Strange services.exe file in C:\Windows

Discussion in 'adware, spyware & hijack cleaning' started by mav100, Jul 10, 2004.

Thread Status:
Not open for further replies.
  1. mav100

    mav100 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17
    I'm wondering if anyone can help out on this. I seem to be having the same issue as posted in this thred: https://www.wilderssecurity.com/showthread.php?p=215772#post215772. There seems to be a certain Trojan listed at the end of the previous thread posted on this, called TrojanDownloader.Win32.Delf.cq. However, I cannot seem to find any information by searching Google on it. Therefore, to this point, I cannot remove it. The system it has infected is mission critical, and reinstalling Windows is the absolute last option. System Restore, in my case, has not been able to remove it, unlike in the other thread. However, the problem is exactly the same. Any thoughts?
     
  2. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Post the scan log from HijackThis
    to this thread
    Unzip it somewhere to keep and run hijackthis.exe - press Scan - the Scan button changes to a Save Log button
    Save, and then copy and paste the entire log here.
    Dont' choose to fix anything yet - most entries will be harmless
     
  3. mav100

    mav100 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17
    Heres a log from HijackThis I ran a little while ago. I also ran a Startup List log and there is no where on the startup list log that refers to C:\Windows\services.exe, so it is very unclear at this point how the process even starts on its own. As I said, this is the exact same issue as listed in the thread I listed above. Seems to be very tricky. Thanks for the assistance. Heres the log you requested:

    Logfile of HijackThis v1.98.0
    Scan saved at 5:35:50 PM, on 7/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\csrss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\System32\svchost.exe
    D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS.0\system32\LEXBCES.EXE
    C:\WINDOWS.0\system32\spoolsv.exe
    C:\WINDOWS.0\system32\LEXPPS.EXE
    C:\WINDOWS.0\Explorer.EXE
    D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS.0\services.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\WINDOWS.0\System32\nvsvc32.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\System32\RUNDLL32.EXE
    C:\WINDOWS.0\System32\lxamsp32.exe
    C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\WINDOWS.0\System32\rundll32.exe
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Program Files\Microsoft IntelliPoint\point32.exe
    D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    D:\Program Files\Microsoft IntelliType Pro\type32.exe
    D:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\Spybot\TeaTimer.exe
    D:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
    D:\Program Files\LexmarkX63\ACMonitor_X63.exe
    D:\Documents and Settings\Jeremy\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.0\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [type32] "D:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot\TeaTimer.exe
    O4 - Global Startup: AcBtnMgr_X63.exe.lnk = D:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
    O4 - Global Startup: ACMonitor_X63.exe.lnk = D:\Program Files\LexmarkX63\ACMonitor_X63.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/10c690517420db825602/netzip/RdxIE601.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\TempEI4\EI40_\msxml4.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4375/mcfscan.cab


    Here is the Startup log as well if its helpful:

    StartupList report, 7/10/2004, 5:33:14 PM
    StartupList version: 1.52.2
    Started from : D:\Documents and Settings\Jeremy\Desktop\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\csrss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\System32\svchost.exe
    D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS.0\system32\LEXBCES.EXE
    C:\WINDOWS.0\system32\spoolsv.exe
    C:\WINDOWS.0\system32\LEXPPS.EXE
    C:\WINDOWS.0\Explorer.EXE
    D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS.0\services.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\WINDOWS.0\System32\nvsvc32.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\System32\RUNDLL32.EXE
    C:\WINDOWS.0\System32\lxamsp32.exe
    C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\WINDOWS.0\System32\rundll32.exe
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Program Files\Microsoft IntelliPoint\point32.exe
    D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    D:\Program Files\Microsoft IntelliType Pro\type32.exe
    D:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\Spybot\TeaTimer.exe
    D:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
    D:\Program Files\LexmarkX63\ACMonitor_X63.exe
    D:\Documents and Settings\Jeremy\Desktop\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [D:\Documents and Settings\Jeremy\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [D:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    AcBtnMgr_X63.exe.lnk = D:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
    ACMonitor_X63.exe.lnk = D:\Program Files\LexmarkX63\ACMonitor_X63.exe

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS.0\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS.0\System32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    NvMediaCenter = RUNDLL32.EXE C:\WINDOWS.0\System32\NvMcTray.dll,NvTaskbarInit
    lxamsp32.exe = lxamsp32.exe
    PrinTray = C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\printray.exe
    ccApp = "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    IntelliPoint = "D:\Program Files\Microsoft IntelliPoint\point32.exe"
    type32 = "D:\Program Files\Microsoft IntelliType Pro\type32.exe"
    TkBellExe = "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Tweak-XP =
    SpybotSD TeaTimer = D:\Program Files\Spybot\TeaTimer.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS.0\System32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS.0\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44AE4113-C121-10CC-1F32-A0BC12E2014D}]
    StubPath = C:\WINDOWS.0\System32\msapplg.exe

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS.0\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS.0\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS.0\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS.0\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS.0\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS.0\Explorer\Explorer.exe: not present
    C:\WINDOWS.0\System\Explorer.exe: not present
    C:\WINDOWS.0\System32\Explorer.exe: not present
    C:\WINDOWS.0\Command\Explorer.exe: not present
    C:\WINDOWS.0\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS.0
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - D:\Program Files\Spybot\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    NAV Helper - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer - Jeremy.job
    Norton SystemWorks One Button Checkup.job
    Symantec Drmc.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS.0\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS.0\Downloaded Program Files\RdxIE.dll
    CODEBASE = http://software-dl.real.com/10c690517420db825602/netzip/RdxIE601.cab

    [XML DOM Document 4.0]
    InProcServer32 = %SystemRoot%\System32\msxml4.dll
    CODEBASE = file://D:\TempEI4\EI40_\msxml4.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS.0\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38175.8400115741

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS.0\System32\macromed\flash\Flash.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    [McFreeScan Class]
    InProcServer32 = C:\WINDOWS.0\McAfee.com\FreeScan\mcfscan.dll
    CODEBASE = http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4375/mcfscan.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS.0\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS.0\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS.0\System32\mswsock.dll
    Protocol #1: C:\WINDOWS.0\system32\mswsock.dll
    Protocol #2: C:\WINDOWS.0\system32\mswsock.dll
    Protocol #3: C:\WINDOWS.0\system32\mswsock.dll
    Protocol #4: C:\WINDOWS.0\system32\rsvpsp.dll
    Protocol #5: C:\WINDOWS.0\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS.0\system32\mswsock.dll
    Protocol #7: C:\WINDOWS.0\system32\mswsock.dll
    Protocol #8: C:\WINDOWS.0\system32\mswsock.dll
    Protocol #9: C:\WINDOWS.0\system32\mswsock.dll
    Protocol #10: C:\WINDOWS.0\system32\mswsock.dll
    Protocol #11: C:\WINDOWS.0\system32\mswsock.dll
    Protocol #12: C:\WINDOWS.0\system32\mswsock.dll
    Protocol #13: C:\WINDOWS.0\system32\mswsock.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    aeaudio: system32\drivers\aeaudio.sys (manual start)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
    Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    MAC Bridge: System32\DRIVERS\bridge.sys (manual start)
    MAC Bridge Miniport: System32\DRIVERS\bridge.sys (manual start)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Symantec Event Manager: "D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
    Symantec Password Validation: "D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
    Symantec Settings Manager: "D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Indexing Service: C:\WINDOWS.0\System32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
    COM+ System Application: C:\WINDOWS.0\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    Diskeeper: D:\Program Files\Executive Software\DiskeeperLite\DKService.exe (autostart)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINDOWS.0\System32\svchost.exe -k netsvcs (manual start)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    IMAPI CD-Burning COM Service: C:\WINDOWS.0\System32\imapi.exe (manual start)
    Intel(R) Active Monitor: D:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe (autostart)
    IPv6 Firewall Driver: System32\DRIVERS\Ip6Fw.sys (manual start)
    IPv6 Internet Connection Firewall: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (system)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    LexBce Server: C:\WINDOWS.0\system32\LEXBCES.EXE (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Machine Debug Manager: "D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
    Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    MidiSyn: system32\drivers\MidiSyn.sys (manual start)
    NetMeeting Remote Desktop Sharing: C:\WINDOWS.0\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINDOWS.0\System32\msdtc.exe (manual start)
    Windows Installer: C:\WINDOWS.0\System32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe" (autostart)
    NAVENG: \??\D:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040707.008\NAVENG.Sys (manual start)
    NAVEX15: \??\D:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040707.008\NavEx15.Sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBT: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
    Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
    Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    nv: System32\DRIVERS\nv4_mini.sys (manual start)
    NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
    Office Source Engine: D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
    Parallel port driver: System32\DRIVERS\parport.sys (manual start)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    PCIIde: System32\DRIVERS\pciide.sys (system)
    Low level access layer for CD devices: System32\Drivers\Pcouffin.sys (manual start)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    Microsoft IntelliPoint Filter Driver: System32\DRIVERS\point32.sys (manual start)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Processor Driver: System32\DRIVERS\processr.sys (system)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
    Remote Desktop Help Session Manager: C:\WINDOWS.0\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    SAVRT: \??\C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVRT.SYS (system)
    SAVRTPEL: \??\C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVRTPEL.SYS (system)
    SAVScan: C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe (autostart)
    ScriptBlocking Service: D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
    Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (manual start)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    SFI Service: system32\drivers\sf.sys (system)
    Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SIODRV: \??\C:\WINDOWS.0\System32\drivers\SIODRV.SYS (autostart)
    Intel (R) System Management BIOS Service: System32\DRIVERS\SMBios.sys (manual start)
    Intel(R) SMBus 2.0 Driver: System32\DRIVERS\smb.sys (manual start)
    smwdm: system32\drivers\smwdm.sys (manual start)
    SoundMAX Agent Service: D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (autostart)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS.0\System32\dllhost.exe /Processid:{2B7ACAEA-5CD1-4503-9678-B4CA79F23AB9} (manual start)
    Symantec Core LC: D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
    SymEvent: \??\D:\Program Files\Symantec\SYMEVENT.SYS (manual start)
    symlcbrd: \??\C:\WINDOWS.0\System32\drivers\symlcbrd.sys (autostart)
    SYMREDRV: \??\C:\WINDOWS.0\System32\Drivers\SYMREDRV.SYS (manual start)
    SYMTDI: \??\C:\WINDOWS.0\System32\Drivers\SYMTDI.SYS (autostart)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Telnet: C:\WINDOWS.0\System32\tlntsvr.exe (manual start)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
    USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
    USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
    USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
    Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
    VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINDOWS.0\System32\wbem\wmiapsrv.exe (manual start)
    Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    zremote: system32\drivers\zremote.sys (manual start)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS.0\system32\SHELL32.dll
    CDBurn: C:\WINDOWS.0\system32\SHELL32.dll
    WebCheck: C:\WINDOWS.0\System32\webcheck.dll
    SysTray: C:\WINDOWS.0\System32\stobject.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    End of report, 33,478 bytes
    Report generated in 0.328 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    Finally, this is the information that Security Task Manager was able to read from the application:

    The instruction at 0x70d4431e referenced memory at 0x11fd0200. The memory could not be written.
    Click on OK to terminate the program.
    Software\Microsoft\RAS Autodial\Control
    SOFTWARE\Microsoft\Active Setup\Installed Components\44AE4113C12110CC1F32A0BC12E2014D
    Service Pack 1
    abl2P Soft,wa
    ----------------
    kernel32.dll
    GetCurrentThreadId
    ExitProcess
    CreateThread
    UnhandledExceptionFilter
    RtlUnwind
    RaiseException
    GetCommandLineA
    TlsSetValue
    TlsGetValue
    LocalAlloc
    GetModuleHandleA
    GetModuleFileNameA
    FreeLibrary
    HeapFree
    HeapReAlloc
    HeapAlloc
    GetProcessHeap
    CharNextA
    advapi32.dll
    RegSetValueExA
    RegOpenKeyExA
    RegDeleteKeyA
    RegCreateKeyExA
    RegCloseKey
    kernel32.dll
    lstrcmpiA
    WinExec
    SuspendThread
    Sleep
    SetFileTime
    SetFileAttributesA
    LoadLibraryA
    GetWindowsDirectoryA
    GetVersionExA
    GetSystemDirectoryA
    GetProcAddress
    GetLastError
    GetFileTime
    GetCurrentProcessId
    FreeLibrary
    CreateMutexA
    CreateFileA
    CopyFileA
    CloseHandle
    TranslateMessage
    MessageBoxA
    GetMessageA
    DispatchMessageA
    wininet.dll
    InternetReadFile
    InternetOpenUrlA
    InternetOpenA
    InternetCloseHandle
    puModul
    Valu
    pyfdr_8Mlu
    DspachMe
    vRadFiaw
    IntersClosOHad
    UType
    WinIe
    H,msal
    ExplXors.
    vMiaB_aqUcxxo
    RASdxudialCf0Gnp/w
    Sesl
    1culRnyFb
    /Theinstuc
    plicatonEr
    OTc1hek
    LoadLibraryA2
    GetProcAddress
    kernel32.dll
    UTypes
    KWindows
    SysInit
    System
    WinInet
    wwCwiCw
    wK/w.wa
    C\WINDOWS.0\System32
    a_dick
    StubPath
    msapplg.exe
    services.exe
    Explorer.exe
    RegisterServiceProcess
    http//badmental3.netfirms.com/bad.gif
    http//ww.microsoft.com/
    LoginSessionDisable
    Application Error
    .decode
    .data
     
  4. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Before you try anything
    Download Process Explorer
    Unzip the package to a location where you will keep it for future use.
    Run the extracted procexp.exe file from that location and then right click on the following tasks and choose Kill.
    C:\WINDOWS.0\services.exe
    If the process is successfully terminated - it will vanish from the task list (much like using Ctrl-Alt-Delete and choosing End Task)
    Killing a task in this fashion does not delete any files or registry items - it just gets the task out of the way so that the files we wish to delete are not in use.

    This will let you distinguish the one running from windows from the ones running from windows\system32

    Empty the TIF (Temporary Internet Files)
    To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
    Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

    Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder

    Set your Explorer up using the info in this link so that hidden and System files are visible
    Also Uncheck the "Hide extensions for known file types" box

    Delete the file if you can

    I think it's an older form of CWS - the hope is that AdAware gets it but you can do the folloiwng as well to see what happens
    Download and run CWShredder by Merijn Bellekom
    Run it, press 'Fix', and allow it to fix all it finds.


    -----------
    Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.
    Now do the following:
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    check: "Unload recognized processes during scanning."
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"
    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press "Next" to let Ad-aware scan your drives...
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    Now press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.

    Finally, close Ad-Aware, and reboot.
     
  5. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Additionally - I don't recognize ""zremote.sys""

    ------- edit = hold on
    I've just glanced through it again and seen this
    Network Security Service: C:\WINDOWS\system32\atlvt32.exe /s (autostart)

    It's a relatively new CWS variant along the lines of
    https://www.wilderssecurity.com/showthread.php?t=28658&page=2&pp=25
    ---------

    Download FindnFix http://downloads.subratam.org/FINDnFIX.exe

    Double Click on the FindnFix.exe you downloaded earlier and it will install into its own folder.
    That folder should be C:\FINDnFIX
    Browse to the folder
    Close all other open windows.
    Run (double click on) the !LOG!.bat file

    Have a coffee

    When it's done:
    From the FindnFix folder.
    - Post (paste) the contents of Log.txt in this thread.
     
    Last edited: Jul 10, 2004
  6. mav100

    mav100 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17
    Actually, I have already tried Ad-Aware, as well as SpyBot. Neither detected any adware/spyware/malware. I have also run Norton Anti-Virus, McAfee Free Scan, McAfee Stinger, and used KillBox to try to rid the machine of this nasty. So far, all efforts have failed miserably. The file reappears as soon as the machine is rebooted. I have also deleted all Temp and Temporary Internet files from the machine, then deleted the file, and rebooted the machine while offline to verify that this file isn't automatically being downloaded from the internet on startup (I've seen some other adware do this), and that also did not help. So far, I can't get rid of it. I've searched the entire registry for any trace of this file, and nothing is there. My thought is that some other process the begins on startup is calling it, but which one I cannot figure out....

    zremote.sys - This is for a legitmate piece of hardware on the machine (Streamzap remote control).
     
  7. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    I edited the above
    It's along the lines of the one at http://computercops.biz/postp211843.html

    You'll want to terminate the "Network Security Service" using Start > Run and running services.msc
    If you can stop the service - set it's startup type to disabled
     
  8. mav100

    mav100 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17
    Here is the log from FindNFix. I've also noticed that there is no "Network Security" service listed in services.msc.


    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»
    »»»»»»»»»»»»»»»»»»*** Read this first! ***»»»»»»»»»»»»»»»»
    Due to errors on various message boards I made some changes.
    You must know how to ID the file based on the filters provided in
    the scan, as not all the files flagged are bad.
    If you make a mistake or use the wrong guidance, it is completely
    your responsibility and the helper that assists you.
    If you are not sure about the nature of the file or how
    to proceed, I suggest you research it first before attempting
    to remove any *unknown file on your own.
    *For Helpers and/or users that are not familiar with any of the
    items on the scan results- I recommend using an alternative, once
    you know what to look for!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    --The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
    and is the destination for the file to be moved..
    -*Previous directions will no longer work...
    »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q837009-Q832894-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    Sat 07/10/2004
    7:32pm up 0 days, 0:01

    »»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/:cool:»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...


    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT

    »»»»» (*3*) »»»»»........

    No matches found.

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»»»»(*5*)»»»»»
    **File C:\WINDOWS.0\SYSTEM32\DLLXXX.TXT

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...


    No matches found.

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs =
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group DESKTOP\None.
    User is a member of group \Everyone.
    User is a member of group DESKTOP\Debugger Users.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.

    »» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

    [SC] GetServiceKeyName FAILED 1060:

    The specified service does not exist as an installed service.

    [SC] GetServiceDisplayName FAILED 1060:

    The specified service does not exist as an installed service.


    »»Notepad check....

    C:\WINDOWS.0\
    notepad.exe Thu Aug 23 2001 3:00:00p A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    C:\WINDOWS.0\SYSTEM32\
    notepad.exe Thu Aug 23 2001 3:00:00p A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    C:\WINDOWS.0\SYSTEM32\DLLCACHE\
    notepad.exe Thu Aug 23 2001 3:00:00p A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K
    --a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft® Windows® Operating System
    ProductVersion 5.1.2600.0
    FileVersion 5.1.2600.0 (xpclient.010817-114:cool:
    LegalCopyright © Microsoft Corporation. All rights reserved.

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050001:0a280000 (5.1:2600.0)
    ProdVer: 00050001:0a280000 (5.1:2600.0)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000


    »»»»»»Backups created...»»»»»»
    7:33pm up 0 days, 0:02
    Sat 07/10/2004

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 07-10-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 287 07-10-2004 winkey.reg

    C:\FINDNFIX\
    JUNKXXX Sat Jul 10 2004 7:32:06p .D... <Dir>

    1 item found: 0 files, 1 directory.

    »»Performing string scan....
    00001150: ?
    00001190: vk f AppInit_
    000011D0:DLLs G vk UDeviceNotSelectedTimeout
    00001210: 1 5 ( W 9 0 ! vk ' zGDIProce
    00001250:ssHandleQuota" vk Spooler2 y e s
    00001290: 0 ` vk =pswapdisk vk
    000012D0: R TransmissionRetryTimeout 0 `
    00001310: vk ' USERProcessHandleQuota
    00001350:
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:
    00001590:
    000015D0:

    ---------- WIN.TXT
    fùAppInit_DLLsÖæG
    --------------
    --------------
    No strings found.

    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 2 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : ""
    0000 00 00 | ..
    
     
  9. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Have a look again for it or as an alternate name such as __NS_Service_2 or similar
    Wee could try guessing that frying these 3 files might resolve this ?
    It's a rather new one on me


    Some of this I'm not very sure of - so don't delete the junkxxx folder right away
    DLLXXX.TXT

    1.)
    *Get ready to restart your computer.
    - Open the FINDnFIX\Keys1< Subfolder And
    DoubleClick on the "FIX.bat" file.
    -You will get a prompt preparing for auto-restart in 15 seconds.
    -Let it restart!
    --------------------------------------------------------------------------
    2.)
    On restart, Go to Start/Search, and find these 3: (don't include the path when looking)
    C:\WINDOWS\system32\atlvt32.exe
    C:\WINDOWS.0\SYSTEM32\DLLXXX.TXT
    C:\WINDOWS.0\services.exe
    -When found, select the file (as it should be visible)
    And use the folder's top menu:
    edit>......move to folder>... (From the search results)
    Scroll and Select the following path as destination:
    -> C:\ -> FINDnFIX... -> Click once to expand, and select the
    ->...junkxxx Subfolder as final destination, and move
    the "CTL.DLL" into that Subfolder.(C:\FINDnFIX\junkxxx)
    (you might get a prompt about 'read-only' file -Simply 'ok' it!)
    --------------------------------------------------------------
    3.)
    When done, Open the C:\FINDnFIX folder and
    Run the "RESTORE.bat" file ,
    It should run and generate new log (log1.txt)
    Post it here.
    ===================================================
    *Note:
    Do not change/move around or
    tamper with any of the file(s) folder(s) and path
    included in the 'FINDnFIX' folder.


    ------
    If this fails

    Do you know how to use the recovery console?
     
  10. mav100

    mav100 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17
    I've checked services.msc again, and found no strange services running at all. Also, of the files you've listed to remove, only the one I mentioned, services.exe exist. The other files are not present on the machine. I've noticed that when I leave the services.exe process running, I see the Norton A/V window pop up saying that "services.exe is waiting for a scan of miniup[1].zip. I'm running TDS-3 at the moment and it came up with TrojanDownloader.Win32.Adi and TrojanDownloader.Win32.INService.h. I haven't found too much info on these yet, and the TDS-3 scan is still going, so I'll see what else pops up.
     
  11. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    If this fails then
    ------
    Download about:Buster from either of the following locations.

    http://www.atribune.org/downloads/AboutBuster.zip
    or
    http://tools.zerosrealm.com/AboutBuster.zip


    Close ALL Internet Explorer windows, and disconnect from the internet!!
    This is a very important step!!

    Run AboutBuster.exe, click ok, then start, then OK. Make a copy of the log once it finishes. Then run aboutbuster.exe again. Make a copy of that log.

    Reboot and post a new HijackThis log along with the two reports from about:Buster.
     
  12. free@tlast

    free@tlast Spyware Expert

    Joined:
    Jun 15, 2004
    Posts:
    32
    I like to stop here and point out the facts, in
    defense of my fav good bud IMM :cool:

    You don't have any cws related problems, and don't
    need to follow any of the pointed steps above!

    C:\WINDOWS\system32\atlvt32.exe <doesn't exist and random anyway ;)
    C:\WINDOWS.0\SYSTEM32\DLLXXX.TXT< is created by me as part of the enumeration process and gets deleted ...
    C:\WINDOWS.0\services.exe< is the problem.

    First, delete the entire FINDnFIX folder from C:
    As it can't help at all, restart computer in safe mode, find and delete:
    C:\WINDOWS.0\services.exe< file!

    Download couple of Anti/trojan tools suggested on this board and scan internally.
    You will find more details about your
    WORM_NETSKY here:

    http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_NETSKY.A
    Post back details...
     
  13. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Me stupid = not around for a day or 2 and I'm a 1R :oops:

    Listen to FAL - she knows what she's talking about
    Here's another possible link
    http://www.sophos.com/virusinfo/analyses/trojagentza.html

    Can you please email me the C:\WINDOWS.0\System32\msapplg.exe file
    Send it to jack_macaulay @ telus.net
    (remove the spaces around the @ sign from that email)
     
    Last edited: Jul 10, 2004
  14. mav100

    mav100 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17
    I can tell you guys this - its not Netsky unless its an entirely new varient. I've already scanned it (in safe mode) with numerous virus scanners and nothing malicious was found. Also - I'm running TDS-3 now to search for trojans (taking a while to complete the scan though). It has noted the Trojans listed about, and some NTFS Alternate Data Streams on a few .mpg and .ram files on the system, but I suspect these streams are legit based on the info in the TDS-3 forum on Alternate Data Streams. They range from 120 to about 180 bytes in size. So it seems so far we are still on the wrong track. Doing a search on Google for either of the Trojans found by TDS-3 yield no results. Also, I believe I said above that I have deleted services.exe numerous times manually and also tried it with KillBox. I have previously attempted to do this in safe mode. When the machine restarts the services.exe file pops right back up.
     
  15. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Can you forward that file I asked for - or is it not found?
     
  16. mav100

    mav100 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17
    I'll forward that file right now. I just looked at it and it is the exact same size as the services.exe file I'm trying to kill. Coincidence?
     
  17. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Whatever it is - It'll take me a while to sort out - it's encrypted and has a bad DOS header (if it's a real exe ? )

    If you can get it off the machine and out to a floppy - I'd certainly try that

    -kill \windows\services.exe first and get rid of both at the same time
     
  18. mav100

    mav100 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17
    I've killed it, and removed both files from the machine and the references to the msapplg.exe file from the registry. Upon restart of the machine, the suspicious services.exe file did not restart, and neither it nor the msapplg.exe file have reappeared. Hopefully that takes care of it. Thanks so much for your help!
     
  19. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    I'll see if I can figure out what it was
    let me know if it comes back
     
  20. mav100

    mav100 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17
    You got it. Again, thanks so much for your help!
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi again!
    did your TDS scan tell you about the suspicious finds and were those the same files you just deleted?
    You could zip and submit them to submit@diamondcs.com.au so Gavin can look deeper for you too. (or do it from the console itself, but they might get lost in the mailbox scanners, not sure)
    Fortunately the TDS alerts give the full pathnames, to enable your searching.
    Somehow above you enabled already to see all files and extensions.
    Now waiting also for IMM's further finds.
    Could help to save the alerts to text and paste in the next posting.
    Think we were at this same point in your thread in the TDS forum.
     
  22. mav100

    mav100 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17
    The alert for the TrojanDownloader.Win32.Adi did not appear if i ran a scan after I killed the bad services.exe process, or once I was finally able to permanently delete the file from the computer. My assuption is that this was the file causing the detection. TDS always found it during an memory scan, when it was loaded into memory. I'll be sure to send a copy of it in for you, however, it does appear that it is already being detected. Thanks again!
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Think you'er right! I forgot it was also a TDS detection!
    Some alerts say "suspicious" or "possible" this or that, and those are the files we submit, only not suspicious because of double extensions.
    You sound as if the system is really clean!
    Nice! Congratulations!
     
  24. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thank you, Gavin might be very happy with it and surely will find out what it is. If i don't find filenames with google i consider them suspicious these days.
     
Thread Status:
Not open for further replies.