Not open for further replies.
1 - 7 of 7 Posts

· Registered
4 Posts
Discussion Starter · #1 ·
This forum has been a great deal of support. We have five children with varying levels of computer skills. Started having strange problems. I have now done Adaware, Spybot and here is the Hijack file. Please take a look and see if there is anything alarming, and let me know if there is anything else I need to do. Thanks in advance, Dusty

Logfile of HijackThis v1.97.7
Scan saved at 2:11:28 AM, on 4/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\Program Files\ZoneAlarm\zapro.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: ZoneAlarm Pro.lnk = F:\Program Files\ZoneAlarm\zapro.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

· Registered
46,025 Posts
Once you have selected Scan, then save the Scanlog. Open that and select Edit > Select All, Edit > Copy. Then you can right click on a message box here and select "Paste". The entire log text should appear. Verify that what you see is what you get.

To double check, would you also open the Task Manager (ctrl-alt-del) and verify that all the processes shown there are also listed as "Running Processes" in HijackThis.
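
The cross-check requested in the post above (every process visible in Task Manager should also appear under "Running processes" in the log), as an added example that is not part of the original thread. The function names and the Task Manager name list are assumptions constructed for illustration; the log excerpt is the one posted in this thread.

```python
import ntpath
from collections import Counter

def running_processes(log_text):
    """Paths listed under 'Running processes:' in a HijackThis or StartupList log."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section and line:
            paths.append(line)
        elif in_section and paths:
            break  # first blank line after the entries ends the section
    return paths

def cross_check(log_text, task_manager_names):
    """Compare by image name, since Task Manager's Processes tab shows names, not paths."""
    logged = Counter(ntpath.basename(p).lower() for p in running_processes(log_text))
    seen = Counter(n.strip().lower() for n in task_manager_names if n.strip())
    return {
        # Running but absent from the log: the log is truncated or something is hidden from it.
        "missing_from_log": sorted((seen - logged).elements()),
        # Logged but not visible in Task Manager: exited since the scan, or hidden from the UI.
        "missing_from_task_manager": sorted((logged - seen).elements()),
    }

# Running-processes section as posted in the thread's first log.
HIJACKTHIS_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
F:\Program Files\ZoneAlarm\zapro.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
"""

# Constructed sample: image names as they would be copied from Task Manager.
TASK_MANAGER = ["qttask.exe", "zapro.exe", "IEXPLORE.EXE", "msimn.exe", "IEXPLORE.EXE"]

if __name__ == "__main__":
    for kind, names in cross_check(HIJACKTHIS_LOG, TASK_MANAGER).items():
        print(kind, names)
```

Duplicate image names are counted, so a second IEXPLORE.EXE instance that the log does not show is reported rather than collapsed into the first.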

· Registered
46,025 Posts
Extremely weird, but let's try another method. Run HijackThis, instead of selecting Scan, select:

Config > Misc Tools, put a check in "also list minor sections" then select "Generate Startuplist". Copy/paste that here instead. It won't show some things the scanlog shows, but it might show what is missing.

· Registered
4 Posts
Discussion Starter · #7 ·
StartupList report, 4/16/2004, 10:45:23 PM
StartupList version: 1.52
Started from : C:\Installs\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections

Running processes:

F:\program files\Quicktime\qttask.exe
F:\Program Files\ZoneAlarm\zapro.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE


Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
ZoneAlarm Pro.lnk = F:\Program Files\ZoneAlarm\zapro.exe


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,


Autorun entries from Registry:

Synchronization Manager = mobsync.exe /logon
QuickTime Task = "F:\program files\Quicktime\qttask.exe" -atboottime


Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl


Shell & screensaver key from C:\winnt\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*


Checking for EXPLORER.EXE instances:

C:\winnt\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\winnt\Explorer\Explorer.exe: not present
C:\winnt\System\Explorer.exe: not present
C:\winnt\System32\Explorer.exe: not present
C:\winnt\Command\Explorer.exe: not present
C:\winnt\Fonts\Explorer.exe: not present


Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden


Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\winnt\system32\iuctl.dll

[Shockwave Flash Object]
InProcServer32 = C:\winnt\system32\macromed\flash\Flash.ocx


Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
AVSync Manager: "C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe" (autostart)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
Messenger: %SystemRoot%\System32\services.exe (autostart)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
vsdatant: \??\C:\WINNT\system32\vsdatant.sys (autostart)
TrueVector Internet Monitor: C:\WINNT\system32\ZoneLabs\vsmon.exe -service (autostart)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)


Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\winnt\System32\webcheck.dll
SysTray: stobject.dll

End of report, 7,450 bytes
Report generated in 0.391 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only