Riskware.RemoteAdmin.Win32.NetCat

bpb21
2007-06-02, 03:10
I've been having some trouble with internet-related performance on another PC. Below is a log from HijackThis Beta version 2; I used this one because I am running Windows Vista on the subject PC. No online scans were tried because whenever I get on the internet I experience some strange things, i.e. a refusal of my PC to return from screen saver mode. A scan with Spybot S&D, AVG free antivirus, and Windows Defender doesn't turn up anything. However, a-squared free finds the same three entries every time:
Riskware.RemoteAdmin.Win32.NetCat
Riskware.RiskTool.Win32.PsExec.13
Riskware.RiskTool.Win32.HideWindows
Any attempts to quarantine or delete these appear to work, but they're always right back next time I scan. Same results when done in safe mode. Any help would be appreciated.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:01:01 AM, on 6/1/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Antispyware\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [WatcherHelper] "C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u1-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe (file missing)
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe

--
End of file - 7350 bytes

tashi
2007-06-10, 02:48
Hello and sorry for the delay. For people waiting who have not resolved their problem, we have a sticky topic:
If you have waited FOUR days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

However, if members waiting do not post in that thread, their topic is archived after seven days.

shelf life
2007-06-11, 01:26
hi bpb21,

those 3 are flagged as "riskware" because they can be part of legit software on your computer. they might also be part of malware. your hjt log looks ok as far as malware goes. you can post your add/remove entries list like this:

start hjt, click on open misc tools section
click on open uninstall manager
click on save list
save the .txt file somewhere and post it in next reply

we will attempt to ID anything that might use those 3 files.

you might also look in the system32 dir for nc.exe
don't delete it though.

shelf life

bpb21
2007-06-12, 04:20
Ok, here's the uninstall list from HJT:

µTorrent
Adobe Acrobat 7.0.9 Professional
Adobe Flash Player 9 ActiveX
a-squared Free 3.0
AVG 7.5
AVIcodec (remove only)
AWAKEN 1.4
CCleaner (remove only)
Fallout Tactics
ffdshow [rev 1193] [2007-05-22]
HijackThis 2.0.0
HP Driver Diagnostics
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Online Scanner
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Microsoft Virtual PC 2007
MSXML 4.0 SP2 (KB927978)
Nero 7 Premium
neroxml
NVIDIA Drivers
S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0001]
Sierra Wireless 3G Watcher
Spybot - Search & Destroy 1.4
Starcraft
VIA Platform Device Manager
VIA Rhine-Family Fast-Ethernet Adapter
VMware Workstation
WinRAR archiver

Also, I didn't notice any nc.* file in the system32 directory. I think Nero may be responsible for two of the riskware entries, possibly VMware as well, but I thought I uninstalled VMware (wrong version for Vista).

shelf life
2007-06-12, 04:48
hi bpb21,

thanks for the info. don't see anything in that list that looks like it would be part of those 3 "riskware files". you said you scanned with spybot, avg and defender, and they all came up clean?

shelf life

bpb21
2007-06-12, 14:35
I re-ran a scan with a-squared free and none of the 3 entries turned up (a deep scan). Spybot, AVG, and Defender never turned up anything. So I'm going to say that those entries were only "riskware" and nothing serious. Next time I bring that machine online I may try Kaspersky online scan to see what turns up. Thanks for the help.

shelf life
2007-06-12, 22:48
hi bpb21,

ok good. could have been a false positive also. all the "scanners" are capable of false positives. an online scan is always good for another opinion.
I like your location!
read my tips about prevention. not a lot of reading either, lots of pictures.

happy safe surfing.

shelf life

bpb21
2007-06-14, 04:52
Now that I think I've gotten the virii straightened out, I got back online and did an online scan with Kaspersky just in case. The scan results are below - I've removed the non-pertinent entries:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 13, 2007 9:43:44 PM
Operating System: Microsoft Windows Vista Professional, (Build 6000)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 14/06/2007
Kaspersky Anti-Virus database records: 345974
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
B:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 78859
Number of viruses found: 3
Number of infected objects: 30
Number of suspicious objects: 0
Duration of the scan process: 01:49:22

Infected Object Name / Virus Name / Last Action
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\26d71b169ebe46f9476aee50027c6516.a2q/Windows/System32/drivers/etc/nero/spsexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\26d71b169ebe46f9476aee50027c6516.a2q ZIP: infected - 1 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\60f8cfd81490e8351e047bb140e3e147.a2q/Windows/System32/drivers/etc/nero/spsexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\60f8cfd81490e8351e047bb140e3e147.a2q ZIP: infected - 1 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\62ee8d2ab659a101ad8f1395ac34c961.a2q/Windows/System32/drivers/etc/nero/spsexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\62ee8d2ab659a101ad8f1395ac34c961.a2q ZIP: infected - 1 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\65af2fcb2a4458e1aaf7bebdf412ccf4.a2q/Windows/System32/drivers/etc/nero/pnc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\65af2fcb2a4458e1aaf7bebdf412ccf4.a2q ZIP: infected - 1 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\8b4f245d35297ffc901cda22116093ba.a2q/Windows/System32/drivers/etc/nero/pnc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\8b4f245d35297ffc901cda22116093ba.a2q ZIP: infected - 1 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\8b7a10792c34e4648f69cd139d60b756.a2q/Windows/System32/drivers/etc/nero/winhelper.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\8b7a10792c34e4648f69cd139d60b756.a2q ZIP: infected - 1 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\8b8faa4ba86152325ce1b11cd2f4069c.a2q/Windows/System32/drivers/etc/nero/winhelper.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\8b8faa4ba86152325ce1b11cd2f4069c.a2q ZIP: infected - 1 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\8dad53246f55e7aebd0b7dd916e8e2d4.a2q/Windows/System32/drivers/etc/nero/winhelper.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\8dad53246f55e7aebd0b7dd916e8e2d4.a2q ZIP: infected - 1 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\a84d983109643ad31510598a14b250ce.a2q/Windows/System32/drivers/etc/nero/winhelper.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\a84d983109643ad31510598a14b250ce.a2q ZIP: infected - 1 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\ab0344692c4ce1c6f3384587fbf7f31c.a2q/Windows/System32/drivers/etc/nero/winhelper.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\ab0344692c4ce1c6f3384587fbf7f31c.a2q ZIP: infected - 1 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\d571480c148606394517d719a2b294b8.a2q/Windows/System32/drivers/etc/nero/pnc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\d571480c148606394517d719a2b294b8.a2q ZIP: infected - 1 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\d7ecb4fb9c075917d234741ed1cbb25a.a2q/Windows/System32/drivers/etc/nero/spsexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\d7ecb4fb9c075917d234741ed1cbb25a.a2q ZIP: infected - 1 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\e18e7ac0946c27afd6abbe26d3260dea.a2q/Windows/System32/drivers/etc/nero/pnc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\e18e7ac0946c27afd6abbe26d3260dea.a2q ZIP: infected - 1 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\e8d1b4831ee34b2ee96bdcf1cb98c965.a2q/Windows/System32/drivers/etc/nero/pnc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\e8d1b4831ee34b2ee96bdcf1cb98c965.a2q ZIP: infected - 1 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\ed3ff5a32da5ecd32b0618b5c49af4fa.a2q/Windows/System32/drivers/etc/nero/spsexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine\ed3ff5a32da5ecd32b0618b5c49af4fa.a2q ZIP: infected - 1 skipped

These are the entries that were triggering a-squared. I ran a-squared several times and selected "Quarantine" on the 3 files it would tag as riskware. About 10 times sounds right, hence the 30 infected files in the quarantine folder. They seem to be related to Nero Burning Rom. What do you make of this? False positives, or is there something malicious that's attached itself to Nero?
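As an added example (not from the thread or from any of the tools named in it), the script below collapses a Kaspersky report of this shape into distinct verdicts, files and source directories, so that a "30 infected objects" headline can be read as repeat quarantines of the same few files; the quarantine-archive names in the sample are constructed placeholders, not the real ones.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Kaspersky report above; the
# archive names (ARCH01..ARCH04) are placeholders for the real hashes.
Q = r"C:\Users\BPB\AppData\Local\VirtualStore\Program Files\a-squared Free\Quarantine"
SAMPLE_REPORT = "\n".join([
    "Infected Object Name / Virus Name / Last Action",
    Q + r"\ARCH01.a2q/Windows/System32/drivers/etc/nero/spsexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped",
    Q + r"\ARCH01.a2q ZIP: infected - 1 skipped",
    Q + r"\ARCH02.a2q/Windows/System32/drivers/etc/nero/pnc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped",
    Q + r"\ARCH02.a2q ZIP: infected - 1 skipped",
    Q + r"\ARCH03.a2q/Windows/System32/drivers/etc/nero/winhelper.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped",
    Q + r"\ARCH03.a2q ZIP: infected - 1 skipped",
    Q + r"\ARCH04.a2q/Windows/System32/drivers/etc/nero/spsexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped",
    Q + r"\ARCH04.a2q ZIP: infected - 1 skipped",
])

# One line per file found inside a quarantine archive, and one per archive.
FILE_RE = re.compile(r"^(?P<archive>.+?\.a2q)/(?P<inner>.+?) Infected: (?P<verdict>\S+) skipped$")
ZIP_RE = re.compile(r"^(?P<archive>.+?\.a2q) ZIP: infected - (?P<n>\d+) skipped$")


def summarize(report):
    """Count objects, distinct archives, distinct (verdict, file) pairs and source dirs."""
    objects = 0
    archives = set()
    hits = defaultdict(set)  # (verdict, inner path) -> archives that contain it
    for line in report.splitlines():
        m = FILE_RE.match(line)
        if m:
            objects += 1
            archives.add(m["archive"])
            hits[(m["verdict"], m["inner"])].add(m["archive"])
            continue
        m = ZIP_RE.match(line)
        if m:
            objects += 1
            archives.add(m["archive"])
    return {
        "objects": objects,
        "archives": len(archives),
        # how many separate quarantine runs captured each distinct file
        "distinct_files": {k: len(v) for k, v in hits.items()},
        # directory each quarantined file originally lived in
        "source_dirs": {inner.rsplit("/", 1)[0] for _, inner in hits},
        # Kaspersky marks riskware (legit tools) with a "not-a-virus:" prefix
        "riskware_only": all(v.startswith("not-a-virus:") for v, _ in hits),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['objects']} objects in {s['archives']} archives -> "
          f"{len(s['distinct_files'])} distinct files from {sorted(s['source_dirs'])}")
    for (verdict, inner), runs in s["distinct_files"].items():
        print(f"  {verdict:45} {inner}  (quarantined {runs}x)")
```

When every hit is a "not-a-virus:" verdict on files from one product directory, the report describes the same tools re-quarantined on each run rather than thirty separate findings; whether that directory belongs to the installed product is the remaining question.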

shelf life
2007-06-14, 05:33
hi bpb21,

I wouldn't worry about that file in Nero. loads of people use Nero; I use Nero, though it's getting more and more like bloatware.
that is a legit copy of Nero you have, correct? and not something you got off p2p/warez etc.?
a lot of cracked software can have malware in it, although you would probably have much more malware on your computer by now.

shelf life