Rootkit detected by Norton, several other infected files found



coolblue
2008-07-15, 16:27
This past Sunday I was updating only the definitions (no software update) of Ad-Aware 2007, and suddenly a Norton AV "Virus Alert" warning window popped open and stated that a file "C:\WINNT\system32\clbdll.dll" was infected with "Hacktool.Rootkit" and was automatically deleted.

I immediately stopped Ad-Aware and any other open programs, and proceeded to research the term Rootkit via Google. I ended up on a page that suggested running the Microsoft Malicious Software Removal Tool KB890830, which I downloaded and ran. It also detected one infection and requested a reboot in order to remove the infection. The report stated that "TrojanDroper:Win32/Cutwail.Y" was found.

Restarted the PC and after the desktop reappeared I was greeted with a "Flashplayer upgrade reminder" pop-up window: "An update to your Adobe Flash player is available". It looked legit, but I didn't take any chances at this point so I canceled (Don't Install button).

BTW, I've got screen shots of all the scan results and pop up screens I mention on this post, in case it might be of any help.

Then according to the page I visited, I also ran a BitDefender online scan, which detected just another infected file:

C:\WINNT\system32\dplayx32.dll Infected with: Trojan.BHO.WebPrefix.A

but both Disinfection and Deletion failed. I also went to examine the file at the Jotti page, and sure enough 18 out of the 20 scans came back positive, although the name given to the specific infection was not always the same. Some of the names reported on this single file are: ADSPY/Bho.aa.1, Adware.Bho.Aa, Win32:Trojano-3384, Collected.11.AD, Trojan.BHO.Webprefix.A, Adware.BHO-2, Malware.W32.BHO.aa, Adware.Bho, W32/Downloader.MNI, Adware/KeenValue and others. The F-Prot scan strangely reported (but still in red): not-a-virus:Adware.Win32.BHO.aa (4, 1, 400).

I went into the directory where this "dplayx32.dll" is located, and sure enough it would not let me delete it. So I went into safe mode and then was able to delete it manually (but thankfully I made a backup of this file first). Anyway after this when I tried to go back in normal mode, the Win2000 startup failed, and reported this:

"MISSING: WINNT\SYSTEM32\CONFIG\SYSTEMced"

I tried to repair the file with the Win2000 startup floppies and CD, but would always end up at a "blue screen of death" that stated:

***STOP: 0x0000001E (0xC0000006, 0xBFFFBBBE, 0x00000000, 0x48592816)
KMODE_EXCEPTION_NOT_HANDLED
*** ADDRESS BFFBBBBE BASE AT BFFA2000, DATESTAMP 38441c2a - setupdd.sys

Not sure if this error was happening just because I deleted the dplayx32.dll file, or a combination of this and other files that might have been removed by some of the programs I ran.

Then I went into a separate win2000 system, looked up the setupdd.sys file, which I found is located in the c:\winnt\servicepackfiles\i386 directory, and also searched for any files in the c:\winnt\system32\config\ directory that were being mentioned on the win2000 startup error screen, to see if I could locate a file with a similar name to the reported missing one, "SYSTEMced". There was of course none with exactly that name, so I just temporarily copied all the files in the config directory.

With these files and under DOS, I went into the problem win2000 machine (yes, it has a Fat32 partition) that would not start, and copied all the files into the corresponding system32/config directory, and then copied the setupdd.sys into its corresponding i386 directory. And of course I also copied the infected dplayx32.dll back into its original location.

Now the machine will once again start win2000, and that is how I got here. Problem is the infected file is still there, and I wonder what else can and needs to be done in order to clean up this system.

I've read the initial steps needed to request help, so I followed the instructions and I'm posting my HJT log below. Of course, unfortunately, I'm a bit late to comply with the instruction not to run any fixes before being instructed to do so. Still, I hope my previous description of everything I've done so far will be of use, and enable someone here to help me. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:20 AM, on 7/15/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Moon\moon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Eudora\Eudora.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ACDSee32\ACDSee32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: MoonPhase.lnk = C:\Program Files\Moon\moon.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\Program Files\ms-office95\Office\FASTBOOT.EXE
O4 - Global Startup: Eudora.lnk = C:\Program Files\Eudora\Eudora.exe
O4 - Global Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MightyFAX Controller.lnk = C:\Program Files\MightyFax NT\MFNTCTL.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: ZipToA - Unknown owner - C:\WINNT\system32\ZipToA.exe (file missing)

--
End of file - 6462 bytes
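As an added example (not part of the original post, and not a tool from any of the products named in it), here is a small Python triage helper for logs in the HijackThis format shown above. It parses the O2/O3 (browser helper objects and toolbars), O4 (autoruns) and O23 (services) lines and flags entries a helper on a forum like this would look at first: entries whose referenced file is missing (orphaned registrations), services with no publisher, and autoruns that use a relative command resolved through the search path. The sample lines are copied from the log above; the regular expressions, the `Entry` type and the `triage` rules are this example's own assumptions about the format, not an official parser.

```python
import re
from dataclasses import dataclass

# Sample lines taken from the HijackThis log posted above (a subset, not the full log).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: ZipToA - Unknown owner - C:\WINNT\system32\ZipToA.exe (file missing)
"""

# Assumed line shapes (derived from the log above, not an official grammar):
#   "<section> - <body>"                         e.g. "O4 - HKLM\..\Run: [name] command"
#   O4 body:  "<hive>: [<name>] <command>"
#   O23 body: "Service: <name> (<short>) - <owner> - <path>"  (short name optional)
#   O2/O3 body: "BHO|Toolbar: <name> - {CLSID} - <path>"
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.*)$")
MISSING_SUFFIX = "(file missing)"


@dataclass
class Entry:
    section: str
    name: str
    path: str          # command line (O4) or file path (O2/O3/O23)
    file_missing: bool
    owner: str = ""    # publisher string, O23 only


def parse_hjt(text: str) -> list[Entry]:
    """Parse the O2/O3/O4/O23 lines of a HijackThis-style log into Entry records."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, blank, or a section type this helper does not model
        section, body = m["section"], m["body"]
        missing = body.endswith(MISSING_SUFFIX)
        if missing:
            body = body[: -len(MISSING_SUFFIX)].rstrip()
        if section == "O4":
            m4 = O4_RE.match(body)
            if m4:
                entries.append(Entry(section, m4["name"], m4["command"], missing))
        elif section == "O23":
            m23 = O23_RE.match(body)
            if m23:
                entries.append(Entry(section, m23["name"], m23["path"], missing, m23["owner"]))
        elif section in ("O2", "O3"):
            parts = body.split(" - ")
            if len(parts) >= 3:
                name = parts[0].split(": ", 1)[-1]
                entries.append(Entry(section, name, parts[-1], missing))
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, str, str, list[str]]]:
    """Return (section, name, path, reasons) for entries worth a closer look.

    These are review prompts, not verdicts: a relative autorun command such as
    internat.exe is flagged only because it is resolved through the search path,
    not because the entry is known to be bad.
    """
    findings = []
    for e in entries:
        reasons = []
        if e.file_missing:
            reasons.append("referenced file is missing (orphaned registration)")
        if e.section == "O23" and e.owner == "Unknown owner":
            reasons.append("service has no publisher information")
        if e.section == "O4" and not re.match(r'^"?[A-Za-z]:\\', e.path):
            reasons.append("autorun uses a relative command resolved via the search path")
        if reasons:
            findings.append((e.section, e.name, e.path, reasons))
    return findings


if __name__ == "__main__":
    for section, name, path, reasons in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section} {name!r} -> {path}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the sample, the helper reports the orphaned Java BHO, the relative `internat.exe` autorun, and the two services that are both missing on disk and carry no publisher; the Norton and Zone Labs entries pass through silently. A real log has many more section types (R0/R1, O9, O16 and so on); the parser skips them rather than guessing at their shape.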

coolblue
2008-07-15, 16:33
Sorry, just wanted to make sure I will receive instant email notifications to this thread. Tried to edit my first post in order to enable the subscription, but I did not see an "Edit" button.