HijackThis and AutoStartViewer Logs

Discussion in 'adware, spyware & hijack cleaning' started by Little Mike, Mar 7, 2004.

Thread Status:
Not open for further replies.
  1. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    Below are the HijackThis and AutostartViewer logs from today; these are associated with my post:

    http://www.wilderssecurity.com/showthread.php?t=23801

    Logfile of HijackThis v1.97.7
    Scan saved at 8:27:11 PM, on 3/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    x:\Program Files\Executive Software\Diskeeper\DkService.exe
    x:\Program Files\DriveCrypt\DcrServ.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    X:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    X:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    X:\Program Files\ProcessGuard\pg_msgprot.exe
    X:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\atiptaxx.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
    X:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    X:\PROGRA~1\VISION~1\ONETOU~2.EXE
    X:\Program Files\ScanSoft\TextBridgePro11.0\opware32.exe
    X:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    X:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    X:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    X:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    X:\program files\regprotect\regprot.exe
    X:\Program Files\Port Explorer\PortExplorer.exe
    C:\WINDOWS\System32\ctfmon.exe
    X:\PROGRA~1\SMARTD~2\SDPhotoBar.exe
    X:\Program Files\Microsoft Money\System\mnyexpr.exe
    X:\Program Files\DriveCrypt\DriveCrypt.exe
    C:\Program Files\iolo\Common\Task Agent\task_agent.exe
    X:\Program Files\SmartWhois\sw.exe
    X:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    X:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    X:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    X:\Program Files\Microsoft Office\Office\OSA.EXE
    X:\Program Files\Network Associates\PGPNT\PGPTray.exe
    X:\Program Files\PKWARE\PKZIPO\PKTray.exe
    X:\Program Files\ProcessGuard\procguard.exe
    X:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
    C:\WINDOWS\system32\mmc.exe
    X:\Program Files\winbond\Hardware Doctor\Hwdoctor.exe
    X:\Program Files\SpywareGuard\sgmain.exe
    X:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\dllhost.exe
    X:\Program Files\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dno2k3ta/html/ODC_OFXML_in_Office2003_jrd.asp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = <my company>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - x:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
    O2 - BHO: (no name) - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - x:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - X:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - x:\Program Files\ReGetDx\iebar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - X:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
    O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [SpyCop ScanCheck] x:\Program Files\SpyCop\setup.exe /LASTSCAN
    O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
    O4 - HKLM\..\Run: [PaperPort PTD] x:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] x:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] X:\PROGRA~1\VISION~1\ONETOU~2.EXE
    O4 - HKLM\..\Run: [Omnipage] x:\Program Files\ScanSoft\TextBridgePro11.0\opware32.exe
    O4 - HKLM\..\Run: [IntelliPoint] "x:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] X:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [CookiePatrol] X:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [PPMemCheck] X:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] X:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [KeyPatrol] X:\PROGRA~1\PESTPA~1\KeyPatrol.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [RegProt] x:\program files\regprotect\regprot.exe /start
    O4 - HKLM\..\Run: [Port Explorer] "X:\Program Files\Port Explorer\PortExplorer.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SDPhotoBar.exe] X:\PROGRA~1\SMARTD~2\SDPhotoBar.exe
    O4 - HKCU\..\Run: [MoneyAgent] "x:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [WOPR 2003 Auto-Updater] X:\Program Files\WOPR 2003\Updater.exe /c
    O4 - HKCU\..\Run: [DriveCrypt Startup] x:\Program Files\DriveCrypt\DriveCrypt.exe /WS
    O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\task_agent.exe
    O4 - HKCU\..\Run: [SmartWhois] X:\Program Files\SmartWhois\sw.exe
    O4 - Startup: Process Guard.lnk = X:\Program Files\ProcessGuard\procguard.exe
    O4 - Startup: QuickShelf 2000.lnk = X:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
    O4 - Startup: Shortcut to <my computer> Performance.msc.lnk = C:\WINDOWS\system32\<my computer> Performance.msc
    O4 - Startup: Shortcut to Hwdoctor.lnk = X:\Program Files\winbond\Hardware Doctor\Hwdoctor.exe
    O4 - Startup: SpywareGuard.lnk = X:\Program Files\SpywareGuard\sgmain.exe
    O4 - User Startup: Process Guard.lnk = X:\Program Files\ProcessGuard\procguard.exe
    O4 - User Startup: QuickShelf 2000.lnk = X:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
    O4 - User Startup: Shortcut to <my computer> Performance.msc.lnk = C:\WINDOWS\system32\<my computer> Performance.msc
    O4 - User Startup: Shortcut to Hwdoctor.lnk = X:\Program Files\winbond\Hardware Doctor\Hwdoctor.exe
    O4 - User Startup: SpywareGuard.lnk = X:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Acrobat Assistant.lnk = X:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = X:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = X:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Office Startup.lnk = X:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: PGPtray.lnk = X:\Program Files\Network Associates\PGPNT\PGPTray.exe
    O4 - Global Startup: PKZIP Attachments Status.lnk = X:\Program Files\PKWARE\PKZIPO\PKTray.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O4 - Global Startup: World Time.lnk = X:\Program Files\World Time\WorldTime.exe
    O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
    O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://x:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
    O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
    O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
    O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
    O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
    O9 - Extra button: Print Using ClickBook (HKLM)
    O9 - Extra button: Save As Scholar's Aid WebNote (HKLM)
    O9 - Extra 'Tools' menuitem: Save As Scholar's Aid WebNote (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: SmartWhois (HKLM)
    O9 - Extra 'Tools' menuitem: SmartWhois (HKLM)
    O9 - Extra button: Edit with XML Spy (HKCU)
    O9 - Extra 'Tools' menuitem: Edit with XML Spy (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.merriam-webster.com/toolbar/webinstall.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38011.7906828704
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
    O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for <administrator>@<my computer>, 03-07-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    X:\PROGRA~1\SMARTD~2\SMARTD~1.SCR
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    X:\PROGRA~1\SMARTD~2\SMARTD~1.SCR
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AtiPTA
    C:\WINDOWS\system32\atiptaxx.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HPDJ Taskbar Utility
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpyCop ScanCheck
    x:\Program Files\SpyCop\setup.exe /LASTSCAN
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\B'sCLiP
    C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PaperPort PTD
    x:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IndexSearch
    x:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneTouch Monitor
    X:\PROGRA~1\VISION~1\ONETOU~2.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Omnipage
    x:\Program Files\ScanSoft\TextBridgePro11.0\opware32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IntelliPoint
    x:\Program Files\Microsoft IntelliPoint\point32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultCheck
    C:\WINDOWS\system32\dumprep 0 -k
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SoundMan
    C:\WINDOWS\SOUNDMAN.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HP Software Update
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HP Component Manager
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DeviceDiscovery
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\URLLSTCK.exe
    X:\Program Files\Norton Internet Security\UrlLstCk.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CookiePatrol
    X:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PPMemCheck
    X:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PestPatrol Control Center
    X:\PROGRA~1\PESTPA~1\PPControl.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KeyPatrol
    X:\PROGRA~1\PESTPA~1\KeyPatrol.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Ad-watch
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RegProt
    x:\program files\regprotect\regprot.exe /start
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Port Explorer
    X:\Program Files\Port Explorer\PortExplorer.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
    C:\WINDOWS\System32\ctfmon.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SDPhotoBar.exe
    X:\PROGRA~1\SMARTD~2\SDPhotoBar.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MoneyAgent
    x:\Program Files\Microsoft Money\System\mnyexpr.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WOPR 2003 Auto-Updater
    X:\Program Files\WOPR 2003\Updater.exe /c
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DriveCrypt Startup
    x:\Program Files\DriveCrypt\DriveCrypt.exe /WS
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\iolo Task Agent
    C:\Program Files\iolo\Common\Task Agent\task_agent.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SmartWhois
    X:\Program Files\SmartWhois\sw.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\ALUAlert
    C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Daily Incremental User Backup.job
    C:\WINDOWS\system32\ntbackup.exe
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
    X:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
    C:\WINDOWS\Tasks\PestPatrolCL.job
    X:\Program Files\PestPatrol\PestPatrolCL.exe
    C:\WINDOWS\Tasks\SpyCop.job
    C:\Program Files\Common Files\Microsoft Shared\Perl.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\WINDOWS\Tasks\System_State_Backup_1.job
    C:\WINDOWS\system32\ntbackup.exe
    C:\WINDOWS\Tasks\System_State_Backup_2.job
    C:\WINDOWS\system32\ntbackup.exe
    C:\WINDOWS\Tasks\Weekly Full User Backup.job
    C:\WINDOWS\system32\ntbackup.exe
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Process Guard.lnk
    X:\Program Files\ProcessGuard\procguard.exe
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\QuickShelf 2000.lnk
    X:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to <my computer> Performance.msc.lnk
    C:\WINDOWS\system32\<my computer> Performance.msc
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to Hwdoctor.lnk
    X:\Program Files\winbond\Hardware Doctor\Hwdoctor.exe
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\SpywareGuard.lnk
    X:\Program Files\SpywareGuard\sgmain.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    X:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
    C:\Program Files\Quicken\billmind.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
    X:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
    X:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
    X:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PGPtray.lnk
    X:\Program Files\Network Associates\PGPNT\PGPTray.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PKZIP Attachments Status.lnk
    X:\Program Files\PKWARE\PKZIPO\PKTray.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    C:\Program Files\Quicken\bagent.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
    C:\Program Files\Quicken\QWDLLS.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\World Time.lnk
    X:\Program Files\World Time\WorldTime.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    sprestrt
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\System32\dcsws2.dll
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\INF\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
    C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\Alerter\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\Ati HotKey Poller\
    C:\WINDOWS\System32\Ati2evxx.exe
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ccEvtMgr\
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    HKLM\System\CurrentControlSet\Services\ccExtractorService\
    C:\Program Files\Symantec\DeepSight Extractor\ccExtractorService.exe
    HKLM\System\CurrentControlSet\Services\ccProxy\
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    HKLM\System\CurrentControlSet\Services\ccSetMgr\
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Diskeeper\
    x:\Program Files\Executive Software\Diskeeper\DkService.exe
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\DriveCryptService\
    x:\Program Files\DriveCrypt\DcrServ.exe
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\GhostStartService\
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\MDM\
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\MSSQL$MICROSOFTBCM\
    X:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe -sMICROSOFTBCM
    HKLM\System\CurrentControlSet\Services\navapsvc\
    X:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\ONSIO\
    \??\C:\WINDOWS\System32\drivers\ONSIO.SYS
    HKLM\System\CurrentControlSet\Services\ousbehci\
    C:\WINDOWS\System32\Drivers\ousbehci.sys
    HKLM\System\CurrentControlSet\Services\PGMsgProt\
    X:\Program Files\ProcessGuard\pg_msgprot.exe
    HKLM\System\CurrentControlSet\Services\PGPmemlock\
    \??\C:\WINDOWS\System32\drivers\PGPmemlock.sys
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\procguard\
    \??\C:\WINDOWS\System32\drivers\procguard.sys
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINDOWS\system32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SAVScan\
    X:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    HKLM\System\CurrentControlSet\Services\SBKUPNT\
    \??\C:\WINDOWS\System32\drivers\SBKUPNT.SYS
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SNDSrvc\
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\Symantec Core LC\
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    HKLM\System\CurrentControlSet\Services\symlcbrd\
    \??\C:\WINDOWS\System32\drivers\symlcbrd.sys
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Does anything raise red flags?

    Little Mike
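As an added example (it is not part of this thread, nor a HijackThis or DiamondCS tool), here is a small Python triage script that parses lines in the HJT format above and lists the entries a reviewer would check first: hosts-file overrides (O1), unnamed browser helper objects (O2), extension DLLs sitting directly in the Windows directory or Downloaded Program Files (O2/O3), and the origin of each O16 ActiveX package. The sample lines are a subset excerpted from the log above; the flagging rules are my own heuristics and produce review prompts, not verdicts (for instance the `_MWOLTB.DLL` hits correspond to the Merriam-Webster toolbar listed under O3).

```python
"""Triage helper for HijackThis-style log lines (added example, not a HJT feature)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: a subset of lines excerpted from the HijackThis log above.
SAMPLE_LOG = r"""
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - x:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - X:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
"""

# "<code> - <body>", where the body is " - " separated: kind [, CLSID], target
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str             # HJT section code, e.g. "O2"
    kind: str             # text before the first " - ", e.g. "BHO: (no name)"
    clsid: Optional[str]  # CLSID if the line carries one, upper-cased
    target: str           # final field: file path, URL, or the hosts mapping


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    parts = body.split(" - ")
    clsid = CLSID_RE.search(body)
    return Entry(code, parts[0], clsid.group(0).upper() if clsid else None, parts[-1])


def parse_log(text: str) -> List[Entry]:
    entries = [parse_line(line) for line in text.splitlines()]
    return [e for e in entries if e is not None]


def loads_from_windows_dir(path: str) -> bool:
    """True when an extension DLL sits directly in %WINDIR% or in Downloaded
    Program Files rather than in an application folder (heuristic)."""
    directory = ntpath.dirname(path).lower()
    return directory.endswith("\\windows") or directory.endswith("\\downloaded program files")


def review(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (code, note) pairs for the entries a reviewer should look at first."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.code == "O1":
            # "Hosts: <ip> <name>": anything not pointing at localhost overrides DNS for that name.
            ip, _, host = e.target.split(":", 1)[1].strip().partition(" ")
            if ip not in ("127.0.0.1", "::1"):
                findings.append((e.code, f"hosts file maps {host} to {ip}; verify the owner intended it"))
        elif e.code in ("O2", "O3"):
            if "(no name)" in e.kind:
                findings.append((e.code, f"unnamed extension {e.clsid} -> {e.target}"))
            if loads_from_windows_dir(e.target):
                findings.append((e.code, f"extension DLL outside an application folder: {e.target}"))
        elif e.code == "O16":
            # Record where each ActiveX package was downloaded from, so origins can be checked.
            host = urlparse(e.target).hostname or "?"
            findings.append((e.code, f"ActiveX package {e.clsid} fetched from {host}"))
    return findings


if __name__ == "__main__":
    for code, note in review(parse_log(SAMPLE_LOG)):
        print(f"{code}: {note}")
```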
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Little Mike,

    Welcome to Wilder's!!!

    Your HJT log looks clean to me but I am no expert. Please post as to what kind of problems you are experiencing. In the meanwhile, I am sure an expert will be along shortly to help you.

    Someone else will be along to check your AutoStartViewer log also.

    Regards,
    Kent
     
  3. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    Hi puff-m-d,

    I've been trying to track down certain inbound connection attempts, most of which occur during bootup with "No User". I described these at:
    http://www.wilderssecurity.com/showthread.php?t=23801

    This appears to be a case of certain XP Pro processes trying to make inbound connections on the same machine XP is running on. XP may be designed to do this, but with the NIS 2004 firewall calling out alert, I presumed the worst, until I can figure out why. (I'm a novice; but with all of the intrusion attempts recently, I've been trying to lock down the firewall.)

    Anyway, thank you for looking at the HijackThis log.

    Best regards,
    Little Mike
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Little Mike,

    You are welcome. I apologize for not noticing the link to your original post concerning your problem. As I said, I am no expert but I do not see any problems with your log. Since no expert has jumped in, I would assume your log is OK. I do not know much about the ASV log and would feel better if someone else could analyze it.

    Regards,
    Kent
     