Computer wicked laggy, could someone peruse my HJ This log?
girlcreeture
Sergeant
Joined: Feb 08, 2004
Posts: 82
Location: USA
Posted: Thu Mar 11, 2004 11:05 pm Post subject: Computer wicked laggy, could someone peruse my HJ This log?
Howdy all, I was recently assisted with cleaning up my Mum's computer here and now it seems it's my computer's turn.
My comp is just wicked slow recently, I've run Spybot and AdAware, but it's just so sloooow, if someone could peek at my Hijack This log and offer some advice that'd be great!
Logfile of HijackThis v1.97.7
Scan saved at 11:04:01 PM, on 3/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\winnt\system32\catroot\lsass.exe
C:\winnt\system32\catroot\winlogon.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\winnt\system32\catroot\lsass.exe
C:\WINNT\system32\svchost.exe
C:\winnt\system32\catroot\csrss.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\Fonts\explorer.exe
C:\WINNT\SOUNDMAN.EXE
C:\Downloads & Apps\Spyware Removal & Cleanups\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geocities.com/girlcreeture/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [TaskMan] C:\WINNT\Fonts\rundll32.exe
O4 - HKLM\..\Run: [Explorer] C:\WINNT\Fonts\explorer.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Internet32] C:\WINNT\System32\printers\svchost.exe
O4 - HKLM\..\Run: [Microsoft Harddisk] C:\winnt\system32\catroot\svhosthelp.exe
O4 - HKLM\..\Run: [ethernet32] C:\WINNT\System32\ie128\svchost.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc.../swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/198a8c1b4603b075b2...xIE601.cab
O16 - DPF: {66B30EA0-C033-4D4B-9F90-EA0AF07363AF} (BugsMediaPlayer Control) - http://so.bugs.co.kr/BugsOggPlay_9.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...8609837963
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://so.bugs.co.kr/SetGlb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
Thanks a lot!
GC
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4792
Location: USA
Posted: Fri Mar 12, 2004 5:53 pm
You have some processes running from a place they shouldn't be. That leads me to believe they are either viral or Trojan in nature. The catroot folder should contain very little.
These:
C:\winnt\system32\catroot\lsass.exe
C:\winnt\system32\catroot\winlogon.exe
C:\winnt\system32\catroot\lsass.exe
C:\winnt\system32\catroot\csrss.exe
-----------------------
Fix these items using HijackThis:
O4 - HKLM\..\Run: [TaskMan] C:\WINNT\Fonts\rundll32.exe
O4 - HKLM\..\Run: [Explorer] C:\WINNT\Fonts\explorer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Internet32] C:\WINNT\System32\printers\svchost.exe
O4 - HKLM\..\Run: [Microsoft Harddisk] C:\winnt\system32\catroot\svhosthelp.exe
O4 - HKLM\..\Run: [ethernet32] C:\WINNT\System32\ie128\svchost.exe
Restart and delete these files:
C:\WINNT\Fonts\rundll32.exe
C:\WINNT\Fonts\explorer.exe
C:\WINNT\System32\printers\svchost.exe
C:\winnt\system32\catroot\svhosthelp.exe
C:\WINNT\System32\ie128\svchost.exe
------------------
Go for free online Virus scans here:
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/
Allow them to clean
Go here and get one of the free trials of an Anti Trojan and scan for Trojans.
http://www.wilders.org/anti_trojans.htm
Go offline and Scan with the anti Trojan and let it clean.
---------------------------------------
Empty your Temporary Internet Files and history in Internet Options. And clean out your
%Userprofile%\Local Settings\Temp
folder. It's a good idea to do that regularly.
Also check to see if these files are still there:
C:\winnt\system32\catroot\lsass.exe
C:\winnt\system32\catroot\winlogon.exe
C:\winnt\system32\catroot\lsass.exe
C:\winnt\system32\catroot\csrss.exe
If they are, also list what else is in that folder please and then remove the 3 files I listed from the catroot folder.
Run HijackThis again and post the new log in your next reply in this same topic.
I don't see a Firewall running. Are you using a Hardware Firewall? If not you have to run something to protect you from intruders.
Zone Alarm offers a free firewall.
http://www.zonelabs.com/store/content/c...wnload.jsp
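The check Mosaic1 applies by eye in the post above (a core Windows binary name such as lsass.exe, csrss.exe, svchost.exe or explorer.exe running from a folder it has no business in, or an O4 Run entry pointing at one) can be written down and run over a log. The following is an added example for this thread, not code from the forum, the poster or HijackThis itself. It assumes a Windows 2000 layout rooted at C:\WINNT as in the poster's log; the expected-location table is this example's own choice, and the sample log is a constructed excerpt modelled on the lines posted in the thread.

```python
"""Flag HijackThis 'Running processes' and O4 autorun entries whose file name is
a core Windows binary living outside the directory that binary belongs in.

Added example for the forum thread; not part of the post or of HijackThis.
Assumes a Windows 2000 install rooted at C:\\WINNT (the poster's layout); the
expected-location table below is this example's own assumption.
"""
import re
from pathlib import PureWindowsPath

# Expected directory, relative to the Windows root, for core binaries that
# malware commonly impersonates by name. "" means the Windows root itself.
EXPECTED_DIRS = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "rundll32.exe": "system32",
    "explorer.exe": "",
}

HJT_ITEM_RE = re.compile(r"^[A-Z]\d+ - ")   # 'R0 - ', 'O4 - ', ... end the process list
EXE_RE = re.compile(r"(.*?\.(?:exe|com|scr|bat|pif))(?:\s|$)", re.IGNORECASE)


def check_path(path, windows_root=r"C:\WINNT"):
    """Return a reason string if `path` names a core binary in the wrong place,
    or None if it is not a core binary or sits exactly where it belongs."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return None
    if not p.anchor:
        # Bare name: resolved through the PATH search order at launch time.
        return f"{name} referenced without a directory"
    root = windows_root.lower().rstrip("\\")
    parent = str(p.parent).lower()
    if parent != root and not parent.startswith(root + "\\"):
        return f"{name} outside the Windows directory: {p.parent}"
    rel = parent[len(root):].lstrip("\\")
    if rel != expected:
        wanted = windows_root if expected == "" else windows_root + "\\" + expected
        return f"{name} expected in {wanted}, found in {p.parent}"
    return None


def _first_token(cmd):
    """Executable part of a Run value: honours quoting, keeps unquoted paths
    containing spaces together, drops trailing arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def _o4_target(line):
    """Executable launched by an O4 line (registry Run value or startup .lnk)."""
    body = line.partition(": ")[2]           # after 'O4 - HKLM\..\Run: '
    if body.startswith("["):
        body = body.partition("] ")[2]       # drop the '[value name]'
    elif " = " in body:
        body = body.partition(" = ")[2]      # 'Foo.lnk = C:\path\foo.exe'
    return _first_token(body)


def scan_log(text, windows_root=r"C:\WINNT"):
    """Return [(section, raw_line, reason)] for every suspicious entry."""
    findings = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if HJT_ITEM_RE.match(line):
            in_processes = False
        if in_processes:
            reason = check_path(line, windows_root)
            if reason:
                findings.append(("process", line, reason))
        elif line.startswith("O4 - "):
            reason = check_path(_o4_target(line), windows_root)
            if reason:
                findings.append(("O4", line, reason))
    return findings


# Constructed excerpt modelled on the log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\lsass.exe
C:\winnt\system32\catroot\lsass.exe
C:\winnt\system32\catroot\csrss.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Fonts\explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geocities.com/girlcreeture/
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [TaskMan] C:\WINNT\Fonts\rundll32.exe
O4 - HKLM\..\Run: [Internet32] C:\WINNT\System32\printers\svchost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

if __name__ == "__main__":
    for section, line, reason in scan_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the excerpt this reports the two catroot processes, the Fonts copy of explorer.exe, and the two O4 entries pointing at Fonts\rundll32.exe and System32\printers\svchost.exe, while the legitimate System32 copies and third-party programs pass. The check only catches location anomalies by file name: a file sitting in the right directory can still have been replaced, so a location pass is a reason to move on to the antivirus and anti-Trojan scans the moderator asks for, not a clean bill of health.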
girlcreeture
Sergeant
Joined: Feb 08, 2004
Posts: 82
Location: USA
Posted: Fri Mar 12, 2004 11:26 pm
Mosaic1 wrote:
-----------------------
Fix these items using HijackThis:
O4 - HKLM\..\Run: [TaskMan] C:\WINNT\Fonts\rundll32.exe
O4 - HKLM\..\Run: [Explorer] C:\WINNT\Fonts\explorer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Internet32] C:\WINNT\System32\printers\svchost.exe
O4 - HKLM\..\Run: [Microsoft Harddisk] C:\winnt\system32\catroot\svhosthelp.exe
O4 - HKLM\..\Run: [ethernet32] C:\WINNT\System32\ie128\svchost.exe
Restart and delete these files:
C:\WINNT\Fonts\rundll32.exe
C:\WINNT\Fonts\explorer.exe
C:\WINNT\System32\printers\svchost.exe
C:\winnt\system32\catroot\svhosthelp.exe
C:\WINNT\System32\ie128\svchost.exe
------------------
Hello! Thanks for your help, here is what I did so far. The above, I fixed the files you listed via HJ This and restarted.
I could not find the 5 files above...I looked directly in the folders and ran a search...
C:\WINNT\Fonts\rundll32.exe: the closest I found was this:
C:\WINNT\system32 OR C:\WINNT\system32\ie128
C:\WINNT\Fonts\explorer.exe: the closest I found was this:
C:\WINNT, C:\WINNT\$ntservicepackuninstall$, C:\WINNT\servicepackfiles\i386
C:\WINNT\System32\printers\svchost.exe: the closest I found was this:
C:\WINNT\system32
C:\winnt\system32\catroot\svhosthelp.exe: I didn't even see a "catroot" folder on this path...I hope this isn't bad (oh dear)...I have the settings set to show all files...
C:\WINNT\System32\ie128\svchost.exe: I found nothing
So I am guessing either the HJ This fix killed those...? Or I am doing something wrong? I am no expert but I do know how to navigate my comp pretty well...where is that catroot folder? Urg... I will await your reply...thanks again
Oh and BTW, I do have a hardware firewall, dunno if that helps...
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4792
Location: USA
Posted: Fri Mar 12, 2004 11:40 pm
First do this so you can see hidden files and folders.
Open Folder Options>view and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Next go to Search and scroll down using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders
Because XP will not always show you hidden files by default.
Then try again to be sure.
Did you run the Online Virus Scans and then use the anti Trojan program? It is urgent that you do that.
Hijackthis would not have removed those items.
girlcreeture
Sergeant
Joined: Feb 08, 2004
Posts: 82
Location: USA
Posted: Sat Mar 13, 2004 12:20 am
Hallo,
I just fixed the settings, I am running Housecall now so I will wait til that finishes to go back and do the search as you instructed, this is stinky, thanks for all your help thus far... and actually, I am using Win2000 Pro...
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4792
Location: USA
Posted: Sat Mar 13, 2004 12:30 am
Sorry.
Get directions to show all files from this site:
Go here and follow the directions to show all files:
http://service1.symantec.com/SUPPORT/ts...2715262339
girlcreeture
Sergeant
Joined: Feb 08, 2004
Posts: 82
Location: USA
Posted: Sat Mar 13, 2004 12:37 am
No apologies necessary, you're helping me, I am grateful. Housecall is still running...
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4792
Location: USA
Posted: Sat Mar 13, 2004 12:51 am
Keep at it and do both the scans. Then get the Anti Trojan and scan.
Post the results.
I'll probably look at it tomorrow. It's late here. Good luck.
girlcreeture
Sergeant
Joined: Feb 08, 2004
Posts: 82
Location: USA
Posted: Sat Mar 13, 2004 7:20 pm
Hello again,
I finished scanning with the two online programs you linked to and they cleaned up a bit, I also ran "The Cleaner" and Tauscan for trojans and they also did some cleaning, I've rebooted and here's the log:
Logfile of HijackThis v1.97.7
Scan saved at 7:22:24 PM, on 3/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\winnt\system32\catroot\lsass.exe
C:\WINNT\system32\svchost.exe
C:\winnt\system32\catroot\csrss.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads & Apps\Spyware Removal & Cleanups\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geocities.com/girlcreeture/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc.../swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/198a8c1b4603b075b2...xIE601.cab
O16 - DPF: {66B30EA0-C033-4D4B-9F90-EA0AF07363AF} (BugsMediaPlayer Control) - http://so.bugs.co.kr/BugsOggPlay_9.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003...scan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...8609837963
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://so.bugs.co.kr/SetGlb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
Thanks again!
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4792
Location: USA
Posted: Sat Mar 13, 2004 7:29 pm
You still look a bit dirty. I want to see where two of these are starting from.
Post a startuplist please. In Hijackthis press the Config Button
Click Misc Tools
Check both boxes under the Generate StartupList log and then click the generate startuplist log button.
Paste the contents into your next reply here.
These files:
C:\winnt\system32\catroot\lsass.exe
C:\winnt\system32\catroot\csrss.exe
Later you may boot to Safe mode and delete these two. But I want to see if they are starting as services first.
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4792
Location: USA
Posted: Sat Mar 13, 2004 7:32 pm
If they cannot be deleted in Safe Mode, I'll write you a script to kill them and then delete. Right now I have to leave for a while.
girlcreeture
Sergeant
Joined: Feb 08, 2004
Posts: 82
Location: USA
Posted: Sat Mar 13, 2004 7:47 pm
Don't wanna be dirty! Heh, sorry that just made me snark a little...>ahem<
Here is the startup log from HJ This
StartupList report, 3/13/2004, 7:50:44 PM
StartupList version: 1.52
Started from : C:\Downloads & Apps\Spyware Removal & Cleanups\Hijack This\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\winnt\system32\catroot\lsass.exe
C:\WINNT\system32\svchost.exe
C:\winnt\system32\catroot\csrss.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads & Apps\Spyware Removal & Cleanups\Hijack This\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager = mobsync.exe /logon
IgfxTray = C:\WINNT\System32\igfxtray.exe
HotKeysCmds = C:\WINNT\System32\hkcmd.exe
vptray = C:\Program Files\NavNT\vptray.exe
OneTouch Monitor = C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
REGSHAVE = C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
SoundMan = SOUNDMAN.EXE
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
NeroCheck = C:\WINNT\System32\NeroCheck.exe
tcactive = C:\Program Files\The Cleaner\tca.exe
tcmonitor = C:\Program Files\The Cleaner\tcm.exe
Tau Monitor = C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINNT\System32\mshta.exe "%1" %*
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigIE
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINNT\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINNT\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINNT\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd
[{00000075-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/voxacm.CAB
[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shoc.../swdir.cab
[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/200...taller.exe
[RdxIE Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/198a8c1b4603b075b2...xIE601.cab
[BugsMediaPlayer Control]
InProcServer32 = C:\WINNT\system32\BUGSOG~1\BUGSME~1.OCX
CODEBASE = http://so.bugs.co.kr/BugsOggPlay_9.CAB
[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2003...scan53.cab
[ActiveScan Installer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab
[Update Class]
InProcServer32 = C:\WINNT\system32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/C...8609837963
[SetGlb Control]
InProcServer32 = C:\WINNT\system32\setglb.ocx
CODEBASE = http://so.bugs.co.kr/SetGlb.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shoc...wflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
NameSpace #3: C:\WINNT\System32\nwprovau.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll
Protocol #14: C:\WINNT\system32\msafd.dll
Protocol #15: C:\WINNT\system32\msafd.dll
Protocol #16: C:\WINNT\system32\msafd.dll
Protocol #17: C:\WINNT\system32\msafd.dll
Protocol #18: C:\WINNT\system32\msafd.dll
Protocol #19: C:\WINNT\system32\msafd.dll
Protocol #20: C:\WINNT\system32\msafd.dll
Protocol #21: C:\WINNT\system32\msafd.dll
Protocol #22: C:\WINNT\system32\msafd.dll
Protocol #23: C:\WINNT\system32\msafd.dll
Protocol #24: C:\WINNT\system32\msafd.dll
Protocol #25: C:\WINNT\system32\msafd.dll
Protocol #26: C:\WINNT\system32\msafd.dll
Protocol #27: C:\WINNT\system32\msafd.dll
Protocol #28: C:\WINNT\system32\msafd.dll
Protocol #29: C:\WINNT\system32\msafd.dll
Protocol #30: C:\WINNT\system32\msafd.dll
Protocol #31: C:\WINNT\system32\msafd.dll
Protocol #32: C:\WINNT\system32\msafd.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Service for Avance AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\services.exe (manual start)
Application Management: %SystemRoot%\system32\services.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
basic2: System32\DRIVERS\basic2.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Cnxtdiag: System32\DRIVERS\cnxtdiag.sys (autostart)
DefWatch: C:\Program Files\NavNT\defwatch.exe (autostart)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
Fallback: System32\DRIVERS\fallback.sys (autostart)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Fsks: System32\DRIVERS\fsksnt.sys (autostart)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
Service for AC'97 Driver (WDM): system32\drivers\ichaud.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
K56: System32\DRIVERS\k56nt.sys (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
Messenger: %SystemRoot%\System32\services.exe (autostart)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
NAVAP: \??\C:\Program Files\NavNT\NAVAP.sys (manual start)
NAVAPEL: \??\C:\Program Files\NavNT\NAVAPEL.SYS (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040310.005\NAVENG.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040310.005\NAVEX15.sys (manual start)
NetBEUI Protocol: System32\DRIVERS\nbf.sys (autostart)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Norton AntiVirus Client: C:\Program Files\NavNT\rtvscan.exe (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Visioneer USB Kernel: System32\DRIVERS\usbscan.sys (manual start)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Rksample: System32\DRIVERS\rksample.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft LAN DataServer: C:\winnt\system32\catroot\lsass.exe -s (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
SoftFax: System32\DRIVERS\faxnt.sys (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMIDSCO: \??\C:\WINNT\System32\Drivers\SYMIDSCO.SYS (manual start)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
Tones: System32\DRIVERS\tonesnt.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
USB 2.0 Root Hub Support: System32\DRIVERS\usbhub20.sys (manual start)
%USBSTOR.SvcDesc%: System32\DRIVERS\USBSTOR.SYS (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
V124: System32\DRIVERS\v124nt.sys (autostart)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Windows Time: %SystemRoot%\System32\services.exe (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Internet Connection Manager: C:\winnt\system32\catroot\lsass.exe -s (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (system)
Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll
--------------------------------------------------
End of report, 30,441 bytes
Report generated in 0.390 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4792
Location: USA
Posted: Sat Mar 13, 2004 9:37 pm Post subject:
You have been hacked. Please go to System32\catroot and zip the two files in question and email them to me for analysis.
C:\winnt\system32\catroot\lsass.exe
C:\winnt\system32\catroot\csrss.exe
Send to me as an attachment.
My email is
Katie_3232 @hotmail.com
I have added an extra space to the address. Remove it and the email will work. Thanks. This is extremely important.
---------------------
Are you on a Network? If so, disconnect from it.
Go to Start>Run and type
services.msc and press Enter.
Find this entry on the list and double click on it:
Microsoft LAN DataServer
Click the Recovery tab and be sure all are set to
Take No Action.
Click the General Tab.
On this page, click the Stop Button.
Then set the service to disabled.
Immediately restart the computer.
I am not sure how
C:\winnt\system32\catroot\csrss.exe is starting yet. The other file may start it or there may be another startup location.
Run HijackThis and look at the running processes list.
Do you see either of these entries there?
C:\winnt\system32\catroot\lsass.exe
C:\winnt\system32\catroot\csrss.exe
Post back ASAP.
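Added here as an example (not code from the thread or from HijackThis): a Python check that does mechanically what Mosaic1 did by eye, flagging any binary in the report's running-process and service lines that carries a core Windows process name (lsass.exe, csrss.exe and the like) but runs from somewhere other than its installed directory. It assumes the Windows directory is C:\WINNT as in the posted log, and the sample lines it scans are constructed.

```python
# Added example, not code from the thread or from HijackThis: scan the process
# and service lines of a StartupList/HijackThis report and flag binaries that
# borrow a core Windows process name but run from a directory Windows never uses for it.
import ntpath
import re

# Directory under the Windows directory where each core NT process lives.
EXPECTED_SUBDIR = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "",  # explorer sits in %SystemRoot%
}
SERVICE_RE = re.compile(r"^([^:]+): (.+?) \(([^()]+)\)$")  # "Name: cmd (autostart)"
BINARY_RE = re.compile(r"^(.+?\.(?:exe|dll|sys))(?:\s|$)", re.I)  # cmd up to the binary
WINDIR = r"C:\WINNT"  # assumed Windows 2000 default, as in the posted log


def check_path(path, windir=WINDIR):
    """Return a reason if path impersonates a core process, else None."""
    path = re.sub(r"%systemroot%", lambda _m: windir, path, flags=re.I)
    name = ntpath.basename(path).lower()
    if name not in EXPECTED_SUBDIR:
        return None  # not a name worth impersonating
    expected = ntpath.normpath(ntpath.join(windir, EXPECTED_SUBDIR[name])).lower()
    actual = ntpath.normpath(ntpath.dirname(path)).lower()
    if actual == expected:
        return None
    return "%s belongs in %s but runs from %s" % (name, expected, actual)


def scan_report(text, windir=WINDIR):
    """Return (report line, reason) for each suspicious process or service."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = SERVICE_RE.match(line)
        if m:  # service entry: pull the binary out of its command line
            b = BINARY_RE.match(m.group(2))
            path = b.group(1) if b else ""
        elif re.match(r"^[A-Za-z]:\\", line):  # bare path from "Running processes"
            path = line
        else:
            continue
        reason = check_path(path, windir) if path else None
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample modelled on the entries the thread discusses.
SAMPLE = r"""
C:\WINNT\system32\lsass.exe
C:\winnt\system32\catroot\lsass.exe
C:\winnt\system32\catroot\csrss.exe
C:\WINNT\Explorer.EXE
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Microsoft LAN DataServer: C:\winnt\system32\catroot\lsass.exe -s (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
"""
```

Running `scan_report(SAMPLE)` returns the two catroot processes and the "Microsoft LAN DataServer" service, while the genuine lsass.exe, Explorer.EXE and the svchost entry pass.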
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4792
Location: USA
Posted: Sat Mar 13, 2004 9:41 pm Post subject:
If you prefer, you can format and reinstall. There is going to be a bit of work involved in clearing this out. Registry editing and file searches. I'll help as best I can from a distance, and I have tools to help. But in the end it will be up to you.
If you have any sensitive information on the hard drive (passwords, banking information, etc.), that all has to be changed.
girlcreeture
Sergeant
Joined: Feb 08, 2004
Posts: 82
Location: USA
Posted: Sat Mar 13, 2004 10:37 pm Post subject:
Hiya, this is craptacular news.
I just emailed you and performed the steps above except restarting, I'm doing that now...
All times are GMT - 5 Hours