I've been hacked, need help fast

Discussion in 'malware problems & news' started by User8472, Aug 16, 2003.

Thread Status:
Not open for further replies.
  1. User8472

    User8472 Guest

    Not in source code form it's not. ;) I don't have the executable. I only downloaded the source to examine.
    I suspect that particular exploit wasn't used on me. I suspect it was either the DirectX buffer overflow, or the DCOM/RPC exploit.
    Yes, it appears down, but then it always appears to be down for me. It seems it's trying to remain fairly invisible.
    My DNS entries are as they should be (verified from an external source). Oh, and there's an easier way to check than in the registry: winipcfg :p
    No O13 entry. Here's my latest log:

    Code:
    Logfile of HijackThis v1.96.0
    Scan saved at 7:14:53 , on 8/16/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\TCLOCK\TCLOCK.EXE
    C:\PROGRAM FILES\MAXMEM\MAXMEM.EXE
    C:\WINDOWS\INTEGRATOR.EXE
    C:\PROGRAM FILES\MSIE\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MSIE\IEXPLORE.EXE
    C:\PROGRAM FILES\FRHED\FRHED.EXE
    C:\WINDOWS\NOTEPAD.EXE
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/windows/web/home.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:4001
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
    F0 - system.ini: Shell=c:\windows\Explorer.exe
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_3_0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_3_0.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - Startup: TClock.exe.lnk = C:\TClock\TClock.exe
    O4 - Startup: Hare.exe.lnk = C:\Program Files\Hare\Hare.exe
    O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
    O4 - Startup: MaxMem.lnk = C:\Program Files\MaxMem\maxmem.exe
    O4 - User Startup: TClock.exe.lnk = C:\TClock\TClock.exe
    O4 - User Startup: Hare.exe.lnk = C:\Program Files\Hare\Hare.exe
    O4 - User Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
    O4 - User Startup: MaxMem.lnk = C:\Program Files\MaxMem\maxmem.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Trace (HKLM)
    O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37590.9787847222
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav021210.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
    O16 - DPF: HushEncryptionEngine - https://mailserver2.hushmail.com/shared/HushEncryptionEngine.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    OK, this much is clear. My traffic is being routed through s0h.cc whether I like it or not. I want to know how to rectify that situation. I suspect it may be a trojaned driver or LSP, since the connection is invisible to my firewall, and programs like netstat and Port Explorer. Only a driver or LSP would be under the firewall to intercept connections before the firewall or anything else. Note to firewall companies: all firewalls should have low-level driver hooks! LSPs aren't good enough.

    OK, I'm considering reinstalling my modem drivers (again) and seeing if that fixes it. If not, it may be an LSP. In which case... the next step will be a pain in the ass I think. :/
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi,

    Can you please download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review. This gives us a different view than HJT and I believe is more complete as regards startup locations.

    Thanks,

    Dan
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    http://www.cexx.org/lspfix.zip
    As you thought you could have issues with LSP and PE you might like to check that with this little tool.
     
  4. User8472

    User8472 Guest

    Thanks everyone for your efforts, but I believe I've found the solution. And it was something stupid, I simply overlooked it. My LSPs are fine, and I installed a new modem driver to be safe.
    It seems I overlooked a setting in Internet Options. I had the s0h.cc server's IP (62.4.71.36) under LAN settings as the proxy server. This is strange since, as it says right there: "These settings do not apply to dial-up connections."
    And again next to where you enter the LAN proxy address: "These settings do not apply to dial-up or VPN connections."
    Well apparently that's wrong, but that's the reason I overlooked it. The reason I found it was because I had to go around fixing various settings after installing a new modem driver, and just started clicking on every setting.

    BTW, someone mentioned that s0h.cc was down, but it was not. If you use the IP instead, it works fine. (Note the IP has a bogus reverse DNS, but it is the correct IP).

    I've also reconfigured my firewall, but I still have 3 adapter entries instead of one, which is strange. A blank, the adapter, and another blank one. That's the main thing left I can't figure out.
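    Added example, not code from this thread or from HijackThis: the "R1 ... Internet Settings,ProxyServer" line in the log posted earlier in the thread is exactly where HijackThis surfaces the Internet Options proxy setting that the poster later found was sending his traffic through s0h.cc. The script below parses the R0/R1 browser-setting entries of a HijackThis log and flags any configured proxy (classified as loopback or remote) plus any start or search page pointing outside an allow-list; the embedded sample log lines, the trusted-host set and the loopback classification are assumptions of the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the HijackThis v1.96 log posted
# in this thread. The ProxyServer entry is the one that matters here: it is
# where HijackThis surfaces the Internet Options proxy setting that turned out
# to be routing the poster's traffic.
SAMPLE_LOG = r"""Logfile of HijackThis v1.96.0
Platform: Windows 98 SE (Win9x 4.10.2222A)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/windows/web/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:4001
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

# R0/R1 lines look like:  R1 - <hive\key>,<value name> = <value>
R_LINE = re.compile(r"^(R[01]) - (HK[A-Z]+\\[^,]+),([^=]+?) = ?(.*)$")

# Assumption of this example: a proxy on one of these hosts is a local forwarder.
LOOPBACK = {"localhost", "127.0.0.1"}


@dataclass
class REntry:
    kind: str   # "R0" or "R1"
    key: str    # registry key, e.g. HKCU\Software\...\Internet Settings
    name: str   # value name, e.g. "Start Page" or "ProxyServer"
    value: str  # value data; empty string when HijackThis shows nothing


def parse_r_entries(log: str) -> list[REntry]:
    """Extract the R0/R1 (browser settings) entries from a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            entries.append(REntry(m.group(1), m.group(2), m.group(3), m.group(4).strip()))
    return entries


def host_of(value: str) -> str:
    """Host part of a URL or host:port value; '' for empty or file: values."""
    if not value:
        return ""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def classify_proxy(value: str) -> str:
    """'local' for a loopback forwarder, 'remote' for any other host."""
    return "local" if host_of(value) in LOOPBACK else "remote"


def review_browser_settings(log: str, trusted_hosts: set[str]) -> list[str]:
    """One finding per R entry worth a look: any configured proxy (a remote one
    means every IE request transits that host) and any start/search page whose
    host is outside trusted_hosts. Local file: start pages are left alone."""
    findings = []
    for e in parse_r_entries(log):
        hive = e.key.split("\\")[0]
        if e.name == "ProxyServer":
            if e.value:
                findings.append(
                    f"{hive} ProxyServer = {e.value} ({classify_proxy(e.value)} proxy; "
                    "the Internet Options LAN setting, which this thread found is "
                    "honoured on dial-up too)")
            continue
        host = host_of(e.value)
        if host and host not in trusted_hosts:
            findings.append(f"{hive} {e.name} = {e.value} (untrusted host {host})")
    return findings


if __name__ == "__main__":
    for finding in review_browser_settings(SAMPLE_LOG, {"www.google.ca"}):
        print(finding)
```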
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Good for the proxy part, so that is now over.
    I was sure it was not down as you had still your connections all time.

    For the adaptors, if you look with PE, is there traffic on them and connected to special ports? No dialers on your system?
    You might like to look another time in the network settings and check whether your DUN is really installed only once and correctly. Maybe something wrong there from an old install?
    That AutostartViewer log as asked above might give some ideas about that problem too!
    You see, we try to help you out till the bottom of things and all running fine and safe!
     
  6. User8472

    User8472 Guest

    Someone mentioned that the server was down, yet I seemed to be connected through it.
    The only place the adapter entries appear is in my firewall.
    I'm not sure. Everything appears fine, except in my firewall. It's strange. I think I'll check out tech support for my firewall.
    :) It looks OK to me, but I appreciate the help. Here you go, maybe one of you will see something I don't.
    Code:
    c:\autoexec.bat
       SET TEMP=C:\TEMP
       SET TMP=C:\TEMP
    c:\config.sys
       C:\WINDOWS\HIMEM.SYS
       C:\WINDOWS\EMM386.EXE NOEMS
       C:\WINDOWS\COMMAND\ANSI.SYS
       C:\WINDOWS\COMMAND\DRVSPACE.SYS /MOVE
    c:\windows\system.ini [boot]\shell
       c:\windows\Explorer.exe
    HKCR\htafile\shell\open\command\
       C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry
       C:\WINDOWS\scanregw.exe /autorun
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMonitor
       C:\WINDOWS\taskmon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
       C:\WINDOWS\system\SysTray.Exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadPowerProfile
       Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SmcService
       C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\NoLogon
       RUNDLL32 shell32,SHExitWindowsEx 0
    C:\WINDOWS\Profiles\[Username]\Start Menu\Programs\StartUp\TClock.exe.lnk
       C:\TClock\TClock.exe
    C:\WINDOWS\Profiles\[Username]\Start Menu\Programs\StartUp\Hare.exe.lnk
       C:\Program Files\Hare\Hare.exe
    C:\WINDOWS\Profiles\[Username]\Start Menu\Programs\StartUp\AntiCrash.lnk
       C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
    C:\WINDOWS\Profiles\[Username]\Start Menu\Programs\StartUp\MaxMem.lnk
       C:\Program Files\MaxMem\maxmem.exe
    C:\WINDOWS\system\iosubsys\
       C:\WINDOWS\system\iosubsys\BIGMEM.DRV
       C:\WINDOWS\system\iosubsys\ESDI_506.PDR
       C:\WINDOWS\system\iosubsys\HSFLOP.PDR
       C:\WINDOWS\system\iosubsys\RMM.PDR
       C:\WINDOWS\system\iosubsys\SCSIPORT.PDR
       C:\WINDOWS\system\iosubsys\APIX.VXD
       C:\WINDOWS\system\iosubsys\ATAPCHNG.VXD
       C:\WINDOWS\system\iosubsys\CDFS.VXD
       C:\WINDOWS\system\iosubsys\CDTSD.VXD
       C:\WINDOWS\system\iosubsys\CDVSD.VXD
       C:\WINDOWS\system\iosubsys\DISKTSD.VXD
       C:\WINDOWS\system\iosubsys\DISKVSD.VXD
       C:\WINDOWS\system\iosubsys\DRVSPACX.VXD
       C:\WINDOWS\system\iosubsys\NECATAPI.VXD
       C:\WINDOWS\system\iosubsys\SCSI1HLP.VXD
       C:\WINDOWS\system\iosubsys\TORISAN3.VXD
       C:\WINDOWS\system\iosubsys\VOLTRACK.VXD
    C:\WINDOWS\system32\vmm32\
       C:\WINDOWS\system\vmm32\ifsmgr.vxd
       C:\WINDOWS\system\vmm32\configmg.vxd
       C:\WINDOWS\system\vmm32\ntkern.vxd
       C:\WINDOWS\system\vmm32\vcomm.vxd
       C:\WINDOWS\system\vmm32\vdd.vxd
       C:\WINDOWS\system\vmm32\vdmad.vxd
       C:\WINDOWS\system\vmm32\ios.vxd
       C:\WINDOWS\system\vmm32\mrci2.vxd
       C:\WINDOWS\system\vmm32\vflatd.vxd
       C:\WINDOWS\system\vmm32\vmouse.vxd
       C:\WINDOWS\system\vmm32\qemmfix.vxd
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
       C:\WINDOWS\SYSTEM\DCSWS2.DLL
       C:\WINDOWS\SYSTEM\mswsosp.dll
       C:\WINDOWS\SYSTEM\msafd.dll
       C:\WINDOWS\SYSTEM\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\SetupcPerUser\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\AppletsPerUser\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\FontsPerUser\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_ICW_Inis\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
       rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
       RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4395}\
       rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36
    HKLM\Software\Microsoft\Active Setup\Installed Components\{CA0A4247-44BE-11d1-A005-00805F8ABE06}\
       RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Msinfo\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Msinfo2\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\MotownMmsysPerUser\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\MotownAvivideoPerUser\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
       rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\MotownMPlayPerUser\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Base\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\ShellPerUser\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\Shell2PerUser\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_winbase_Links\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_winapps_Links\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_LinkBar_URLs\
       C:\WINDOWS\COMMAND\sulfnbk.exe /L
    HKLM\Software\Microsoft\Active Setup\Installed Components\TapiPerUser\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{73fa19d0-2d75-11d2-995d-00c04f98bbc9}\
       rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUserOldLinks\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\MmoptRegisterPerUser\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\OlsPerUser\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\OlsMsnPerUser\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Paint_Inis\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Calc_Inis\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_dxxspace_Links\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 C:\WINDOWS\INF\applets1.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_CVT_Inis\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Vol\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_MSWordPad_Inis\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_RNA_Inis\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Dialer_Inis\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_CDPlayer_Inis\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\Shell3PerUser\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 C:\WINDOWS\INF\shell3.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}\
       C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
       rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Wingames_Inis\
       rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\appletpp.inf
    HKLM\System\CurrentControlSet\Services\VxD\VNETSUP\
       C:\WINDOWS\system\vnetsup.vxd
    HKLM\System\CurrentControlSet\Services\VxD\NDIS\
       ndis.vxd,ndis2sup.vxd
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
       C:\WINDOWS\system\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\VxD\VRTWD\
       C:\WINDOWS\SYSTEM\vrtwd.386
    HKLM\System\CurrentControlSet\Services\VxD\VFIXD\
       C:\WINDOWS\SYSTEM\vfixd.vxd
    HKLM\System\CurrentControlSet\Services\VxD\VNETBIOS\
       C:\WINDOWS\system\vnetbios.vxd
    HKLM\System\CurrentControlSet\Services\VxD\VREDIR\
       C:\WINDOWS\system\vredir.vxd
    HKLM\System\CurrentControlSet\Services\VxD\DFS\
       C:\WINDOWS\system\dfs.vxd
    HKLM\System\CurrentControlSet\Services\VxD\SYMEVNT\
       C:\PROGRA~1\SYMANTEC\SYMEVNT.386
    HKLM\System\CurrentControlSet\Services\VxD\wpsdrv9x\
       C:\WINDOWS\SYSTEM\wpsdrv9x.vxd
    HKLM\System\CurrentControlSet\Services\VxD\Teefer\
       C:\WINDOWS\SYSTEM\Teefer.vxd
    Another odd thing is that recently spool32.exe started appearing in my process list. It keeps showing up every time I reboot, and it shouldn't be since I don't have a printer. It never used to start before, so I'm not sure why it's starting up now. It doesn't appear in the autostart list either. It's being started by msgsrv32.exe.

    I also have a hunch about the 3 NICs showing up I'm gonna check on.
     
  7. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Regarding the phantom NICs, are you seeing these in Device Manager as well or just in ipconfig /all?

    If in Device Manager, do the phantom NICs have any problem indicators on their respective icons (you know, the yellow or red marks on the icons)?

    Are all three NICs properly identified as regards make and model or are one or both the phantom nics showing something like "Other NIC"?

    I've seen numerous instances of phantom devices and the best solution is to go to safe mode and remove all instances (even the operative one) of the redundant entries and then on the reboot go into the system BIOS and toggle the Clear Extended CMOS area (different BIOSs will have different terms for this) and then bring it back up in normal mode and it will redetect and load (or prompt to load) the right driver.

    Obviously, you will need to have beforehand the drivers and config settings for the NIC.

    HTH,

    Dan
     
  8. User8472

    User8472 Guest

    The only place they appear is in my firewall. They don't appear in the device manager, or in ipconfig /all.
    I'm thinking maybe it's a problem with the firewall, because nothing else indicates the existence of these "phantom NICs".
    There never seems to be any traffic on them, because I've set my firewall to block and log any traffic on them, but the logs are still empty.
     
  9. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    What version of Sygate are you using, if I may ask? (I'm sorry if you mentioned this earlier but I couldn't find it.)
     
  10. User8472

    User8472 Guest

    I think I was using 5.0. No matter, I've uninstalled it and installed the latest version (5.1), reconfigured it (for about the 10th time), and everything seems to be working fine. No more phantom adapters, and the rules seem to be working properly as well. :)
    Thanks again everyone.
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Are all your problems really solved with all this? That sounds really great!
    And wouldn't this be a very nice time to register as a member on this forum too? You might get into a next contest we hope there will be in future! :)
     
  12. Q

    Q Guest

    It's the AntiCrash/Zoom/Hare thing.

    http://dachshundsoftware.com

    They have 4 programs that run in the systray, so they have one program (INTEGRATOR.EXE) and one icon (instead of 4) in the systray.

    -Q

    PS. After I killed ZOOM 2000P stopped InLoEing on shutdown!
     