| Thread ID: 44325 | 2004-04-15 22:00:00 | Kobesl.exe | sarahk (5347) | Press F1 |

| Post ID | Timestamp | Content | User |
|---|---|---|---|
| 229663 | 2004-04-15 22:00:00 | A friend has contacted me with a query. His PC was running slow, so he loaded up "Process Explorer", which showed that kobesl.exe was running sometimes and that it was in c:\winnt\system32\. He can't find the file, nor can he find a file with "kobesl" as a string within it. Spybot, AdAware and HijackThis have failed to find anything. There is no " " before the name as happens with some bad processes (e.g. wowexe). A search on Google shows nothing, so has my friend got infected with something very new? Any ideas? | sarahk (5347) |
| 229664 | 2004-04-15 23:28:00 | Interesting. I can't find it either. Has he searched the registry for it? I don't know if apps can "alias" their names in the task manager. Would be a major hassle if they can. robo. | robo (205) |
| 229665 | 2004-04-15 23:54:00 | Yes, he's used regedit to search for it. | sarahk (5347) |
| 229666 | 2004-04-16 00:49:00 | Try this, see if there are any clues here: run msconfig, Startup tab. | beama (111) |
| 229667 | 2004-04-23 08:13:00 | Hello all, my name is Dave. I'm the one who discovered the Kobesl.exe on my PC (thank you Sarah for starting this thread). I've rebooted my PC on several occasions and each time I looked for Kobesl.*. Out of 8 reboots, it came up only once. I instantly went to Process Explorer to see if I could get any new info (if you haven't used Process Explorer, it allows you to double-click a process to gain more info via a small pop-up window). While I was getting the screenshots I suspended the process. I did screen prints of this data, but was rather perplexed when I didn't see the images I saved as kobesl_view1, kobesl_view2 etc.; after doing it again and just naming the screenshots minus kobesl_, the images were there. So anything with kobesl in its name is not visible... that bothers me. I am running Norton SystemWorks Professional 2004 and keep it updated on a daily basis. I also have SBC DSL with a LinkSys router. Norton has not detected anything, nor do I know what this process is. As Sarah mentioned earlier, nothing shows up in any search engine for kobesl.exe or kobesl. Since I am on Win2k, I had to download msconfig and run it. Nothing shows up with msconfig, nor in any of the HijackThis logs. Ad Aware didn't detect it either, nor is it part of any COM or ActiveX IE helper components. If any of you wish to view the screenshots, shoot me an e-mail. I'd really like to get to the bottom of this. Thank you for your help. -Dave | iacchus (5532) |
| 229668 | 2004-04-23 09:29:00 | Have you turned the "hide known file types" and "hide system files" off? Can you post the hijack log? | tweak'e (174) |
| 229669 | 2004-04-23 19:59:00 | Yes, hidden files are visible. Here is the HijackThis startup log. As you can see there are several instances of 'Kobe', but they are not visible at all. The registry showed nothing, nor are they in Services. I haven't been able to find anything regarding Kobe* on my computer anywhere. | |

```text
Started from : C:\Program Files\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\Mixer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Free Surfer\fs20.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe
D:\phpdev5\mysql\bin\mysqld-nt.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
D:\phpdev5\gtkdev\php4\php.exe
C:\Palm\AlarmApp.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Norton SystemWorks\Process Viewer\PrcView.exe
D:\phpdev5\ApacheMonitor.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

--------------------------------------------------
Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator.BIZFETCH-8122\Start Menu\Programs\Startup]
Alarm Manager.LNK = C:\Palm\AlarmApp.exe
HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
PowerReg Scheduler.exe
PrcView.lnk = C:\Program Files\Norton SystemWorks\Process Viewer\PrcView.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup]
CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
mysql_NT.lnk = D:\phpdev5\mysql\bin\mynt_shortcut.bat
Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
phpdev5.lnk = D:\phpdev5\spiny.bat

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------
Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
C-Media Mixer = Mixer.exe /startup
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
GhostStartTrayApp = C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
AcctMgr = C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
freesurfer = C:\Program Files\Free Surfer\fs20.exe
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
CreateCD50 = C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
YBrowser = C:\Program Files\Yahoo!\browser\ybrwicon.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
NetMeter = C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
IncrediMail = C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
QD FastAndSafe = C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Weather = C:\Program Files\AWS\WeatherBug\Weather.exe 1
MailWasher = C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
MoneyAgent = "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------
Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=kobesa.dll,apitrap.dll

--------------------------------------------------
Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------
Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------
Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------
Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------
Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Microsoft Money\System\mnyside.dll - {243B17DE-77C7-46BF-B94B-0B5F309A0E64}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - (no file) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------
Enumerating Task Scheduler jobs:

Full Scan.job
Norton AntiVirus - Scan my computer.job
Symantec Drmc.job
Symantec NetDetect.job
System Check.job
Web Cleanup.job

--------------------------------------------------
Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[ppctlcab]
CODEBASE = www.pestscan.com

[Yahoo! Pool 2]
CODEBASE = download.games.yahoo.com
OSD = C:\WINNT\Downloaded Program Files\Yahoo! Pool 2.osd

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = office.microsoft.com

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = www.apple.com

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\macromed\Shockwave 10\Download.dll
CODEBASE = download.macromedia.com

[yucsetreg Class]
InProcServer32 = C:\Program Files\Yahoo!\common\yucconfig.dll
CODEBASE = C:\Program Files\Yahoo!\common\yucconfig.dll

[MiniBugTransporterX Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\MiniBugTransporter.dll
CODEBASE = download.weatherbug.com

[{2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED}]
CODEBASE = www.popmonster.com

[{2FC9A21E-2069-4E47-8235-36318989DB13}]
CODEBASE = www.pestscan.com

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\common\yinsthelper.dll

[Office Update Installation Engine]
InProcServer32 = C:\WINNT\opuc.dll
CODEBASE = office.microsoft.com

[{4E888414-DB8F-11D1-9CD9-00C04F98436A}]
CODEBASE = webresponse.one.microsoft.com

[{556DDE35-E955-11D0-A707-000000521957}]
CODEBASE = www.xblock.com

[MSN Chat Control 4.2]
InProcServer32 = C:\WINNT\Downloaded Program Files\MSNChat42.ocx
CODEBASE = fdl.msn.com

[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
CODEBASE = java.sun.com

[NMInstall Control]
InProcServer32 = C:\WINNT\system32\NMINST~1.DLL
CODEBASE = a14.g.akamai.net

[MSN File Upload Control]
InProcServer32 = C:\WINNT\DOWNLO~1\MsnUpld.dll
CODEBASE = sc.groups.msn.com

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = v4.windowsupdate.microsoft.com

[YahooYMailTo Class]
InProcServer32 = C:\Program Files\Yahoo!\common\ymmapi.dll
CODEBASE = download.yahoo.com

[{A7E092C3-692A-11D0-A7E5-08002B322F3B}]
CODEBASE = webresponse.one.microsoft.com

[{C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE}]
CODEBASE = security.symantec.com

[MSN Photo Upload Tool]
InProcServer32 = C:\WINNT\Downloaded Program Files\MsnPUpld.dll
CODEBASE = sc.groups.msn.com

[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
CODEBASE = java.sun.com

[{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078}]
CODEBASE = www-secure.symantec.com

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = download.macromedia.com

[{E77C0D62-882A-456F-AD8F-7C6C9569B8C7}]
CODEBASE = www-secure.symantec.com

[{F00F4763-7355-4725-82F7-0DA94A256D46}]
CODEBASE = www2.incredimail.com

[MSN Chat Control 4.5]
InProcServer32 = C:\WINNT\Downloaded Program Files\MSNChat45.ocx
CODEBASE = chat.msn.com

--------------------------------------------------
Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\WINNT\system32\nmtracer.dll
Protocol #2: C:\WINNT\system32\nmtracer.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\msafd.dll
Protocol #5: C:\WINNT\system32\msafd.dll
Protocol #6: C:\WINNT\system32\rsvpsp.dll
Protocol #7: C:\WINNT\system32\rsvpsp.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll
Protocol #14: C:\WINNT\system32\nmtracer.dll

--------------------------------------------------
Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\services.exe (manual start)
ALI AGP Bus Filter: System32\drivers\aliagp.sys (system)
Application Management: %SystemRoot%\system32\services.exe (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k BITSgroup (autostart)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
Closed Caption Decoder: system32\drivers\ccdecode.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
C-Media PCI Audio Driver (WDM): system32\drivers\cmaudio.sys (manual start)
Crypkey License: crypserv.exe (autostart)
dev5_ap1: "D:\phpdev5\apache\Apache.exe" --ntservice (autostart)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
GhostStartService: C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE (autostart)
GhostPciScanner: \??\C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Kobes Driver: \??\C:\WINNT\system32\kobes.sys (manual start)
Kobes Service: C:\WINNT\system32\kobes.exe (autostart)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
Messenger: %SystemRoot%\System32\services.exe (autostart)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
BDA MPE Filter: system32\DRIVERS\MPE.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040421.035\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040421.035\NavEx15.Sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NetworkX: \SystemRoot\system32\ckldrv.sys (system)
Norton Unerase Protection Driver: \??\C:\WINNT\system32\Drivers\NPDRIVER.SYS (manual start)
Norton Unerase Protection: C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE (autostart)
NT Apm/Legacy Interface Driver: System32\DRIVERS\NtApm.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
nv4: system32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Microsoft USB Open Host Controller Driver: System32\DRIVERS\openhci.sys (manual start)
PalmUSBD: system32\drivers\PalmUSBD.sys (manual start)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
QDFSDRV: \??\C:\WINNT\system32\drivers\qdfsdrv.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVRT.SYS (system)
SAVRTPEL: \??\C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVRTPEL.SYS (system)
SAVScan: C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
SDdriver: \??\C:\WINNT\system32\Drivers\sddriver.sys (manual start)
Secdrv: \??\C:\WINNT\system32\drivers\SECDRV.SYS (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Speed Disk service: C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
symlcbrd: \??\C:\WINNT\system32\drivers\symlcbrd.sys (autostart)
SYMREDRV: \??\C:\WINNT\system32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \??\C:\WINNT\system32\Drivers\SYMTDI.SYS (autostart)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Visual Studio Analyzer RPC bridge: C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe (manual start)
Windows Time: %SystemRoot%\System32\services.exe (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
IBM PC Camera: System32\DRIVERS\C-itnt.sys (manual start)

--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll
```
iacchus (5532) | ||
| 229670 | 2004-04-24 01:05:00 | OK tweak'e, you asked for the Hijack log.... now go and sort through all that! :D LMAO Actually, that doesn't look like the HijackThis startup logs that I am familiar with.... have they changed them? ?:| |
Susan B (19) | ||
| 229671 | 2004-04-24 07:54:00 | That looks like a very old version of HiJackThis. Download and run the latest version (1.97.07 I think) |
godfather (25) | ||
| 229672 | 2004-04-24 11:09:00 | Log with new version of Hijackthis - StartupList report, 4/24/2004, 4:55:01 AM StartupList version: 1.52 Started from : C:\Program Files\HijackThis.EXE Detected: Windows 2000 SP4 (WinNT 5.00.2195) Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106) * Using default options * Including empty and uninteresting sections * Showing rarely important sections ================================================== Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\crypserv.exe C:\WINNT\System32\svchost.exe C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE C:\WINNT\system32\regsvc.exe C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe C:\WINNT\system32\MSTask.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\SymTray.exe C:\WINNT\Mixer.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe C:\Program Files\Free Surfer\fs20.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\Program Files\Yahoo!\browser\ybrwicon.exe C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe C:\PROGRA~1\Yahoo!\browser\ycommon.exe C:\Program Files\AWS\WeatherBug\Weather.exe C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE C:\Program Files\Microsoft 
Money\System\mnyexpr.exe C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe C:\WINNT\system32\ntvdm.exe D:\phpdev5\mysql\bin\mysqld-nt.exe C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE C:\Program Files\Microsoft Office\Office\1033\msoffice.exe D:\phpdev5\gtkdev\php4\php.exe C:\Palm\AlarmApp.exe C:\Palm\HOTSYNC.EXE C:\Program Files\Norton SystemWorks\Process Viewer\PrcView.exe D:\phpdev5\ApacheMonitor.exe C:\Program Files\Trillian\trillian.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\HijackThis.exe -------------------------------------------------- Listing of startup folders: Shell folders Startup: [C:\Documents and Settings\Administrator.BIZFETCH-8122\Start Menu\Programs\Startup] Alarm Manager.LNK = C:\Palm\AlarmApp.exe HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE PowerReg Scheduler.exe PrcView.lnk = C:\Program Files\Norton SystemWorks\Process Viewer\PrcView.exe Shell folders AltStartup: *Folder not found* User shell folders Startup: *Folder not found* User shell folders AltStartup: *Folder not found* Shell folders Common Startup: [C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup] CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE mysql_NT.lnk = D:\phpdev5\mysql\bin\mynt_shortcut.bat Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE phpdev5.lnk = D:\phpdev5\spiny.bat Shell folders Common AltStartup: *Folder not found* User shell folders Common Startup: *Folder not found* User shell folders Alternate Common Startup: *Folder not found* -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINNT\system32\userinit.exe, [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon] *Registry key not found* 
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] *Registry value not found* [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon] *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synchronization Manager = mobsync.exe /logon C-Media Mixer = Mixer.exe /startup SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" GhostStartTrayApp = C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe AcctMgr = C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup freesurfer = C:\Program Files\Free Surfer\fs20.exe AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" CreateCD50 = C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe YBrowser = C:\Program Files\Yahoo!\browser\ybrwicon.exe QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime NetMeter = C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe IncrediMail = C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c QD FastAndSafe = C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *No values found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices *No values found* -------------------------------------------------- Autorun entries from Registry: 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Weather = C:\Program Files\AWS\WeatherBug\Weather.exe 1 MailWasher = C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE MoneyAgent = "C:\Program Files\Microsoft Money\System\mnyexpr.exe" -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce *No values found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\Run [OptionalComponents] *No values found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\Run *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- File association entry for .EXE: HKEY_CLASSES_ROOT\exefile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .COM: HKEY_CLASSES_ROOT\comfile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .BAT: HKEY_CLASSES_ROOT\batfile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .PIF: 
HKEY_CLASSES_ROOT\piffile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .SCR: HKEY_CLASSES_ROOT\scrfile\shell\open\command (Default) = "%1" /S -------------------------------------------------- File association entry for .HTA: HKEY_CLASSES_ROOT\htafile\shell\open\command (Default) = C:\WINNT\System32\mshta.exe "%1" %* -------------------------------------------------- Enumerating Active Setup stub paths: HKLM\Software\Microsoft\Active Setup\Installed Components (* = disabled by HKCU twin) [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP [>{26923b43-4d38-484f-9b9e-de460746276c}] * StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] * StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] * StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT [{6A5110B5-E14B-4268-A065-EF89FF33C325}] * StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub [{7790769C-0471-11d2-AF11-00C04FA35D02}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install [{89820200-ECBD-11cf-8B85-00AA005B4340}] * StubPath = regsvr32.exe /s /n /i:U shell32.dll [{89820200-ECBD-11cf-8B85-00AA005B4383}] * StubPath = %SystemRoot%\System32\ie4uinit.exe [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] * StubPath = C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install 
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] * StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl -------------------------------------------------- Enumerating ICQ Agent Autostart apps: HKCU\Software\Mirabilis\ICQ\Agent\Apps *Registry key not found* -------------------------------------------------- Load/Run keys from C:\WINNT\WIN.INI: load=*INI section not found* run=*INI section not found* Load/Run keys from Registry: HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found* HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found* HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found* HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found* HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found* HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found* HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found* HKCU\..\Windows NT\CurrentVersion\Windows: load= HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=kobesa.dll,apitrap.dll -------------------------------------------------- Shell & screensaver key from C:\WINNT\SYSTEM.INI: Shell=*INI section not found* SCRNSAVE.EXE=*INI section not found* drivers=*INI section not found* Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=*Registry value not found* drivers=*Registry value not found* Policies Shell key: HKCU\..\Policies: Shell=*Registry key not found* HKLM\..\Policies: Shell=*Registry value not found* -------------------------------------------------- Checking for EXPLORER.EXE instances: C:\WINNT\Explorer.exe: PRESENT! 
C:\Explorer.exe: not present C:\WINNT\Explorer\Explorer.exe: not present C:\WINNT\System\Explorer.exe: not present C:\WINNT\System32\Explorer.exe: not present C:\WINNT\Command\Explorer.exe: not present C:\WINNT\Fonts\Explorer.exe: not present -------------------------------------------------- Checking for superhidden extensions: .lnk: HIDDEN! (arrow overlay: yes) .pif: HIDDEN! (arrow overlay: yes) .exe: not hidden .com: not hidden .bat: not hidden .hta: not hidden .scr: not hidden .shs: HIDDEN! .shb: HIDDEN! .vbs: not hidden .vbe: not hidden .wsh: not hidden .scf: HIDDEN! (arrow overlay: NO!) .url: HIDDEN! (arrow overlay: yes) .js: not hidden .jse: not hidden -------------------------------------------------- Verifying REGEDIT.EXE integrity: - Regedit.exe found in C:\WINNT - .reg open command is normal (regedit.exe %1) - Company name OK: 'Microsoft Corporation' - Original filename OK: 'REGEDIT.EXE' - File description: 'Registry Editor' Registry check passed -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670} (no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (no name) - C:\Program Files\Microsoft Money\System\mnyside.dll - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} (no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7} (no name) - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872} (no name) - (no file) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} -------------------------------------------------- Enumerating Task Scheduler jobs: Full Scan.job Norton AntiVirus - Scan my computer.job Symantec Drmc.job Symantec NetDetect.job System Check.job Web Cleanup.job -------------------------------------------------- Enumerating Download Program Files: [DirectAnimation Java Classes] 
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd [Microsoft XML Parser for Java] CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd [ppctlcab] CODEBASE = www.pestscan.com [Yahoo! Pool 2] CODEBASE = download.games.yahoo.com OSD = C:\WINNT\Downloaded Program Files\Yahoo! Pool 2.osd [Microsoft Office Template and Media Control] InProcServer32 = C:\WINNT\Downloaded Program Files\IEAWSDC.DLL CODEBASE = office.microsoft.com [QuickTime Object] InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx CODEBASE = www.apple.com [Shockwave ActiveX Control] InProcServer32 = C:\WINNT\system32\macromed\Shockwave 10\Download.dll CODEBASE = download.macromedia.com [yucsetreg Class] InProcServer32 = C:\Program Files\Yahoo!\common\yucconfig.dll CODEBASE = C:\Program Files\Yahoo!\common\yucconfig.dll [MiniBugTransporterX Class] InProcServer32 = C:\WINNT\Downloaded Program Files\MiniBugTransporter.dll CODEBASE = download.weatherbug.com [{2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED}] CODEBASE = www.popmonster.com [{2FC9A21E-2069-4E47-8235-36318989DB13}] CODEBASE = www.pestscan.com [YInstStarter Class] InProcServer32 = C:\Program Files\Yahoo!\common\yinsthelper.dll CODEBASE = C:\Program Files\Yahoo!\common\yinsthelper.dll [Office Update Installation Engine] InProcServer32 = C:\WINNT\opuc.dll CODEBASE = office.microsoft.com [{4E888414-DB8F-11D1-9CD9-00C04F98436A}] CODEBASE = webresponse.one.microsoft.com [{556DDE35-E955-11D0-A707-000000521957}] CODEBASE = www.xblock.com [MSN Chat Control 4.2] InProcServer32 = C:\WINNT\Downloaded Program Files\MSNChat42.ocx CODEBASE = fdl.msn.com [Java Plug-in 1.4.2_03] InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll CODEBASE = java.sun.com [NMInstall Control] InProcServer32 = C:\WINNT\system32\NMINST~1.DLL CODEBASE = a14.g.akamai.net [MSN File Upload Control] InProcServer32 = 
C:\WINNT\DOWNLO~1\MsnUpld.dll CODEBASE = sc.groups.msn.com [Update Class] InProcServer32 = C:\WINNT\System32\iuctl.dll CODEBASE = v4.windowsupdate.microsoft.com [YahooYMailTo Class] InProcServer32 = C:\Program Files\Yahoo!\common\ymmapi.dll CODEBASE = download.yahoo.com [{A7E092C3-692A-11D0-A7E5-08002B322F3B}] CODEBASE = webresponse.one.microsoft.com [{C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE}] CODEBASE = security.symantec.com [MSN Photo Upload Tool] InProcServer32 = C:\WINNT\Downloaded Program Files\MsnPUpld.dll CODEBASE = sc.groups.msn.com [Java Plug-in 1.4.2_03] InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll CODEBASE = java.sun.com [{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078}] CODEBASE = www-secure.symantec.com [Shockwave Flash Object] InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx CODEBASE = download.macromedia.com [{E77C0D62-882A-456F-AD8F-7C6C9569B8C7}] CODEBASE = www-secure.symantec.com [{F00F4763-7355-4725-82F7-0DA94A256D46}] CODEBASE = www2.incredimail.com [MSN Chat Control 4.5] InProcServer32 = C:\WINNT\Downloaded Program Files\MSNChat45.ocx CODEBASE = chat.msn.com -------------------------------------------------- Enumerating Winsock LSP files: NameSpace #1: C:\WINNT\System32\rnr20.dll NameSpace #2: C:\WINNT\System32\winrnr.dll Protocol #1: C:\WINNT\system32\nmtracer.dll Protocol #2: C:\WINNT\system32\nmtracer.dll Protocol #3: C:\WINNT\system32\msafd.dll Protocol #4: C:\WINNT\system32\msafd.dll Protocol #5: C:\WINNT\system32\msafd.dll Protocol #6: C:\WINNT\system32\rsvpsp.dll Protocol #7: C:\WINNT\system32\rsvpsp.dll Protocol #8: C:\WINNT\system32\msafd.dll Protocol #9: C:\WINNT\system32\msafd.dll Protocol #10: C:\WINNT\system32\msafd.dll Protocol #11: C:\WINNT\system32\msafd.dll Protocol #12: C:\WINNT\system32\msafd.dll Protocol #13: C:\WINNT\system32\msafd.dll Protocol #14: C:\WINNT\system32\nmtracer.dll -------------------------------------------------- Enumerating Windows NT/2000/XP services AFD Networking Support 
Environment: \SystemRoot\System32\drivers\afd.sys (autostart) Alerter: %SystemRoot%\System32\services.exe (manual start) ALI AGP Bus Filter: System32\drivers\aliagp.sys (system) Application Management: %SystemRoot%\system32\services.exe (manual start) ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start) RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start) Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system) ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start) Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start) Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k BITSgroup (autostart) Computer Browser: %SystemRoot%\System32\services.exe (autostart) Closed Caption Decoder: system32\drivers\ccdecode.sys (manual start) Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart) Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start) Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart) CD-ROM Driver: System32\DRIVERS\cdrom.sys (system) Indexing Service: C:\WINNT\System32\cisvc.exe (manual start) ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start) C-Media PCI Audio Driver (WDM): system32\drivers\cmaudio.sys (manual start) Crypkey License: crypserv.exe (autostart) dev5_ap1: "D:\phpdev5\apache\Apache.exe" --ntservice (autostart) DHCP Client: %SystemRoot%\System32\services.exe (autostart) Disk Driver: System32\DRIVERS\disk.sys (system) Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start) dmboot: System32\drivers\dmboot.sys (disabled) Logical Disk Manager Driver: System32\drivers\dmio.sys (system) dmload: System32\drivers\dmload.sys (system) Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart) Microsoft DirectMusic SW Synth (WDM): 
system32\drivers\DMusic.sys (manual start) DNS Client: %SystemRoot%\System32\services.exe (autostart) Event Log: %SystemRoot%\system32\services.exe (autostart) COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start) Fax Service: %systemroot%\system32\faxsvc.exe (manual start) Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start) Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start) Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system) Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start) GhostStartService: C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE (autostart) GhostPciScanner: \??\C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys (system) Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start) i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system) IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start) IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start) IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start) IPSEC driver: System32\DRIVERS\ipsec.sys (manual start) IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start) PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system) Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system) Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start) Kobes Driver: \??\C:\WINNT\system32\kobes.sys (manual start) Kobes Service: C:\WINNT\system32\kobes.exe (autostart) Server: %SystemRoot%\System32\services.exe (autostart) Workstation: %SystemRoot%\System32\services.exe (autostart) TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart) Messenger: %SystemRoot%\System32\services.exe (autostart) NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start) Mouse Class Driver: System32\DRIVERS\mouclass.sys (system) BDA MPE Filter: system32\DRIVERS\MPE.sys (manual start) MRXSMB: 
System32\DRIVERS\mrxsmb.sys (system) Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start) Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start) Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start) Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start) Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start) Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start) Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start) NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start) Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe" (autostart) NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040421.035\NAVENG.Sys (manual start) NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040421.035\NavEx15.Sys (manual start) Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start) NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start) Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start) NetBIOS Interface: System32\DRIVERS\netbios.sys (system) NetBT: System32\DRIVERS\netbt.sys (system) Network DDE: %SystemRoot%\system32\netdde.exe (manual start) Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start) NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start) Net Logon: %SystemRoot%\System32\lsass.exe (manual start) Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) NetworkX: \SystemRoot\system32\ckldrv.sys (system) Norton Unerase Protection Driver: \??\C:\WINNT\system32\Drivers\NPDRIVER.SYS (manual start) Norton Unerase Protection: C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE (autostart) NT Apm/Legacy Interface Driver: System32\DRIVERS\NtApm.sys (manual start) NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual 
start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
nv4: system32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Microsoft USB Open Host Controller Driver: System32\DRIVERS\openhci.sys (manual start)
PalmUSBD: system32\drivers\PalmUSBD.sys (manual start)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
QDFSDRV: \??\C:\WINNT\system32\drivers\qdfsdrv.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVRT.SYS (system)
SAVRTPEL: \??\C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVRTPEL.SYS (system)
SAVScan: C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
SDdriver: \??\C:\WINNT\system32\Drivers\sddriver.sys (manual start)
Secdrv: \??\C:\WINNT\system32\drivers\SECDRV.SYS (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Speed Disk service: C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
symlcbrd: \??\C:\WINNT\system32\drivers\symlcbrd.sys (autostart)
SYMREDRV: \??\C:\WINNT\system32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \??\C:\WINNT\system32\Drivers\SYMTDI.SYS (autostart)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Visual Studio Analyzer RPC bridge: C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe (manual start)
Windows Time: %SystemRoot%\System32\services.exe (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
IBM PC Camera: System32\DRIVERS\C-itnt.sys (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:
Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 35,323 bytes
Report generated in 0.561 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only |
iacchus (5532) | ||