos             4.31.0          2008.07.13    Mal/Generic-A
    Sunbelt            3.1.1536.1      2008.07.12    VIPRE.Suspicious
    Symantec           10              2008.07.13    Backdoor.Trojan
    TheHacker          6.2.96.378      2008.07.13    -
    TrendMicro         8.700.0.1004    2008.07.11    PAK_Generic.001
    VBA32              3.12.6.9        2008.07.12    -
    VirusBuster        4.5.11.0        2008.07.13    -
    Webwasher-Gateway  6.6.2           2008.07.13    Trojan.Crypt.XPACK.Gen


    Additional information
    File size: 31128 bytes
    MD5...: 57bc3d430cdd94725b6b63f09a25aec8
    SHA1..: 84ae2fcef23489b6095b435e04138563fc9c631f
    SHA256: aa2ee125132eea3e55c66e6b2834852c39988f4159a4afe9055c8e1520c27257
    SHA512: 12bcceed797c1bc40a0895610c4b26b9dc92ebb44ec8427fad43ca9f2c7fc676 5b2e3f8fdc3236775035f982c6091bf592fba9ac549f3eb7df0c933cd2f38246
    PEiD..: -
    PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x412200 timedatestamp.....: 0x472db526 (Sun Nov 04 12:03:50 2007) machinetype.......: 0x14c (I386) ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 0x1000 0xa000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e 0xb000 0x7000 0x6400 7.90 b1477ec2a831713e3280ccd9ac9bf6f0 0x12000 0x2000 0x1198 6.51 a08ad4ee2a892dad96eb170712baba88 ( 0 imports ) ( 0 exports )
    Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=93BA83A29885F37079C400D7136D2E00E87E20AD

    ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

    2. C:\winhet.exe

    File winhet.exe received on 07.13.2008 20:00:31 (CET)

    Result: 0/33 (0%)

    Antivirus          Version         Last Update   Result
    AhnLab-V3          2008.7.11.0     2008.07.11    -
    AntiVir            7.8.0.64        2008.07.13    -
    Authentium         5.1.0.4         2008.07.13    -
    Avast              4.8.1195.0      2008.07.13    -
    AVG                7.5.0.516       2008.07.12    -
    BitDefender        7.2             2008.07.13    -
    CAT-QuickHeal      9.50            2008.07.11    -
    ClamAV             0.93.1          2008.07.13    -
    DrWeb              4.44.0.09170    2008.07.12    -
    eSafe              7.0.17.0        2008.07.13    -
    eTrust-Vet         31.6.5949       2008.07.12    -
    Ewido              4.0             2008.07.13    -
    F-Prot             4.4.4.56        2008.07.13    -
    F-Secure           7.60.13501.0    2008.07.12    -
    Fortinet           3.14.0.0        2008.07.13    -
    GData              2.0.7306.1023   2008.07.13    -
    Ikarus             T3.1.1.26.0     2008.07.13    -
    Kaspersky          7.0.0.125       2008.07.13    -
    McAfee             5337            2008.07.11    -
    Microsoft          1.3704          2008.07.13    -
    NOD32v2            3263            2008.07.11    -
    Norman             5.80.02         2008.07.11    -
    Panda              9.0.0.4         2008.07.13    -
    Prevx1             V2              2008.07.13    -
    Rising             20.52.62.00     2008.07.13    -
    Sophos             4.31.0          2008.07.13    -
    Sunbelt            3.1.1536.1      2008.07.12    -
    Symantec           10              2008.07.13    -
    TheHacker          6.2.96.378      2008.07.13    -
    TrendMicro         8.700.0.1004    2008.07.11    -
    VBA32              3.12.6.9        2008.07.12    -
    VirusBuster        4.5.11.0        2008.07.13    -
    Webwasher-Gateway  6.6.2           2008.07.13    -


    Additional information
    File size: 30363 bytes
    MD5...: 932b0fbe2fa9896b64b66b9afb31b34c
    SHA1..: 3e39853547a57aa1815ce5c329aeabc6bfeec46d
    SHA256: 78f44331dbe793977f371e8631f7aa1e65bc01d84a5279381298bd9f31daa130
    SHA512: e1683daaa8ed305e104712006d5300d7c7e72d3506161089fb5420845f036505 b5753603cfebcf484ad4b8345655db208770b2843af8a46d17b8ddde5ea64b41
    PEiD..: -
    PEInfo: -


    3. C:\WINNT\system32\epoPGPsdk.dll


    File has already been analysed:
    MD5: 9e1bb090d2d8dbf73d9042b4fae99a6b
    First received: -
    Date: 07.12.2008 18:34:18 (CET) [+1D]
    Results: 0/33
    Permalink: http://www.virustotal.com/analisis/c60c03fce3b9b6d187b48c40ba15c6b1


    File epoPGPsdk.dll received on 07.13.2008 20:04:11 (CET)

    Result: 0/33 (0%)

    Antivirus          Version         Last Update   Result
    AhnLab-V3          2008.7.11.0     2008.07.11    -
    AntiVir            7.8.0.64        2008.07.13    -
    Authentium         5.1.0.4         2008.07.13    -
    Avast              4.8.1195.0      2008.07.13    -
    AVG                7.5.0.516       2008.07.12    -
    BitDefender        7.2             2008.07.13    -
    CAT-QuickHeal      9.50            2008.07.11    -
    ClamAV             0.93.1          2008.07.13    -
    DrWeb              4.44.0.09170    2008.07.12    -
    eSafe              7.0.17.0        2008.07.13    -
    eTrust-Vet         31.6.5949       2008.07.12    -
    Ewido              4.0             2008.07.13    -
    F-Prot             4.4.4.56        2008.07.13    -
    F-Secure           7.60.13501.0    2008.07.12    -
    Fortinet           3.14.0.0        2008.07.13    -
    GData              2.0.7306.1023   2008.07.13    -
    Ikarus             T3.1.1.26.0     2008.07.13    -
    Kaspersky          7.0.0.125       2008.07.13    -
    McAfee             5337            2008.07.11    -
    Microsoft          1.3704          2008.07.13    -
    NOD32v2            3263            2008.07.11    -
    Norman             5.80.02         2008.07.11    -
    Panda              9.0.0.4         2008.07.13    -
    Prevx1             V2              2008.07.13    -
    Rising             20.52.62.00     2008.07.13    -
    Sophos             4.31.0          2008.07.13    -
    Sunbelt            3.1.1536.1      2008.07.12    -
    Symantec           10              2008.07.13    -
    TheHacker          6.2.96.378      2008.07.13    -
    TrendMicro         8.700.0.1004    2008.07.11    -
    VBA32              3.12.6.9        2008.07.12    -
    VirusBuster        4.5.11.0        2008.07.13    -
    Webwasher-Gateway  6.6.2           2008.07.13    -


    Additional information
    File size: 1495552 bytes
    MD5...: 9e1bb090d2d8dbf73d9042b4fae99a6b
    SHA1..: d24097d1f3345bea213051addaca5e624546dc45
    SHA256: d03e0bbc6f38ac68717943125427f1f0d0af62a19b5e8b37622008969d1c78dc
    SHA512: f615b91bc43960732244b392e5c9307434e0ea37f8f5d405b44b168f999fc687 691f0b9bd6656eed2fff3bcd9f432f1a13c0f554a10183039d07e0c05990d533
    PEiD..: -
    PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x10115cdd timedatestamp.....: 0x4373d0af (Thu Nov 10 22:58:55 2005) machinetype.......: 0x14c (I386) ( 5 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x1217ed 0x121800 6.56 8fcc8d8ed2026e77ccda79f4092fa872 .rdata 0x123000 0x3cde6 0x3ce00 6.89 f9898dd51c9d2f72303d8a202fccd3ca .data 0x160000 0xa6e8 0x6800 4.88 4926357484dc32cdc02d55a82718a9f3 .rsrc 0x16b000 0x440 0x600 2.58 ddba1f9f3bcda1e83d54db9251ec5e4d .reloc 0x16c000 0x78ac 0x7a00 5.98 65aa2b4626a800e28c06e49929a52fb4 ( 5 imports ) > RPCRT4.dll: RpcBindingReset, RpcStringBindingComposeA, RpcBindingFromStringBindingA, RpcBindingSetAuthInfoA, RpcBindingFree, NdrConformantArrayBufferSize, NdrConformantArrayMarshall, NdrSimpleStructUnmarshall, NdrClientInitializeNew, NdrGetBuffer, NdrSendReceive, NdrConvert, NdrFreeBuffer, NdrMapCommAndFaultStatus, RpcRaiseException > KERNEL32.dll: GetFullPathNameA, SetStdHandle, GetStartupInfoA, GetStdHandle, SetHandleCount, WriteFile, lstrcpyA, CreateEventA, CloseHandle, WaitForSingleObject, ReleaseMutex, SetEvent, GetCurrentThreadId, GetWindowsDirectoryA, FreeLibrary, lstrcatA, LoadLibraryA, lstrcmpA, GetLastError, FindClose, lstrcmpiA, CreateFileA, GetVersionExA, VirtualLock, DeviceIoControl, VirtualUnlock, VirtualAlloc, VirtualFree, GetTickCount, CreateMutexA, CreateDirectoryA, GetFileAttributesA, GetSystemTime, GetCurrentDirectoryA, GetModuleHandleA, Sleep, GetCurrentProcessId, ReleaseSemaphore, GetModuleFileNameA, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, OpenProcess, FlushFileBuffers, FlushViewOfFile, MapViewOfFile, UnmapViewOfFile, BackupSeek, BackupRead, CreateFileMappingA, GetSystemInfo, CompareStringA, GetSystemDirectoryA, InterlockedExchange, SetLastError, SetEnvironmentVariableA, RaiseException, HeapSize, InitializeCriticalSection, GetOEMCP, GetACP, ReadFile, GetLocaleInfoA, VirtualProtect, VirtualQuery, UnhandledExceptionFilter, GetTimeZoneInformation, SetFileTime, 
LocalFileTimeToFileTime, SystemTimeToFileTime, QueryPerformanceCounter, SetFileAttributesA, GetStringTypeA, GetEnvironmentStrings, HeapAlloc, HeapReAlloc, HeapFree, GetSystemTimeAsFileTime, ExitProcess, SetFilePointer, FileTimeToSystemTime, FileTimeToLocalFileTime, GetFileInformationByHandle, PeekNamedPipe, GetFileType, GetDriveTypeA, FindFirstFileA, SetEndOfFile, RtlUnwind, ExitThread, CreateThread, TerminateProcess, GetCurrentProcess, GetTimeFormatA, GetDateFormatA, GetCommandLineA, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapDestroy, HeapCreate, LCMapStringA, FreeEnvironmentStringsA > USER32.dll: MessageBoxA, PostThreadMessageA, RegisterWindowMessageA, PeekMessageA, MsgWaitForMultipleObjects, GetMessageA, SetTimer, CharPrevA, CharNextA, wsprintfA > ADVAPI32.dll: OpenSCManagerA, OpenServiceA, CloseServiceHandle, QueryServiceStatus, CryptGenRandom, CryptReleaseContext, RegOpenKeyExA, RegQueryValueExA, RegCloseKey > SHELL32.dll: SHGetDesktopFolder, SHGetMalloc ( 675 exports ) IsdGetCapability, IsdGetRandomNumber, IsdGetStatistic, IsdTestRandomGenerator, PGPAddAttributeUserID, PGPAddItemToGroup, PGPAddJobOptions, PGPAddKey, PGPAddKeyOptions, PGPAddKeys, PGPAddUserID, PGPAddUserIDU16, PGPAddUserIDU8, PGPAppendOptionList, PGPAssignBigNum, PGPBigNumAdd, PGPBigNumAddQ, PGPBigNumCompare, PGPBigNumCompareQ, PGPBigNumDivide, PGPBigNumDoubleExpMod, PGPBigNumExpMod, PGPBigNumExtractBigEndianBytes, PGPBigNumExtractLittleEndianBytes, PGPBigNumGCD, PGPBigNumGetLSWord, PGPBigNumGetSignificantBits, PGPBigNumInsertBigEndianBytes, PGPBigNumInsertLittleEndianBytes, PGPBigNumInv, PGPBigNumLeftShift, PGPBigNumMakeOdd, PGPBigNumMod, PGPBigNumModQ, PGPBigNumMultiply, PGPBigNumMultiplyQ, PGPBigNumRightShift, PGPBigNumSetQ, PGPBigNumSquare, PGPBigNumSubtract, PGPBigNumSubtractQ, PGPBigNumTwoExpMod, PGPBuildOptionList, PGPCBCDecrypt, PGPCBCEncrypt, PGPCBCGetSymmetricCipher, PGPCFBDecrypt, PGPCFBEncrypt, PGPCFBGetRandom, PGPCFBGetSymmetricCipher, 
PGPCFBRandomCycle, PGPCFBRandomWash, PGPCFBSync, PGPCacheKeyDB, PGPCalculateTrust, PGPCertifyUserID, PGPChangePassphrase, PGPCheckKeyRingSigs, PGPCleanSignatures, PGPCombineShares, PGPCompareKeyIDs, PGPCompareKeys, PGPCompareShareIDs, PGPCompareUserIDStrings, PGPCompareUserIDStringsU16, PGPCompareUserIDStringsU8, PGPContextGetRandomBytes, PGPContextReserveRandomBytes, PGPContinueHMAC, PGPContinueHash, PGPCopyBigNum, PGPCopyCBCContext, PGPCopyCFBContext, PGPCopyFileSpec, PGPCopyGroupSet, PGPCopyHashContext, PGPCopyKeyDBObj, PGPCopyKeyIter, PGPCopyKeys, PGPCopyOptionList, PGPCopySharesFromFile, PGPCopySharesToFile, PGPCopySymmetricCipherContext, PGPCountAdditionalRecipientRequests, PGPCountCachedPassphrases, PGPCountGroupItems, PGPCountGroupsInSet, PGPCountKeys, PGPCountKeysInKeyDB, PGPCountNotations, PGPCountObjsInTARCache, PGPCountPublicKeyAlgorithms, PGPCountRevocationKeys, PGPCountSymmetricCiphers, PGPCountTokens, PGPCreateDistinguishedName, PGPCreateDistinguishedNameU16, PGPCreateDistinguishedNameU8, PGPCreateSelfSignedX509Certificate, PGPCreateShares, PGPCreateX509CRL, PGPCreateX509Certificate, PGPCreateX509CertificateFromRequest, PGPDSAKeyVerifyRaw, PGPDSAVSTest, PGPDecode, PGPDeleteFile, PGPDeleteGroup, PGPDeleteIndItemFromGroup, PGPDeleteItemFromGroup, PGPDeleteKeyDBObj, PGPDeleteKeyDBObjOnToken, PGPDeleteKeyOnToken, PGPDeleteKeys, PGPDeleteTARCacheObj, PGPDiscreteLogExponentBits, PGPDump, PGPECCreate2mContext, PGPECFreeContext, PGPECGetBufferSize, PGPECPointAdd, PGPECPointAssignContext, PGPECPointCompress, PGPECPointCreate, PGPECPointDecompress, PGPECPointExtractBytes, PGPECPointExtractXYBytes, PGPECPointFree, PGPECPointInsertBytes, PGPECPointIsConsistent, PGPECPointIsZero, PGPECPointMul, PGPECPointPrefBasis, PGPECPointSetZero, PGPECScalarCreate, PGPECScalarFree, PGPECScalarInsertBytes, PGPECSetEC2mParamA, PGPECSetEC2mParamAInt, PGPECSetEC2mParamB, PGPECSetEC2mParamBInt, PGPEnableFIPSMode, PGPEncode, PGPExport, PGPExportGroupSetToBuffer, 
PGPExportTARCacheObj, PGPFilterChildObjects, PGPFilterKeyDB, PGPFilterKeySet, PGPFinalizeHMAC, PGPFinalizeHash, PGPFindKeyByKeyID, PGPFlushKeyDB, PGPFormatToken, PGPFreeBigNum, PGPFreeCBCContext, PGPFreeCFBContext, PGPFreeContext, PGPFreeData, PGPFreeFileSpec, PGPFreeFilter, PGPFreeGroupItemIter, PGPFreeGroupSet, PGPFreeHMACContext, PGPFreeHashContext, PGPFreeKeyDB, PGPFreeKeyIter, PGPFreeKeyList, PGPFreeKeySet, PGPFreeMemoryMgr, PGPFreeOptionList, PGPFreePrivateKeyContext, PGPFreePublicKeyContext, PGPFreeShareFile, PGPFreeShares, PGPFreeSymmetricCipherContext, PGPFreeTARCache, PGPFreeTARCacheIter, PGPFreeWipePatternContext, PGPGenerateKey, PGPGenerateSubKey, PGPGetAdditionalRecipientRequests, PGPGetCRLDistributionPoints, PGPGetCRLDistributionPointsPrintable, PGPGetContextUserValue, PGPGetDefaultMemoryMgr, PGPGetErrorString, PGPGetErrorStringU16, PGPGetErrorStringU8, PGPGetFeatureFlags, PGPGetFullPathFromFileSpec, PGPGetFullPathFromFileSpecU16, PGPGetFullPathFromFileSpecU8, PGPGetGroupInfo, PGPGetGroupLowestValidity, PGPGetGroupSetContext, PGPGetHashSize, PGPGetHashWordString, PGPGetHashWordStringU16, PGPGetHashWordStringU8, PGPGetIndGroupID, PGPGetIndGroupItem, PGPGetIndexedAdditionalRecipientRequestKey, PGPGetIndexedAllocatedNotation, PGPGetIndexedNotation, PGPGetIndexedPublicKeyAlgorithmInfo, PGPGetIndexedRevocationKey, PGPGetIndexedSymmetricCipherInfo, PGPGetKeyDBObjAllocatedDataProperty, PGPGetKeyDBObjAllocatedDataPropertyU16, PGPGetKeyDBObjAllocatedDataPropertyU8, PGPGetKeyDBObjBooleanProperty, PGPGetKeyDBObjDataProperty, PGPGetKeyDBObjDataPropertyU16, PGPGetKeyDBObjDataPropertyU8, PGPGetKeyDBObjNumericProperty, PGPGetKeyDBObjTimeProperty, PGPGetKeyDBObjUserValue, PGPGetKeyEntropyNeeded, PGPGetKeyForUsage, PGPGetKeyID, PGPGetKeyIDAlgorithm, PGPGetKeyIDBytes, PGPGetKeyIDFromShares, PGPGetKeyIDString, PGPGetKeyIDStringU16, PGPGetKeyIDStringU8, PGPGetKnownX509CAs, PGPGetMemoryMgrCustomValue, PGPGetMemoryMgrDataInfo, PGPGetNumSharesInFile, PGPGetNumberOfShares, 
PGPGetPGPTimeFromStdTime, PGPGetPGPsdkAPIVersion, PGPGetPGPsdkVersion, PGPGetPGPsdkVersionString, PGPGetPGPsdkVersionStringU16, PGPGetPGPsdkVersionStringU8, PGPGetPasskeyBuffer, PGPGetPasskeyFromShares, PGPGetPrimaryAttributeUserID, PGPGetPrimaryUserID, PGPGetPrimaryUserIDName, PGPGetPrimaryUserIDNameU16, PGPGetPrimaryUserIDNameU8, PGPGetPrimaryUserIDValidity, PGPGetPrivateKeyOperationSizes, PGPGetPublicKeyOperationSizes, PGPGetRevocationKeys, PGPGetSDKErrorState, PGPGetShareFileMemoryMgr, PGPGetShareFileOwnerFingerprint, PGPGetShareFileOwnerKeyID, PGPGetShareFileShareID, PGPGetShareFileSharedKeyID, PGPGetShareFileSpec, PGPGetShareFileUserID, PGPGetShareFileUserIDU16, PGPGetShareFileUserIDU8, PGPGetShareID, PGPGetShareThreshold, PGPGetShareThresholdInFile, PGPGetSigCertifierKey, PGPGetSigX509CertifierSig, PGPGetSigX509TopSig, PGPGetStdTimeFromPGPTime, PGPGetSymmetricCipherSizes, PGPGetTARCacheObjAllocatedDataProperty, PGPGetTARCacheObjDataProperty, PGPGetTARCacheObjDataPropertyU16, PGPGetTARCacheObjDataPropertyU8, PGPGetTARCacheObjNumericProperty, PGPGetTARCacheObjTimeProperty, PGPGetTARCacheScanProgress, PGPGetTime, PGPGetTokenInfo, PGPGetTokenInfoBooleanProperty, PGPGetTokenInfoDataProperty, PGPGetTokenInfoDataPropertyU16, PGPGetTokenInfoDataPropertyU8, PGPGetTokenInfoNumericProperty, PGPGetTotalNumberOfShares, PGPGetYMDFromPGPTime, PGPGlobalRandomPoolAddKeystroke, PGPGlobalRandomPoolAddMouse, PGPGlobalRandomPoolAddSystemState, PGPGlobalRandomPoolGetEntropy, PGPGlobalRandomPoolGetMinimumEntropy, PGPGlobalRandomPoolGetSize, PGPGlobalRandomPoolHasIntelRNG, PGPGlobalRandomPoolHasMinimumEntropy, PGPGlobalRandomPoolMouseMoved, PGPGroupItemIterNext, PGPGroupSetNeedsCommit, PGPHKSQueryFromFilter, PGPHKSQueryFromFilterU16, PGPHKSQueryFromFilterU8, PGPImport, PGPImportGroupSetFromBuffer, PGPImportTARCacheObj, PGPIncFilterRefCount, PGPIncKeyDBRefCount, PGPIncKeyListRefCount, PGPIncKeySetRefCount, PGPInitCBC, PGPInitCFB, PGPInitSymmetricCipher, PGPIntersectFilters, 
PGPIsSameShares, PGPIsSameSharesInFiles, PGPKeyDBIsMutable, PGPKeyDBIsUpdated, PGPKeyIterGetKeyDBObj, PGPKeyIterIndex, PGPKeyIterMove, PGPKeyIterNextKeyDBObj, PGPKeyIterPrevKeyDBObj, PGPKeyIterRewind, PGPKeyIterSeek, PGPKeySetIsMember, PGPLDAPQueryFromFilter, PGPLDAPQueryFromFilterU16, PGPLDAPQueryFromFilterU8, PGPLDAPX509QueryFromFilter, PGPLDAPX509QueryFromFilterU16, PGPLDAPX509QueryFromFilterU8, PGPMacBinaryToLocal, PGPMergeGroupIntoDifferentSet, PGPMergeGroupSets, PGPNegateFilter, PGPNetToolsCAHTTPQueryFromFilter, PGPNetToolsCAHTTPQueryFromFilterU16, PGPNetToolsCAHTTPQueryFromFilterU8, PGPNewBigNum, PGPNewCBCContext, PGPNewCFBContext, PGPNewContext, PGPNewContextCustom, PGPNewData, PGPNewEmptyInclusiveKeySet, PGPNewEmptyKeySet, PGPNewFileSpecFromFullPath, PGPNewFileSpecFromFullPathU16, PGPNewFileSpecFromFullPathU8, PGPNewFlattenedGroupFromGroup, PGPNewGroup, PGPNewGroupItemIter, PGPNewGroupSet, PGPNewGroupSetFromFile, PGPNewHMACContext, PGPNewHashContext, PGPNewKeyDB, PGPNewKeyDBObjBooleanFilter, PGPNewKeyDBObjDataFilter, PGPNewKeyDBObjDataFilterU16, PGPNewKeyDBObjDataFilterU8, PGPNewKeyDBObjNumericFilter, PGPNewKeyDBObjTimeFilter, PGPNewKeyID, PGPNewKeyIDFromString, PGPNewKeyIDFromStringU16, PGPNewKeyIDFromStringU8, PGPNewKeyIter, PGPNewKeyIterFromKeyDB, PGPNewKeyIterFromKeySet, PGPNewKeySet, PGPNewKeySetFromGroup, PGPNewMemoryMgr, PGPNewMemoryMgrCustom, PGPNewOneInclusiveKeySet, PGPNewOneKeySet, PGPNewOptionList, PGPNewPrivateKeyContext, PGPNewPublicKeyContext, PGPNewSecureData, PGPNewShareFile, PGPNewSymmetricCipherContext, PGPNewTARCacheIter, PGPNewWipePatternContext, PGPOAdditionalRecipientRequestKeySet, PGPOAllocatedOutputBuffer, PGPOAllocatedOutputKeyContainer, PGPOAllowBareESKs, PGPOAppendOutput, PGPOArmorOutput, PGPOAskUserForEntropy, PGPOAttributeValue, PGPOCachePassphrase, PGPOCipherAlgorithm, PGPOCleanSignatures, PGPOClearSign, PGPOCommentString, PGPOCommentStringU16, PGPOCommentStringU8, PGPOCompression, PGPOCompressionAlgorithm, 
PGPOConventionalEncrypt, PGPOCreationDate, PGPODataIsASCII, PGPODetachedSig, PGPODiscardOutput, PGPOEncryptToKeyDBObj, PGPOEncryptToKeySet, PGPOEventHandler, PGPOExpiration, PGPOExportFormat, PGPOExportKeyDBObj, PGPOExportKeySet, PGPOExportPrivateKeys, PGPOExportPrivateSubkeys, PGPOExportable, PGPOFailBelowValidity, PGPOFileNameString, PGPOFileNameStringU16, PGPOFileNameStringU8, PGPOForYourEyesOnly, PGPOHashAlgorithm, PGPOImportKeysTo, PGPOInputBuffer, PGPOInputFile, PGPOInputFormat, PGPOInputTARCache, PGPOIntegrityProtection, PGPOKeyContainer, PGPOKeyDBRef, PGPOKeyFeatures, PGPOKeyFlags, PGPOKeyGenFast, PGPOKeyGenMasterKey, PGPOKeyGenName, PGPOKeyGenNameU16, PGPOKeyGenNameU8, PGPOKeyGenOnToken, PGPOKeyGenParams, PGPOKeyGenUseExistingEntropy, PGPOKeyServerPreferences, PGPOLastOption, PGPOLocalEncoding, PGPONotationData, PGPONullOption, PGPOObfuscateRecipients, PGPOOmitMIMEVersion, PGPOOutputBuffer, PGPOOutputDirectory, PGPOOutputFile, PGPOOutputFormat, PGPOOutputLineEndType, PGPOOutputTARCache, PGPOOutputToken, PGPOPGPMIMEEncoding, PGPOPGPMIMEEncodingU16, PGPOPGPMIMEEncodingU8, PGPOPassThroughClearSigned, PGPOPassThroughIfUnrecognized, PGPOPassThroughKeys, PGPOPasskeyBuffer, PGPOPassphrase, PGPOPassphraseBuffer, PGPOPassphraseBufferU16, PGPOPassphraseBufferU8, PGPOPassphraseU16, PGPOPassphraseU8, PGPOPreferredAlgorithms, PGPOPreferredCompressionAlgorithms, PGPOPreferredEmailEncoding, PGPOPreferredHashAlgorithms, PGPOPreferredKeyServer, PGPOPreferredKeyServerU16, PGPOPreferredKeyServerU8, PGPORawPGPInput, PGPORecursivelyDecode, PGPORelativePath, PGPORevocationKeySet, PGPORootPath, PGPOSMIMEMatchCriterion, PGPOSMIMESigner, PGPOSendEventIfKeyFound, PGPOSendNullEvents, PGPOSessionKey, PGPOSigRegularExpression, PGPOSigRegularExpressionU16, PGPOSigRegularExpressionU8, PGPOSigTrust, PGPOSignWithKey, PGPOSignedHash, PGPOTokenNumber, PGPOVersionString, PGPOVersionStringU16, PGPOVersionStringU8, PGPOWarnBelowValidity, PGPOX509Encoding, PGPOpenKeyDBFile, PGPOpenShareFile, 
PGPOpenTARCacheFile, PGPOrderKeySet, PGPPassphraseIsValid, PGPPeekContextMemoryMgr, PGPPeekKeyDBContext, PGPPeekKeyDBObjContext, PGPPeekKeyDBObjKey, PGPPeekKeyDBObjKeyDB, PGPPeekKeyDBObjUserID, PGPPeekKeyDBRootKeySet, PGPPeekKeyIterContext, PGPPeekKeyListContext, PGPPeekKeySetContext, PGPPeekKeySetKeyDB, PGPPrivateKeyDecrypt, PGPPrivateKeySign, PGPPrivateKeySignRaw, PGPPublicKeyEncrypt, PGPPublicKeyVerifyRaw, PGPPublicKeyVerifySignature, PGPPurgeKeyDBCache, PGPPurgePassphraseCache, PGPRSAVSTest, PGPReallocData, PGPRemoveKeyOptions, PGPRenameFile, PGPRenameFileU16, PGPRenameFileU8, PGPResetHMAC, PGPResetHash, PGPResetSDKErrorState, PGPRevoke, PGPRevokeSig, PGPRunAllSDKSelfTests, PGPRunSDKSelfTest, PGPSaveGroupSetToFile, PGPSaveShareFile, PGPSecretReconstructData, PGPSecretShareData, PGPSetContextUserValue, PGPSetDefaultMemoryMgr, PGPSetGroupDescription, PGPSetGroupName, PGPSetGroupUserValue, PGPSetIndGroupItemUserValue, PGPSetKeyAxiomatic, PGPSetKeyDBObjUserValue, PGPSetKeyEnabled, PGPSetKeyTrust, PGPSetMemoryMgrCustomValue, PGPSetNotificationCallback, PGPSetPKCS11DrvFile, PGPSetPKCS11DrvFileU16, PGPSetPKCS11DrvFileU8, PGPSetPrimaryUserID, PGPSetRandSeedFile, PGPSetShareFileOwnerFingerprint, PGPSetShareFileOwnerKeyID, PGPSetShareFileUserID, PGPSetShareFileUserIDU16, PGPSetShareFileUserIDU8, PGPSetTARCacheObjDataProperty, PGPSetTARCacheObjNumericProperty, PGPSetTARCacheObjTimeProperty, PGPSortGroupItems, PGPSortGroupSet, PGPSortGroupSetStd, PGPSplitShares, PGPSwapBigNum, PGPSymmetricCipherDecrypt, PGPSymmetricCipherEncrypt, PGPSymmetricCipherRollback, PGPSyncTokenKeys, PGPTARCacheIterGetTARCacheObj, PGPTARCacheIterIndex, PGPTARCacheIterMove, PGPTARCacheIterNextTARCacheObj, PGPTARCacheIterPrevTARCacheObj, PGPTARCacheIterRewind, PGPTokenAuthIsValid, PGPTokenPassphraseIsValid, PGPUnionFilters, PGPUpdateKeyOptions, PGPValidateMemoryMgr, PGPVerifyX509CertificateChain, PGPWashSymmetricCipher, PGPWipeFile, PGPWipePatternNext, PGPWipePatternRewind, PGPWipeSymmetricCipher, 
PGPWipeToken, PGPX509MatchNetworkName, PGPsdkCleanup, PGPsdkInit, PGPsdkReconnect, PGPsdkSetLanguage, pgpAddKeyOptions_back, pgpAddUserID_back, pgpCacheKeyDB_back, pgpCertifyPrimaryUserID_back, pgpCertifyUserID_back, pgpCheckKeyRingSigs_back, pgpCheckSig_back, pgpContextGetEnvironment, pgpContextIsValid, pgpContextMemAlloc, pgpContextMemFree, pgpContextMemRealloc, pgpContextSetConnectRef, pgpCopyKeyToToken_back, pgpCopyKeys_back, pgpCountCachedPassphrases_back, pgpCountTokens_back, pgpCreateKeypair_back, pgpCreateShares, pgpCreateSubkeypair_back, pgpDeleteKeyDBObjOnToken_back, pgpDoChangePassphrase_back, pgpDoGenerateKey_back, pgpEventKeyServer, pgpEventKeyServerSign, pgpEventKeyServerTLS, pgpExpireKeyDBCache, pgpExpirePassphraseCache, pgpFetchKeyInfo_back, pgpFetchObjectData_back, pgpFingerprint20HashBuf, pgpFormatToken_back, pgpFreeKeyDB_back, pgpGetKeyByKeyID_back, pgpGetPasskeyBuffer_back, pgpGetRevocationsOrADKs_back, pgpGetShareData, pgpGetTokenInfo_back, pgpGlobalRandomPoolAddState_back, pgpGlobalRandomPoolGetInfo_back, pgpImportKeyBinary_back, pgpKeyDBAddObject_back, pgpKeyDBArray_back, pgpKeyDBFindKey20n, pgpKeyDBFlush_back, pgpKeyDBRemoveObject_back, pgpKeyDecrypt_back, pgpKeyEncrypt_back, pgpKeyMaxSizes_back, pgpKeySign_back, pgpKeyVerify_back, pgpNewKeyDB_back, pgpOpenKeyDBFile_back, pgpPassphraseCacheAddClient, pgpPassphraseCacheRemoveClient, pgpPassphraseIsValid_back, pgpPrepareToCheckKeyRingSigs_back, pgpPropagateTrust_back, pgpPurgeKeyDBCache_back, pgpPurgePassphraseCache_back, pgpRandomAddBytes_back, pgpRandomGetBytesEntropy_back, pgpRandomStir_back, pgpRevokeKey_back, pgpRevokeSig_back, pgpSaveGlobalRandomPool, pgpSecPassphraseOK_back, pgpSecProperties_back, pgpSetKeyAxiomatic_back, pgpSetKeyEnabled_back, pgpSetKeyTrust_back, pgpSetPKCS11DrvFile_back, pgpSetRandSeedFile_back, pgpSyncTokenKeys_back, pgpTokenGetKeyContainer_back, pgpTokenImportX509_back, pgpTokenPassphraseIsValid_back, pgpTokenPutKeyContainer_back, pgpUnloadTCL, pgpUpdateKeyDB_back, 
pgpUpdateKeyOptions_back, pgpWipeToken_back, pgpenvGetCString, pgpenvGetInt, pgpenvSetInt, pgpenvSetString

    ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

    4. ... enjoy :bigggrin:
    -- pgmigg
  • edited July 2008
    OTMoveIt
    Please download OTMoveIt2 by OldTimer and save it to your desktop
    • Double-click OTMoveIt2.exe to run it.
    • Copy the lines in the codebox below.
    C:\Documents and Settings\Administrator\cmanger.exe
    C:\winhet.exe
    
    • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt2


    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    Eset NOD32 Online AntiVirus

    Run Eset NOD32 Online AntiVirus
    http://www.eset.eu/online-scanner
    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  • edited July 2008
    I have two more logs:

    C:\Documents and Settings\Administrator\cmanger.exe moved successfully.
    C:\winhet.exe moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07132008_145515

    -- and --

    # version=4
    # OnlineScanner.ocx=1.0.0.56
    # OnlineScannerDLLA.dll=1, 0, 0, 51
    # OnlineScannerDLLW.dll=1, 0, 0, 51
    # OnlineScannerUninstaller.exe=1, 0, 0, 49
    # vers_standard_module=3263 (20080711)
    # vers_arch_module=1.064 (20080214)
    # vers_adv_heur_module=1.064 (20070717)
    # EOSSerial=97ce88f851d3984e82684f39fe262594
    # end=finished
    # remove_checked=false
    # unwanted_checked=true
    # utc_time=2008-07-13 08:15:03
    # local_time=2008-07-13 04:15:03 (-0500, Eastern Daylight Time)
    # country="United States"
    # osver=5.0.2195 NT Service Pack 4
    # scanned=378333
    # found=1
    # scan_time=4408
    C:\WINNT\system32\dk\lam4.exe Win32/HideWindow application D0005C64D093FE27ED12C3C509AA1120

    -- pgmigg
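A parser for the ESET Online Scanner log format pasted above (a `# key=value` header followed by one `<path> <threat name> <MD5>` line per detection), added here as an example that is not part of the thread or of ESET's tools. The sample log is constructed from the lines quoted above; the cross-check function assumes the second MD5 comes from another source such as a VirusTotal report.

```python
"""Parse an ESET Online Scanner log: a '# key=value' header followed by one
line per detection ('<path> <threat name> <MD5>'), then cross-check the
reported hash against an MD5 obtained elsewhere (e.g. a VirusTotal report).

Added example for this thread; not part of ESET's tools. The sample log is
constructed from the lines quoted in the post above."""
import re
from dataclasses import dataclass

# Constructed sample, trimmed to the fields the parser uses.
SAMPLE_LOG = "\n".join([
    "# version=4",
    "# OnlineScanner.ocx=1.0.0.56",
    "# end=finished",
    "# remove_checked=false",
    "# unwanted_checked=true",
    "# osver=5.0.2195 NT Service Pack 4",
    "# scanned=378333",
    "# found=1",
    "# scan_time=4408",
    r"C:\WINNT\system32\dk\lam4.exe Win32/HideWindow application D0005C64D093FE27ED12C3C509AA1120",
])

HEADER_RE = re.compile(r"^#\s*([^=\s]+)=(.*)$")
# A detection line ends in a 32-digit hex MD5; everything before it is
# '<path> <threat name>'. Paths may contain spaces ("Documents and Settings"),
# so the split is made after the file name, which is assumed to be space-free.
MD5_AT_END_RE = re.compile(r"\s([0-9A-Fa-f]{32})\s*$")


@dataclass
class Detection:
    path: str
    threat: str
    md5: str  # normalised to lower case


def parse_detection(line: str):
    """Return a Detection for a '<path> <threat> <MD5>' line, else None."""
    m = MD5_AT_END_RE.search(line)
    if m is None:
        return None
    rest = line[: m.start()].rstrip()
    last_sep = rest.rfind("\\")
    if last_sep < 0:
        return None
    name_end = rest.find(" ", last_sep)
    if name_end < 0:
        return None  # no threat name after the file name
    return Detection(rest[:name_end], rest[name_end + 1:].strip(), m.group(1).lower())


def parse_log(text: str):
    """Split a log into (header dict, list of Detection)."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            header[h.group(1)] = h.group(2).strip()
            continue
        det = parse_detection(line)
        if det is not None:
            detections.append(det)
    return header, detections


def consistent(header, detections) -> bool:
    """True when the scan finished and the 'found' count matches the lines parsed."""
    return header.get("end") == "finished" and header.get("found") == str(len(detections))


def matches_md5(det: Detection, md5: str) -> bool:
    """Case-insensitive comparison against a hash from another source."""
    return det.md5 == md5.strip().lower()


def still_on_disk(header) -> bool:
    """ESET leaves detections in place when 'remove_checked' is false."""
    return header.get("remove_checked", "false").lower() == "false"


if __name__ == "__main__":
    hdr, dets = parse_log(SAMPLE_LOG)
    print(f"scanned={hdr['scanned']} found={hdr['found']} consistent={consistent(hdr, dets)}")
    for d in dets:
        print(f"{d.path}\n  threat: {d.threat}\n  md5: {d.md5}  left on disk: {still_on_disk(hdr)}")
```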
  • edited July 2008
    Katana,

    I guess you will need this log also:


    File lam4.exe received on 07.14.2008 06:54:49 (CET)

    Result: 28/33 (84.85%)

    Antivirus | Version | Last Update | Result
    AhnLab-V3 | 2008.7.11.0 | 2008.07.11 | -
    AntiVir | 7.8.0.64 | 2008.07.13 | SPR/HideWindows.D
    Authentium | 5.1.0.4 | 2008.07.13 | W32/Hidestd.component
    Avast | 4.8.1195.0 | 2008.07.13 | Win32:HideWindows-B
    AVG | 7.5.0.516 | 2008.07.13 | Potentially harmful program HideExec.C
    BitDefender | 7.2 | 2008.07.14 | Virtool.HiddenRun.B
    CAT-QuickHeal | 9.50 | 2008.07.11 | RiskWare.Tool.HideWindows (Not a Virus)
    ClamAV | 0.93.1 | 2008.07.14 | Virtool.Hiddenrun.G
    DrWeb | 4.44.0.09170 | 2008.07.13 | IRC.Flood
    eSafe | 7.0.17.0 | 2008.07.13 | Suspicious File
    eTrust-Vet | 31.6.5949 | 2008.07.12 | -
    Ewido | 4.0 | 2008.07.13 | Backdoor.Hupigon.hk
    F-Prot | 4.4.4.56 | 2008.07.13 | W32/Hidestd.component
    F-Secure | 7.60.13501.0 | 2008.07.12 | RiskTool.Win32.HideWindows
    Fortinet | 3.14.0.0 | 2008.07.14 | HackerTool/HiddenRun
    GData | 2.0.7306.1023 | 2008.07.14 | Win32:HideWindows-B
    Ikarus | T3.1.1.26.0 | 2008.07.14 | not-a-virus:RiskTool.Win32.HideWindows
    Kaspersky | 7.0.0.125 | 2008.07.14 | not-a-virus:RiskTool.Win32.HideWindows
    McAfee | 5337 | 2008.07.11 | potentially unwanted program HideRun
    Microsoft | 1.3704 | 2008.07.14 | VirTool:Win32/HiddenRun.B
    NOD32v2 | 3263 | 2008.07.11 | Win32/HideWindow
    Norman | 5.80.02 | 2008.07.11 | -
    Panda | 9.0.0.4 | 2008.07.13 | Application/HideWindow.A
    Prevx1 | V2 | 2008.07.14 | Malicious Software
    Rising | 20.53.00.00 | 2008.07.14 | Hack.Hiddenrun.o
    Sophos | 4.31.0 | 2008.07.14 | HideWindow
    Sunbelt | 3.1.1536.1 | 2008.07.12 | -
    Symantec | 10 | 2008.07.14 | Hacktool.HideWindow
    TheHacker | 6.2.96.378 | 2008.07.13 | -
    TrendMicro | 8.700.0.1004 | 2008.07.14 | PAK_Generic.005
    VBA32 | 3.12.6.9 | 2008.07.13 | Win32.HLLW.MyBot.based
    VirusBuster | 4.5.11.0 | 2008.07.13 | Virtool.HideRun.B
    Webwasher-Gateway | 6.6.2 | 2008.07.13 | Riskware.HideWindows.D


    Additional information
    File size: 17408 bytes
    MD5...: d0005c64d093fe27ed12c3c509aa1120
    SHA1..: 6a25794d2b8f349edceba47d2944418d43e549a6
    SHA256: b7faf2327d985c02df85c1d593e1fb779b136862ac149e87f7e366da9acca6da
    SHA512: e79fd09a31b9c2f2414eb51d093fd11f4814b402a3959c5f79fbe6855acd3137 a6d133fad6070e4556c714dddfd39fb9c6f28d1f224d446ea1cf644b51541938
    PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
    PEInfo: PE Structure information
    ( base data )
    entrypointaddress.: 0x40e730
    timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
    machinetype.......: 0x14c (I386)
    ( 4 sections )
    name   viradd   virsiz  rawdsiz  ntrpy  md5
    UPX0   0x1000   0xa000  0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
    UPX1   0xb000   0x4000  0x3a00   7.81   71c94667568e367f8aa81112852f943a
    .rsrc  0xf000   0x1000  0x600    3.62   bc3cc9b61de8e20cea11aac882419060
    .uro   0x10000  0x7001  0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
    ( 3 imports )
    > KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
    > oleaut32.dll: VariantClear
    > user32.dll: MessageBoxA
    ( 0 exports )
    Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=01890A1600CB70B544E1005DF5F52B00D4F99F44
    packers (Kaspersky): UPX
    packers (Avast): UPX



    -- pgmigg
  • edited July 2008
    OTMoveIt
    Please download OTMoveIt2 by OldTimer and save it to your desktop
    • Double-click OTMoveIt2.exe to run it.
    • Copy the lines in the codebox below.
    C:\WINNT\system32\dk
    
    • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt2


    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



    Download and Run SR Engineer
    Please download SREng.
    • Extract it to your desktop.
    • Double click SREng.exe to run it.
    • Select Smart Scan and tick Verify Digital Signatures.
    • Click on the Scan button.
    • When finished click on the Save Reports button and save the log to your desktop.


    Please Download GMER to your desktop

    Please create a folder in the Program Files folder called GMER.

    Download GMER and extract it to the C:\program files\GMER folder you have just made.

    Run the Gmer.exe program by double-clicking the executable file gmer.exe.
    You may be prompted to scan immediately if GMER detects rootkit activity.

    If you are prompted to scan your system click "yes" to begin the scan.
    If you are not prompted, Click the "Rootkit" tab, then click "Scan".


    DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

    At the end of the scan, click "Copy" to copy the scan results to the clipboard. Save the log as Gmer.txt on your desktop



    You may need to attach the SREng log as it will probably be quite large
  • edited July 2008
    There are 3 new logs in your sequence:

    1. OTMoveIt2 log:

    C:\WINNT\system32\dk moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07142008_215817


    2. SREng.exe log:
    2008-07-14,22:22:14
    System Repair Engineer 2.6.11.992
    Smallfrogs (http://www.KZTechs.com)
    Windows 2000 Professional Service Pack 4 (Build 2195) - Administrative User - Completed Functions Allowed
    Follow item(s) have been selected:
       All Boot Items (Including Registry, Startup Folders, Services and so on)
       Browser Add-ons
       Running Processes (Including process model information)
       File Associations
       Winsock Provider
       Autorun.Inf
       HOSTS File
       Process Privileges Scan
    Boot Items
    Registry
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
       <internat.exe><internat.exe>  [(Verified)Microsoft Windows 2000 Publisher]
       <HP JetDiscovery><HPJETDSC.EXE>  [Hewlett-Packard]
       <PPWebCap><C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe>  [Scansoft Inc.]
       <SUPERAntiSpyware><C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe>  [(Verified)SuperAdBlocker.com]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
       <Synchronization Manager><mobsync.exe /logon>  [(Verified)Microsoft Windows 2000 Publisher]
       <AtiPTA><atiptaxx.exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
       <CirqueGesture><C:\Program Files\Touchpad\Gesture.exe>  [Cirque Corp.]
       <Glide><glidew32.exe>  [Cirque Corp]
       <LoadQM><loadqm.exe>  [Microsoft Corporation]
       <ShStatEXE><"C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE>  [(Verified)"McAfee, Inc."]
       <McAfeeUpdaterUI><"C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey>  [(Verified)"McAfee, Inc."]
       <SunJavaUpdateSched><"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe">  [(Verified)"Sun Microsystems, Inc."]
       <ZoneAlarm Client><"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe">  [(Verified)Check Point Software Technologies Ltd.]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
       <shell><Explorer.exe>  [(Verified)Microsoft Windows 2000 Publisher]
       <Userinit><C:\WINNT\system32\userinit.exe,>  [(Verified)Microsoft Windows 2000 Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
       <{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}><C:\Program Files\SUPERAntiSpyware\SASSEH.DLL>  [SuperAdBlocker.com]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
       <WinlogonNotify: !SASWinLogon><C:\Program Files\SUPERAntiSpyware\SASWINLO.dll>  [SUPERAntiSpyware.com]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
       <Internet Explorer Access><"C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigIE>  [File is missing]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
       <Outlook Express Access><"C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE>  [File is missing]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
       <Microsoft Windows Media Player 6.4><rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT>  [(Verified)Microsoft Windows 2000 Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
       <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
       <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows 2000 Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
       <Microsoft Windows Media Player 7><rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub>  []
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
       <Address Book 5><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
       <CRLUpdate><%SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl>  [File is missing]
    ==================================
    Startup Folders
    [Acrobat Assistant]
     <C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Acrobat Assistant.lnk --> C:\PROGRA~1\Adobe\ACROBA~2.0\Distillr\acrotray.exe [Adobe Systems Inc.]><N>
    [CAMEDIA Master]
     <C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\CAMEDIA Master.lnk --> C:\PROGRA~1\OLYMPUS\CAMEDI~1.2\CM_CAM~1.EXE [OLYMPUS CORPORATION]><N>
    [EPSON Status Monitor 3 Environment Check]
     <C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check.lnk --> C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [SEIKO EPSON CORPORATION]><N>
    [Microsoft Office]
     <C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Microsoft Office.lnk --> C:\PROGRA~1\MICROS~2\Office\OSA9.EXE [Microsoft Corporation]><N>
    ==================================
    Services
    [Ati HotKey Poller / Ati HotKey Poller][Stopped/Auto Start]
     <C:\WINNT\System32\Ati2evxx.exe><>
    [Cisco Systems, Inc. VPN Service / CVPND][Stopped/Manual Start]
     <"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"><Cisco Systems, Inc.>
    [Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
     <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
    [Google Updater Service / gusvc][Stopped/Manual Start]
     <"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"><Google>
    [Shiva VPN Client / ICService][Running/Auto Start]
     <C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe><N/A>
    [iPod Service / iPodService][Stopped/Manual Start]
     <C:\Program Files\iPod\bin\iPodService.exe><Apple Computer, Inc.>
    [McAfee Framework Service / McAfeeFramework][Running/Auto Start]
     <"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart><McAfee, Inc.>
    [McAfee McShield / McShield][Running/Auto Start]
     <"C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe"><McAfee, Inc.>
    [McAfee Task Manager / McTaskManager][Running/Auto Start]
     <"C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe"><McAfee, Inc.>
    [Norton SpeedDisk / Norton SpeedDisk][Running/Auto Start]
     <C:\PROGRA~1\NORTON~1\System\SDSRV.EXE><>
    [TrcBoot / TrcBoot][Running/Auto Start]
     <C:\WINNT\System32\drivers\trcboot.exe><N/A>
    [TrueVector Internet Monitor / vsmon][Running/Auto Start]
     <C:\WINNT\system32\ZoneLabs\vsmon.exe -service><Zone Labs, LLC>
    [WMDM PMSP Service / WMDM PMSP Service][Running/Auto Start]
     <C:\WINNT\System32\mspmspsv.exe><Microsoft Corporation>
    ==================================
    Drivers
    [Diamond S100 Audio Driver (WDM) / allegro][Running/Manual Start]
     <system32\drivers\es198x.sys><Diamond S100>
    [Avance Wave Audio Miniport Driver (WDM) / als4k][Stopped/Manual Start]
     <system32\drivers\als4000.sys><Avance Logic Inc.>
    [Gameport for ALS4000 (WDM) / alsgame][Stopped/Manual Start]
     <system32\drivers\alsgame.sys><>
    [ati2mtaa / ati2mtaa][Running/Manual Start]
     <System32\DRIVERS\ati2mtaa.sys><ATI Technologies Inc.>
    [ATI WDM RageTheater Video Capture / atinrvxx][Running/Manual Start]
     <System32\DRIVERS\atinrvxx.sys><>
    [WebGear Wireless PCMCIA Network Adapter Driver / AviatorPro][Stopped/Manual Start]
     <System32\DRIVERS\webdrv2.sys><WebGear Inc.>
    [Software Cinemaster NT4.0 Driver / CINEMSUP][Running/Auto Start]
     <\SystemRoot\SYSTEM32\DRIVERS\CINEMSUP.SYS><Divicore Inc.>
    [Cisco Systems VPN Adapter / CVirtA][Stopped/Manual Start]
     <system32\DRIVERS\CVirtA.sys><Cisco Systems, Inc.>
    [Cisco Systems IPsec Driver / CVPNDRVA][Running/Auto Start]
     <\??\C:\WINNT\system32\Drivers\CVPNDRVA.sys><Cisco Systems, Inc.>
    [dmboot / dmboot][Stopped/Disabled]
     <System32\drivers\dmboot.sys><VERITAS Software Corp.>
    [Logical Disk Manager Driver / dmio][Running/Boot Start]
     <\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
    [dmload / dmload][Running/Boot Start]
     <\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
    [Deterministic Network Enhancer Miniport / DNE][Running/Manual Start]
     <system32\DRIVERS\dne2000.sys><Deterministic Networks, Inc.>
    [GEAR CDRom Filter / GEARAspiWDM][Running/Manual Start]
     <SYSTEM32\DRIVERS\GEARAspiWDM.sys><GEAR Software Inc.>
    [GlidePoint Mouseclass Service / glidesvc][Running/Manual Start]
     <System32\DRIVERS\glidesvc.sys><Cirque Corp.>
    [GlidePoint PS2 Touchpad Service / gpmoups2][Running/Manual Start]
     <System32\DRIVERS\gpmoups2.sys><Cirque Corp.>
    [GlidePoint Serial Touchpad Service / gpmouser][Stopped/Manual Start]
     <System32\DRIVERS\gpmouser.sys><Cirque Corp.>
    [VPN Client Protocol / ICsrvr][Running/System Start]
     <System32\DRIVERS\ICsrvr.sys><>
    [VPN Client TDI Driver / ICtdi][Running/System Start]
     <System32\DRIVERS\ictdi.sys><>
    [VPN Client Virtual Adapter / ICvnic][Running/Manual Start]
     <System32\DRIVERS\ICvnic.sys><>
    [KLOGNT / KLOGNT][Running/Manual Start]
     <\SystemRoot\System32\drivers\klognt.sys><N/A>
    [McAfee Inc. / mfeapfk][Running/Manual Start]
     <system32\drivers\mfeapfk.sys><McAfee, Inc.>
    [McAfee Inc. / mfeavfk][Running/Manual Start]
     <system32\drivers\mfeavfk.sys><McAfee, Inc.>
    [McAfee Inc. / mfebopk][Running/Manual Start]
     <system32\drivers\mfebopk.sys><McAfee, Inc.>
    [McAfee Inc. / mfehidk][Running/Manual Start]
     <system32\drivers\mfehidk.sys><McAfee, Inc.>
    [VSCore mferkdk / mferkdk][Running/System Start]
     <\??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys><McAfee, Inc.>
    [McAfee Inc. / mfetdik][Running/System Start]
     <system32\drivers\mfetdik.sys><McAfee, Inc.>
    [NsTrcNT / NsTrcNT][Running/Auto Start]
     <\SystemRoot\System32\drivers\nstrcnt.sys><N/A>
    [3270 Coax Driver / pcscoax][Running/Auto Start]
     <\SystemRoot\System32\drivers\pcscoax.sys><N/A>
    [Direct Parallel Link Driver / Ptilink][Running/Manual Start]
     <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
    [PxHelp20 / PxHelp20][Running/Boot Start]
     <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
    [Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
     <System32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
    [SASDIFSV / SASDIFSV][Running/System Start]
     <\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS><SUPERAdBlocker.com and SUPERAntiSpyware.com>
    [SASENUM / SASENUM][Running/Manual Start]
     <\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS><SuperAdBlocker, Inc.>
    [SASKUTIL / SASKUTIL][Running/System Start]
     <\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys><SUPERAdBlocker.com and SUPERAntiSpyware.com>
    [srescan / srescan][Running/Boot Start]
     <\SystemRoot\system32\ZoneLabs\srescan.sys><Zone Labs, LLC>
    [vsdatant / vsdatant][Running/System Start]
     <System32\vsdatant.sys><Zone Labs, LLC>
    ==================================
    Browser Add-ons
    [SSVHelper Class]
     {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll, Sun Microsystems, Inc.>
    [scriptproxy]
     {7DB2D5A0-7241-4E79-B68D-6309F01C5231} <C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll, McAfee, Inc.>
    [Google Toolbar Helper]
     {AA58ED58-01DD-4d91-8333-CF10577473F7} <c:\program files\google\googletoolbar1.dll, Google Inc.>
    [AcroIEToolbarHelper Class]
     {AE7CD045-E861-484f-8273-0445EE161910} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
    [Java Plug-in 1.6.0_07]
     {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll, Sun Microsystems, Inc.>
    [&Research]
     {92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL, Microsoft Corporation>
    [PartyPoker.com]
     {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} <, N/A>
    [Adobe PDF]
     {47833539-D0C5-4125-9FA8-0819E2EAAC93} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
    [&Radio]
     {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, >
    [&Google]
     {2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar1.dll, Google Inc.>
    [OnlineScanner Control]
     {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} <C:\WINNT\system32\ONLINE~1.OCX, Eset>
    [Java Plug-in 1.6.0_07]
     {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll, Sun Microsystems, Inc.>
    [Java Plug-in 1.6.0_07]
     {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll, Sun Microsystems, Inc.>
    [Java Plug-in 1.6.0_07]
     {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll, Sun Microsystems, Inc.>
    [E&xport to Microsoft Excel]
     <res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>
    ==================================
    Running Processes
    [PID: 152][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.00.2195.6601]
    [PID: 176][\??\C:\WINNT\system32\csrss.exe]  [Microsoft Corporation, 5.00.2195.6601]
    [PID: 172][\??\C:\WINNT\system32\winlogon.exe]  [Microsoft Corporation, 5.00.2195.6997]
       [C:\Program Files\SUPERAntiSpyware\SASWINLO.dll]  [SUPERAntiSpyware.com, 1, 0, 0, 1046]
    [PID: 224][C:\WINNT\system32\services.exe]  [Microsoft Corporation, 5.00.2195.7035]
       [C:\WINNT\system32\dmserver.dll]  [VERITAS Software Corp., 2195.6605.297.3]
    [PID: 236][C:\WINNT\system32\lsass.exe]  [Microsoft Corporation, 5.00.2195.7011]
    [PID: 384][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
    [PID: 536][C:\WINNT\system32\spoolsv.exe]  [Microsoft Corporation, 5.00.2195.7059]
       [C:\WINNT\system32\E_SL2003.DLL]  [SEIKO EPSON CORPORATION, 2, 0, 0, 0]
       [C:\WINNT\system32\hplocmon.dll]  [Hewlett-Packard, 03.42.00]
       [C:\WINNT\system32\HPCOLA.dll]  [Hewlett-Packard, 03.42.00]
       [C:\WINNT\system32\HPNWSHIM.dll]  [Hewlett-Packard, 03.42.00]
       [C:\WINNT\system32\HPNWPSRV.dll]  [Hewlett-Packard, 03.42.00]
    [PID: 588][C:\WINNT\System32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
    [PID: 612][C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe]  [N/A, ]
    [PID: 640][C:\Program Files\McAfee\Common Framework\FrameworkService.exe]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\nailog.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
       [C:\Program Files\McAfee\Common Framework\naXML71.dll]  [N/A, ]
       [C:\Program Files\McAfee\Common Framework\NaiSign.DLL]  [N/A, ]
       [C:\WINNT\system32\epoPGPSDK.dll]  [PGP Corporation, 3.5.3]
       [C:\Program Files\McAfee\Common Framework\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
       [C:\Program Files\McAfee\Common Framework\naCmnLib71.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\applib.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\0409\AgentRes.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\Logging.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\InternetManager.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\naInet.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\UserSpace.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\SecureFrameworkFactory.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\Management.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\cmalib.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\naPolicyManager.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\ScriptSubSys.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\UpdateSubSys.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\Scheduler.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\TCSubSys.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\GenEvtInf.dll]  [McAfee, Inc., 3.6.0.453]
    [PID: 756][C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe]  [McAfee, Inc., VSCORE.13.3.1.100.x86]
       [C:\Program Files\McAfee\VirusScan Enterprise\LockDown.dll]  [McAfee, Inc., VSCORE.13.3.1.100.x86]
       [C:\Program Files\McAfee\VirusScan Enterprise\mytilus.dll]  [McAfee, Inc., VSCORE.13.3.1.100.x86]
       [C:\Program Files\McAfee\VirusScan Enterprise\mytilus2.dll]  [McAfee, Inc., VSCORE.13.3.1.100.x86]
       [C:\Program Files\McAfee\VirusScan Enterprise\RES0900\McShield.dll]  [McAfee, Inc., VSCORE.13.3.1.100]
       [C:\Program Files\McAfee\VirusScan Enterprise\FTL.Dll]  [McAfee, Inc., VSCORE.13.3.1.100.x86]
       [C:\Program Files\McAfee\VirusScan Enterprise\naiann.dll]  [McAfee, Inc., 8.5.0.781]
       [C:\Program Files\McAfee\VirusScan Enterprise\VsEvntUI.dll]  [N/A, ]
       [C:\Program Files\McAfee\VirusScan Enterprise\NAEvent.dll]  [McAfee, Inc., VSCORE.13.3.1.100.x86]
       [C:\Program Files\McAfee\VirusScan Enterprise\shutil.dll]  [McAfee, Inc., 8.5.0.781]
       [C:\Program Files\McAfee\VirusScan Enterprise\wmain.dll]  [McAfee, Inc., 8.5.0.781]
       [C:\Program Files\McAfee\Common Framework\GenEvtInf.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
       [C:\Program Files\McAfee\Common Framework\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
       [C:\Program Files\McAfee\Common Framework\SecureFrameworkFactory.dll]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\VirusScan Enterprise\scriptsv.dll]  [McAfee, Inc., VSCORE.13.3.1.100.x86]
       [C:\Program Files\McAfee\VirusScan Enterprise\mfebopa.dll]  [McAfee, Inc., SYSCORE.13.3.0.116.x86]
       [C:\Program Files\McAfee\VirusScan Enterprise\mfehida.dll]  [McAfee, Inc., SYSCORE.13.3.0.116.x86]
       [C:\Program Files\McAfee\VirusScan Enterprise\mfeapfa.dll]  [McAfee, Inc., SYSCORE.13.3.0.116.x86]
       [C:\Program Files\McAfee\VirusScan Enterprise\mfeavfa.dll]  [McAfee, Inc., SYSCORE.13.3.0.116.x86]
       [C:\Program Files\Common Files\McAfee\Engine\mcscan32.dll]  [McAfee, Inc., 5.2.00]
    [PID: 788][C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe]  [McAfee, Inc., 8.5.0.781]
       [C:\Program Files\McAfee\VirusScan Enterprise\LockDown.dll]  [McAfee, Inc., VSCORE.13.3.1.100.x86]
       [C:\Program Files\McAfee\VirusScan Enterprise\mytilus2.dll]  [McAfee, Inc., VSCORE.13.3.1.100.x86]
       [C:\Program Files\McAfee\VirusScan Enterprise\mytilus.dll]  [McAfee, Inc., VSCORE.13.3.1.100.x86]
       [C:\Program Files\McAfee\VirusScan Enterprise\shutil.dll]  [McAfee, Inc., 8.5.0.781]
       [C:\Program Files\McAfee\VirusScan Enterprise\wmain.dll]  [McAfee, Inc., 8.5.0.781]
       [C:\Program Files\McAfee\VirusScan Enterprise\condl.dll]  [McAfee, Inc., 8.5.0.781]
       [C:\Program Files\McAfee\VirusScan Enterprise\RES0900\McShield.dll]  [McAfee, Inc., VSCORE.13.3.1.100]
       [C:\Program Files\McAfee\VirusScan Enterprise\MIDUtil.Dll]  [McAfee, Inc., 8.5.0.148]
       [C:\Program Files\McAfee\VirusScan Enterprise\BBCpl.dll]  [McAfee, Inc., 8.5.0.781]
       [C:\Program Files\McAfee\VirusScan Enterprise\coptcpl.dll]  [McAfee, Inc., 8.5.0.781]
       [C:\Program Files\McAfee\VirusScan Enterprise\EmCfgCpl.dll]  [McAfee, Inc., 8.5.0.781]
       [C:\Program Files\McAfee\VirusScan Enterprise\nvpcpl.dll]  [McAfee, Inc., 8.5.0.781]
       [C:\Program Files\McAfee\VirusScan Enterprise\ftcfg.dll]  [McAfee, Inc., 8.5.0.781]
       [C:\Program Files\McAfee\VirusScan Enterprise\OASCpl.dll]  [McAfee, Inc., 8.5.0.781]
       [C:\Program Files\McAfee\VirusScan Enterprise\QuarCpl.dll]  [McAfee, Inc., 8.5.0.781]
       [C:\Program Files\McAfee\VirusScan Enterprise\vsodscpl.dll]  [McAfee, Inc., 8.5.0.781]
       [C:\Program Files\McAfee\VirusScan Enterprise\VsEvntUI.dll]  [N/A, ]
       [C:\Program Files\McAfee\VirusScan Enterprise\NAEvent.dll]  [McAfee, Inc., VSCORE.13.3.1.100.x86]
       [C:\Program Files\McAfee\VirusScan Enterprise\ftl.dll]  [McAfee, Inc., VSCORE.13.3.1.100.x86]
       [C:\Program Files\McAfee\VirusScan Enterprise\vsupdcpl.dll]  [McAfee, Inc., 8.5.0.781]
    [PID: 848][C:\PROGRA~1\NORTON~1\System\SDSRV.EXE]  [, 1, 0, 0, 1]
       [C:\PROGRA~1\NORTON~1\System\MFCEXT.DLL]  [, 1, 0, 0, 1]
       [C:\PROGRA~1\NORTON~1\System\SDDATA.DLL]  [, 1, 0, 0, 1]
       [C:\PROGRA~1\NORTON~1\System\SDOBJS.DLL]  [, 1, 0, 0, 1]
       [C:\PROGRA~1\NORTON~1\System\SRVEXT.DLL]  [, 1, 0, 0, 1]
    [PID: 868][C:\Program Files\McAfee\Common Framework\naPrdMgr.exe]  [McAfee, Inc., 3.6.0.453]
       [C:\Program Files\McAfee\Common Framework\NaiSign.DLL]  [N/A, ]
       [C:\WINNT\system32\epoPGPSDK.dll]  [PGP Corporation, 3.5.3]
       [C:\Program Files\McAfee\Common Framework\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [B]   [C:\Program Files\McAfee\Common Framework\naXML71.dll]  [N/A, ][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\nailog.dll]  [McAfee, Inc., 3.6.0.453][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\naCmnLib71.dll]  [McAfee, Inc., 3.6.0.453][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\applib.dll]  [McAfee, Inc., 3.6.0.453][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\0409\AgentRes.dll]  [McAfee, Inc., 3.6.0.453][/B]
    [B]   [C:\Program Files\McAfee\VirusScan Enterprise\VsPlugin.dll]  [McAfee, Inc., 8.5.0.781][/B]
    [B][PID: 972][C:\WINNT\system32\regsvc.exe]  [Microsoft Corporation, 5.00.2195.6701][/B]
    [B][PID: 1004][C:\WINNT\system32\stisvc.exe]  [Microsoft Corporation, 5.00.2195.6656][/B]
    [B][PID: 1032][C:\WINNT\System32\drivers\trcboot.exe]  [N/A, ][/B]
    [B][PID: 1064][C:\WINNT\System32\WBEM\WinMgmt.exe]  [Microsoft Corporation, 1.50.1085.0100][/B]
    [B][PID: 1080][C:\WINNT\System32\mspmspsv.exe]  [Microsoft Corporation, 7.00.00.1956][/B]
    [B][PID: 1092][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1][/B]
    [B][PID: 1132][C:\Program Files\Personal Communications\PCS_AGNT.EXE]  [IBM Corporation, 4.3][/B]
    [B]   [C:\Program Files\Personal Communications\DEFSECUR.DLL]  [N/A, ][/B]
    [B]   [C:\Program Files\Personal Communications\MILLUTIL.DLL]  [IBM Corporation, 4.3][/B]
    [B]   [C:\Program Files\Personal Communications\PCSW32X.dll]  [N/A, ][/B]
    [B]   [C:\Program Files\Personal Communications\PCSWLIB.dll]  [N/A, ][/B]
    [B]   [C:\Program Files\Personal Communications\PCSWLIBI.dll]  [N/A, ][/B]
    [B]   [C:\Program Files\Personal Communications\NODEINIT.DLL]  [IBM Corporation, 4.3][/B]
    [B]   [C:\WINNT\system32\NSTRC.dll]  [IBM Corporation, 2.0.0.0][/B]
    [B]   [C:\Program Files\Personal Communications\SPELLING.DLL]  [IBM Corporation, 4.3][/B]
    [B]   [C:\WINNT\system32\FMT_UTIL.dll]  [IBM Corporation, 2.0.0.0][/B]
    [B]   [C:\Program Files\Personal Communications\PCSCAPI.dll]  [IBM Corporation, 1.0][/B]
    [B]   [C:\Program Files\Personal Communications\OOCSVCS2.dll]  [N/A, ][/B]
    [B]   [C:\Program Files\Personal Communications\MESSAGE.DLL]  [IBM Corporation, 1.0][/B]
    [B]   [C:\Program Files\Personal Communications\MSGIO.dll]  [IBM Corporation, 1.0][/B]
    [B][PID: 340][C:\WINNT\Explorer.EXE]  [Microsoft Corporation, 5.00.3700.6690][/B]
    [B]   [C:\WINNT\system32\msimtf.dll]  [Microsoft Corporation, 1.00.2409.7 built by: Lab06_N][/B]
    [B]   [C:\WINNT\system32\MSCTF.dll]  [Microsoft Corporation, 1.00.2409.7 built by: Lab06_N][/B]
    [B]   [C:\WINNT\system32\GLIDEAPI.dll]  [Cirque Corporation, 2.00][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\JrMac.dll]  [McAfee, Inc., 1.0.0.125][/B]
    [B]   [C:\Program Files\SUPERAntiSpyware\SASSEH.DLL]  [SuperAdBlocker.com, 1, 0, 0, 1012][/B]
    [B]   [C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll]  [McAfee, Inc., VSCORE.13.3.1.100.x86][/B]
    [B][PID: 1540][C:\WINNT\system32\atiptaxx.exe]  [ATI Technologies, Inc., 4.12.2461][/B]
    [B]   [c:\winnt\system32\atrptaxx.enu]  [ATI Technologies, Inc., 4.12.2461][/B]
    [B]   [C:\WINNT\system32\atipdsxx.dll]  [ATI Technologies, Inc., 4.12.2461][/B]
    [B]   [C:\WINNT\system32\GLIDEAPI.dll]  [Cirque Corporation, 2.00][/B]
    [B][PID: 1548][C:\Program Files\Touchpad\Gesture.exe]  [Cirque Corp., 2.00][/B]
    [B]   [C:\Program Files\Touchpad\TOUCHPAD.dll]  [Cirque Corporation, 2, 0, 0, 0][/B]
    [B]   [C:\Program Files\Touchpad\ARTRECSM.dll]  [N/A, ][/B]
    [B]   [C:\WINNT\system32\GLIDEAPI.dll]  [Cirque Corporation, 2.00][/B]
    [B][PID: 1556][C:\WINNT\system32\glidew32.exe]  [Cirque Corp, 2.0.0][/B]
    [B]   [C:\WINNT\system32\GLIDEAPI.dll]  [Cirque Corporation, 2.00][/B]
    [B][PID: 1576][C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE]  [McAfee, Inc., 8.5.0.781][/B]
    [B]   [C:\Program Files\McAfee\VirusScan Enterprise\LockDown.dll]  [McAfee, Inc., VSCORE.13.3.1.100.x86][/B]
    [B]   [C:\Program Files\McAfee\VirusScan Enterprise\ftcfg.dll]  [McAfee, Inc., 8.5.0.781][/B]
    [B]   [C:\Program Files\McAfee\VirusScan Enterprise\mytilus2.dll]  [McAfee, Inc., VSCORE.13.3.1.100.x86][/B]
    [B]   [C:\Program Files\McAfee\VirusScan Enterprise\mytilus.dll]  [McAfee, Inc., VSCORE.13.3.1.100.x86][/B]
    [B]   [C:\Program Files\McAfee\VirusScan Enterprise\wmain.dll]  [McAfee, Inc., 8.5.0.781][/B]
    [B]   [C:\Program Files\McAfee\VirusScan Enterprise\shutil.dll]  [McAfee, Inc., 8.5.0.781][/B]
    [B]   [C:\Program Files\McAfee\VirusScan Enterprise\RES0900\McShield.dll]  [McAfee, Inc., VSCORE.13.3.1.100][/B]
    [B]   [C:\Program Files\McAfee\VirusScan Enterprise\Graphics.dll]  [McAfee, Inc., 8.5.0.781][/B]
    [B]   [C:\WINNT\system32\GLIDEAPI.dll]  [Cirque Corporation, 2.00][/B]
    [B][PID: 1592][C:\Program Files\McAfee\Common Framework\UdaterUI.exe]  [McAfee, Inc., 3.6.0.453][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\nailog.dll]  [McAfee, Inc., 3.6.0.453][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\naCmnLib71.dll]  [McAfee, Inc., 3.6.0.453][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\naXML71.dll]  [N/A, ][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\NaiSign.DLL]  [N/A, ][/B]
    [B]   [C:\WINNT\system32\epoPGPSDK.dll]  [PGP Corporation, 3.5.3][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\applib.dll]  [McAfee, Inc., 3.6.0.453][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\cmalib.dll]  [McAfee, Inc., 3.6.0.453][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\0409\UpdRes.dll]  [McAfee, Inc., 3.6.0.453][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\0409\AgentRes.dll]  [McAfee, Inc., 3.6.0.453][/B]
    [B]   [C:\WINNT\system32\GLIDEAPI.dll]  [Cirque Corporation, 2.00][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\SecureFrameworkFactory.dll]  [McAfee, Inc., 3.6.0.453][/B]
    [B][PID: 1620][C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe]  [Sun Microsystems, Inc., 6.0.70.6][/B]
    [B]   [C:\WINNT\system32\GLIDEAPI.dll]  [Cirque Corporation, 2.00][/B]
    [B][PID: 892][C:\Program Files\McAfee\Common Framework\McTray.exe]  [McAfee, Inc., 1.0.0.125][/B]
    [B]   [C:\Program Files\McAfee\Common Framework\JrMac.dll]  [McAfee, Inc., 1.0.0.125][/B]
    [B]   [C:\WINNT\system32\GLIDEAPI.dll]  [Cirque Corporation, 2.00][/B]
    [B][PID: 816][C:\WINNT\system32\internat.exe]  [Microsoft Corporation, 5.00.2920.0000][/B]
    [B]   [C:\WINNT\system32\GLIDEAPI.dll]  [Cirque Corporation, 2.00][/B]
    [B][PID: 1688][C:\WINNT\system32\HPJETDSC.EXE]  [Hewlett-Packard, 03.42.00][/B]
    [B]   [C:\WINNT\system32\GLIDEAPI.dll]  [Cirque Corporation, 2.00][/B]
    [B][PID: 1564][C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe]  [Scansoft Inc., 6.5][/B]
    [B]   [C:\PROGRA~1\ScanSoft\PAPERP~1\Ppwebcph.dll]  [Scansoft Inc., 6.5][/B]
    [B]   [C:\WINNT\system32\GLIDEAPI.dll]  [Cirque Corporation, 2.00][/B]
    [B][PID: 1680][C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe]  [SUPERAntiSpyware.com, 4, 15, 0, 1000][/B]
    [B]   [C:\Program Files\SUPERAntiSpyware\deupx.dll]  [SuperAntiSpyware.com, 1, 0, 0, 2][/B]
    [B]   [C:\WINNT\system32\GLIDEAPI.dll]  [Cirque Corporation, 2.00][/B]
    [B]   [C:\WINNT\system32\msimtf.dll]  [Microsoft Corporation, 1.00.2409.7 built by: Lab06_N][/B]
    [B]   [C:\WINNT\system32\MSCTF.dll]  [Microsoft Corporation, 1.00.2409.7 built by: Lab06_N][/B]
    [B]   [C:\Program Files\SUPERAntiSpyware\SASSEH.DLL]  [SuperAdBlocker.com, 1, 0, 0, 1012][/B]
    [B][PID: 1720][C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe]  [Adobe Systems Inc., 6.0.0.2003051500][/B]
    [B]   [C:\WINNT\system32\GLIDEAPI.dll]  [Cirque Corporation, 2.00][/B]
    [B][PID: 1728][C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe]  [OLYMPUS CORPORATION, 4, 2, 0, 0][/B]
    [B]   [C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\olyuictl.dll]  [OLYMPUS CORPORATION, 4, 2, 0, 5][/B]
    [B]   [C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\olylwapi.dll]  [OLYMPUS CORPORATION, 4, 2, 0, 5][/B]
    [B]   [C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\OlyGloss.dll]  [OLYMPUS CORPORATION, 4, 2, 0, 5][/B]
    [B]   [C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\MFC42.DLL]  [Microsoft Corporation, 6.00.8665.0][/B]
    [B]   [C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\olyuidrw.dll]  [OLYMPUS CORPORATION, 4, 2, 0, 5][/B]
    [B]   [C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\Plugins\Olcamapi.dll]  [OLYMPUS OPTICAL CO.,LTD. , 2, 0, 0, 0][/B]
    [B]   [C:\WINNT\system32\GLIDEAPI.dll]  [Cirque Corporation, 2.00][/B]
    [B][PID: 884][C:\Documents and Settings\Administrator\Desktop\SREngLdr.EXE]  [Smallfrogs Studio, 2.6.11.992][/B]
    [B][PID: 1304][C:\Documents and Settings\Administrator\Desktop\SRE12f5299.EXE]  [Smallfrogs Studio, 2.6.11.992][/B]
    [B]   [C:\WINNT\system32\GLIDEAPI.dll]  [Cirque Corporation, 2.00][/B]
    [B]   [C:\Documents and Settings\Administrator\Desktop\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15][/B]
    [B]==================================[/B]
    [B]File Associations[/B]
    [B].TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1][/B]
    [B].EXE  OK. ["%1" %*][/B]
    [B].COM  OK. ["%1" %*][/B]
    [B].PIF  OK. ["%1" %*][/B]
    [B].REG  OK. [regedit.exe "%1"][/B]
    [B].BAT  OK. ["%1" %*][/B]
    [B].SCR  OK. ["%1" /S][/B]
    [B].CHM  OK. ["C:\WINNT\hh.exe" %1][/B]
    [B].HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1][/B]
    [B].INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1][/B]
    [B].INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1][/B]
    [B].VBS  Error. [C:\WINNT\System32\WScript.exe "%1" %*][/B]
    [B].JS   Error. [C:\WINNT\System32\WScript.exe "%1" %*][/B]
    [B].LNK  OK. [{00021401-0000-0000-C000-000000000046}][/B]
    [B]==================================[/B]
    [B]Winsock Provider[/B]
    [B]N/A[/B]
    [B]==================================[/B]
    [B]Autorun.Inf[/B]
    [B]N/A[/B]
    [B]==================================[/B]
    [B]HOSTS File[/B]
    [B]127.0.0.1 localhost[/B]
    [B]==================================[/B]
    [B]Process Privileges Scan[/B]
    [B]Special Privileges Enabled: SeLoadDriverPrivilege [PID = 612, C:\PROGRAM FILES\SHIVA\SHIVA VPN CLIENT\ICSRV.EXE][/B]
    [B]Special Privileges Enabled: SeLoadDriverPrivilege [PID = 848, C:\PROGRA~1\NORTON~1\SYSTEM\SDSRV.EXE][/B]
    [B]Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1032, C:\WINNT\SYSTEM32\DRIVERS\TRCBOOT.EXE][/B]
    [B]Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1080, C:\WINNT\SYSTEM32\MSPMSPSV.EXE][/B]
    [B]Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1132, C:\PROGRAM FILES\PERSONAL COMMUNICATIONS\PCS_AGNT.EXE][/B]
    [B]Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1548, C:\PROGRAM FILES\TOUCHPAD\GESTURE.EXE][/B]
    [B]Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1556, C:\WINNT\SYSTEM32\GLIDEW32.EXE][/B]
    [B]Special Privileges Enabled: SeLoadDriverPrivilege [PID = 892, C:\PROGRAM FILES\MCAFEE\COMMON FRAMEWORK\MCTRAY.EXE][/B]
    [B]Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1688, C:\WINNT\SYSTEM32\HPJETDSC.EXE][/B]
    [B]Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1564, C:\PROGRA~1\SCANSOFT\PAPERP~1\PPWEBCAP.EXE][/B]
    [B]Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1720, C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\DISTILLR\ACROTRAY.EXE][/B]
    [B]Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1728, C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE][/B]
    [B]Special Privileges Enabled: SeLoadDriverPrivilege [PID = 884, C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\SRENGLDR.EXE][/B]
    [B]==================================[/B]
    [B]API HOOK[/B]
    [B]N/A[/B]
    [B]==================================[/B]
    [B]Hidden Process[/B]
    [B]N/A[/B]
    [B]==================================[/B]
     
    

    -- pgmigg
  • edited July 2008
    And finally,

    3. GMER log:

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-07-14 23:14:26
    Windows 5.0.2195 Service Pack 4

    ---- System - GMER 1.0.14 ----

    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xBDC07040]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xBDC03930]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xBDC0EA80]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xBDC07510]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xBDC0D870]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xBDC10FD0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xBDC07600]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xBDC03F20]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xBDC0F6E0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xBDC0F440]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xBDC0D580]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xBDC0F8B0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xBDC03D70]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xBDC0D350]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xBDC0D150]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xBDC0FCB0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xBDC06C00]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xBDC10080]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xBDC07220]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xBDC04120]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xBDC0F140]
    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xBDB1BF20]

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xBAFC82C7]

    ---- Kernel code sections - GMER 1.0.14 ----

    PAGE ntoskrnl.exe!ZwOpenKey 805133F2 5 Bytes JMP BAFC82CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    ? srescan.sys The system cannot find the file specified. !

    ---- Kernel IAT/EAT - GMER 1.0.14 ----

    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BDC0BCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BDC0BE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BDC0C1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BDC0C320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BDC0BCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BDC0C1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BDC0C320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BDC0BE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BDC0BCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BDC0C320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BDC0C1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\nbf.sys[NDIS.SYS!NdisCloseAdapter] [BDC0C320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\nbf.sys[NDIS.SYS!NdisOpenAdapter] [BDC0C1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\nbf.sys[NDIS.SYS!NdisDeregisterProtocol] [BDC0BE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\nbf.sys[NDIS.SYS!NdisRegisterProtocol] [BDC0BCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [BDC19330] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [BDC04670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [BDC045C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [BDC04770] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [BDC042D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

    ---- User IAT/EAT - GMER 1.0.14 ----

    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    [FONT=Arial]IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)[/FONT]
    [FONT=Arial]IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)[/FONT]
    [FONT=Arial]IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)[/FONT]
    [FONT=Arial]IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)[/FONT]
    [FONT=Arial]IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)[/FONT]
    [FONT=Arial]IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)[/FONT]
    [FONT=Arial]IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)[/FONT]
    [FONT=Arial]IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)[/FONT]
    [FONT=Arial]IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\netapi32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)[/FONT]
    [FONT=Arial]IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\netapi32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)[/FONT]
    [FONT=Arial]IAT C:\WINNT\Explorer.EXE[340] @ C:\WINNT\system32\netapi32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)[/FONT]
     
    [FONT=Arial]---- Devices - GMER 1.0.14 ----[/FONT]
     
    [FONT=Arial]AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)[/FONT]
     
    [FONT=Arial]Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)[/FONT]
     
    [FONT=Arial]AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)[/FONT]
     
    [FONT=Arial]Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)[/FONT]
     
    [FONT=Arial]AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)[/FONT]
     
    [FONT=Arial]Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)[/FONT]
     
    [FONT=Arial]AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)[/FONT]
     
    [FONT=Arial]Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)[/FONT]
     
    [FONT=Arial]AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)[/FONT]
     
    [FONT=Arial]Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)[/FONT]
     
    [FONT=Arial]AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)[/FONT]
     
    [FONT=Arial]---- EOF - GMER 1.0.14 ----[/FONT]
    


    -- pgmigg
  • edited July 2008
    Well, all looks well there.
    Are there any symptoms now ?

    Please post a fresh HJT log in your reply
  • edited July 2008
    Thank you, Katana!

    Here is my final HJT log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:01:55 AM, on 7/15/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\PROGRA~1\NORTON~1\System\SDSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\drivers\trcboot.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Personal Communications\PCS_AGNT.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\atiptaxx.exe
    C:\Program Files\Touchpad\Gesture.exe
    C:\WINNT\system32\glidew32.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\HPJETDSC.EXE
    C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbcnews.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [CirqueGesture] C:\Program Files\Touchpad\Gesture.exe
    O4 - HKLM\..\Run: [Glide] glidew32.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINNT\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINNT\system32\shdocvw.dll
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
    O17 - HKLM\System\CCS\Services\Tcpip\..\{89F6D34A-793E-4EE6-950E-31FB2C0FA477}: NameServer = 167.206.112.4,167.206.112.138
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Shiva VPN Client (ICService) - Unknown owner - C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Norton SpeedDisk - Unknown owner - C:\PROGRA~1\NORTON~1\System\SDSRV.EXE
    O23 - Service: TrcBoot - Unknown owner - C:\WINNT\System32\drivers\trcboot.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
    --
    End of file - 7243 bytes
    

    Sincerely,
    pgmigg
  • edited July 2008
    That looks fine, let's give it a couple of days and make sure nothing returns :)
  • edited July 2008
    Thank you!

    Thank you!

    Thank you!

    :cheers: