#1
Join Date: Oct 2004
Location: South Coast UK
Posts: 907
OS: Win XP Pro/XP Home/98se/Suse Linux 9.1 & Xandros 3 Deluxe
So sloooooow on the net
Could one of you guys take a look at this scan please?
It's from the other disk on the same PC that has been looked at earlier. Each disk has its own different O/S but in the past if one is affected then so has the other. Over the last couple of weeks this O/S has hardly been used but I guess something might have been sneaked in. Many thanks....Peter

```
Logfile of HijackThis v1.98.2
Scan saved at 20:03:53, on 25/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\WINCLE~1\QHONSVC.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\WINCLE~1\MailSvr.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jucheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [QH Reminder] C:\PROGRA~1\WINCLE~1\qhremind.exe
O4 - HKLM\..\Run: [Quick Heal e-mail Protection] C:\PROGRA~1\WINCLE~1\MailSvr.exe
O4 - HKLM\..\Run: [QH Live Update Scheduler] C:\PROGRA~1\WINCLE~1\UPSCHD.EXE /FIRSTRUN
O4 - HKLM\..\Run: [QH Office 2K Check] C:\PROGRA~1\WINCLE~1\O2KCHECK.EXE /CHECK
O4 - HKLM\..\Run: [Quick Heal On-Line Protection] C:\PROGRA~1\WINCLE~1\CATEYE.EXE
O4 - HKLM\..\Run: [Quick Heal Messenger] C:\PROGRA~1\WINCLE~1\QHM32.EXE
O4 - HKLM\..\Run: [Quick Heal Activate] C:\PROGRA~1\WINCLE~1\ACTIVATE.EXE
O4 - HKLM\..\Run: [Quick Heal Startup Scan] C:\PROGRA~1\WINCLE~1\QHSTRT32.exe /loadrun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Resume Liveup] C:\PROGRA~1\WINCLE~1\Liveup.exe /resume
O4 - HKLM\..\RunOnce: [Quick Heal Startup Scan] C:\PROGRA~1\WINCLE~1\QHSTRT32.exe /check
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097156148390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
```
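Added example, not part of the thread and not HijackThis's own code: a small Python parser for the HijackThis v1.98 log format posted above. It splits the "Running processes" list from the R/O entries, breaks each O4 autostart into location, value name and command, and attaches review flags that a log reader looks for by hand: a bare file name with no path (resolved by path search at logon rather than from a fixed location), a .lnk whose target HijackThis could not resolve (`?`), and an executable running from a user profile directory. The sample lines are a constructed subset copied from the posted log; the regexes, flag names and the `Item` structure are my own. A flag is a prompt to look at the entry, not a verdict; on this page the reviewer judged the log clean, and the one profile-directory hit is HijackThis.exe itself.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: a subset of the HijackThis v1.98.2 log posted in this
# thread, one entry per line as HijackThis writes them.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
Scan saved at 20:03:53, on 25/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\WINCLE~1\QHONSVC.EXE
C:\Documents and Settings\Dad\Desktop\HijackThis.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\RunOnce: [Quick Heal Startup Scan] C:\PROGRA~1\WINCLE~1\QHSTRT32.exe /check
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<loc>HK[A-Z]+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?P<loc>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$")
# HijackThis logs unquoted paths containing spaces, so cut at the first
# executable extension rather than at the first space.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.IGNORECASE)


@dataclass
class Item:
    kind: str        # "process", "HKLM\..\Run", "Global Startup", ...
    name: str        # value name, .lnk name, or the process path itself
    command: str     # command line exactly as logged
    exe: str         # executable portion of the command
    flags: List[str] = field(default_factory=list)


def split_exe(command: str) -> str:
    """Return the executable part of a logged command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def classify(exe: str) -> List[str]:
    """Heuristic review flags (assumptions of this example, not a verdict)."""
    flags = []
    if exe == "?":
        flags.append("unresolved-target")   # HijackThis could not resolve the .lnk
    elif "\\" not in exe:
        flags.append("no-path")             # bare name, found by path search at logon
    elif exe.lower().startswith("c:\\documents and settings\\"):
        flags.append("user-profile-dir")    # runs from a user-writable profile location
    return flags


def parse_hijackthis(text: str) -> Dict[str, list]:
    """Split a HijackThis log into processes, raw R/O entries and O4 autostarts."""
    result = {"processes": [], "entries": [], "autostarts": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            sec, body = m.group("sec"), m.group("body")
            result["entries"].append((sec, body))
            if sec == "O4":
                mm = RUN_RE.match(body) or STARTUP_RE.match(body)
                if mm:
                    exe = split_exe(mm.group("cmd"))
                    result["autostarts"].append(
                        Item(mm.group("loc"), mm.group("name"), mm.group("cmd"), exe, classify(exe)))
            continue
        if in_procs:  # process lines are full, unquoted paths
            result["processes"].append(Item("process", line, line, line, classify(line)))
    return result


def review_list(result: Dict[str, list]) -> List[Tuple[str, str, List[str]]]:
    """Every process or autostart that picked up at least one flag."""
    return [(i.kind, i.name, i.flags)
            for i in result["processes"] + result["autostarts"] if i.flags]


if __name__ == "__main__":
    for kind, name, flags in review_list(parse_hijackthis(SAMPLE_LOG)):
        print(f"{kind:<16} {name:<55} {', '.join(flags)}")
```

Run against the full posted log, the same flags land on the `SoundMan` and `Intense Registry Service` entries (both path-less) and on the unresolved Works Calendar shortcut; everything else resolves to a fixed path under the Windows or Program Files directories.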
#2
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Safe for now...Log is clean
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#3
Join Date: Oct 2004
Location: South Coast UK
Posts: 907
OS: Win XP Pro/XP Home/98se/Suse Linux 9.1 & Xandros 3 Deluxe
Could one of you guys take a look at this full scan please...I'm sure something has been well hidden...I have struggled to even upload this scan.
Many thanks...Peter

```
StartDreck (build 2.1.5 public BETA) - 2004-11-26 @ 09:08:49
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
»Registry
»Run Keys
»Current User
»Run
*CTFMON.EXE=C:\WINDOWS\system32\ctfmon.exe
*msnmsgr="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
*ILO_Office_Manager=IntEdReg.exe /OFFMAN
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
*ATICCC="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
*AVG7_Run=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
»RunOnce
»Local Machine
»Run
*SoundMan=SOUNDMAN.EXE
*SunJavaUpdateSched=C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
*Intense Registry Service=IntEdReg.exe /CHECK
*ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
*ATICCC="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
*iTunesHelper=C:\Program Files\iTunes\iTunesHelper.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*McAfee Guardian="C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
*QH Reminder=C:\PROGRA~1\WINCLE~1\qhremind.exe
*Quick Heal e-mail Protection=C:\PROGRA~1\WINCLE~1\MailSvr.exe
*QH Live Update Scheduler=C:\PROGRA~1\WINCLE~1\UPSCHD.EXE /FIRSTRUN
*QH Office 2K Check=C:\PROGRA~1\WINCLE~1\O2KCHECK.EXE /CHECK
*Quick Heal On-Line Protection=C:\PROGRA~1\WINCLE~1\CATEYE.EXE
*Quick Heal Messenger=C:\PROGRA~1\WINCLE~1\QHM32.EXE
*Quick Heal Activate=C:\PROGRA~1\WINCLE~1\ACTIVATE.EXE
*Quick Heal Startup Scan=C:\PROGRA~1\WINCLE~1\QHSTRT32.exe /loadrun
*AVG7_CC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
*AVG7_EMC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
*Resume Liveup=C:\PROGRA~1\WINCLE~1\Liveup.exe /resume
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
*Quick Heal Startup Scan=C:\PROGRA~1\WINCLE~1\QHSTRT32.exe /check
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
*.bat
*batfile="%1" %*
*.com
*comfile="%1" %*
*.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
*.exe
*exefile="%1" %*
*.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
*.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.pif
*piffile="%1" %*
*.scr
*scrfile="%1" /S
*.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
*.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
*Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
*Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
*Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
*Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
*Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
*NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
*Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278}
*StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
*Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
*Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
*Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
*Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
*Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
»Browser Helper Objects (LM)
*YBIOCtrl.CompanionBHO.4/{02478D38-C3F9-4efb-9B51-7695ECA05670}
`InprocServer32=C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar1.dll
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\system32\blank.htm
*Search Bar=http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
*Search Page=http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
»Default User
»Local Machine
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Dad\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\system32\config.nt
`REM Windows MS-DOS Startup File
`REM
`REM CONFIG.SYS vs CONFIG.NT
`REM CONFIG.SYS is not used to initialize the MS-DOS environment.
`REM CONFIG.NT is used to initialize the MS-DOS environment unless a
`REM different startup file is specified in an application's PIF.
`REM
`REM ECHOCONFIG
`REM By default, no information is displayed when the MS-DOS environment
`REM is initialized. To display CONFIG.NT/AUTOEXEC.NT information, add
`REM the command echoconfig to CONFIG.NT or other startup file.
`REM
`REM NTCMDPROMPT
`REM When you return to the command prompt from a TSR or while running an
`REM MS-DOS-based application, Windows runs COMMAND.COM. This allows the
`REM TSR to remain active. To run CMD.EXE, the Windows command prompt,
`REM rather than COMMAND.COM, add the command ntcmdprompt to CONFIG.NT or
`REM other startup file.
`REM
`REM DOSONLY
`REM By default, you can start any type of application when running
`REM COMMAND.COM. If you start an application other than an MS-DOS-based
`REM application, any running TSR may be disrupted. To ensure that only
`REM MS-DOS-based applications can be started, add the command dosonly to
`REM CONFIG.NT or other startup file.
`REM
`REM EMM
`REM You can use EMM command line to configure EMM(Expanded Memory Manager).
`REM The syntax is:
`REM
`REM EMM = [A=AltRegSets] [B=BaseSegment] [RAM]
`REM
`REM AltRegSets
`REM specifies the total Alternative Mapping Register Sets you
`REM want the system to support. 1 <= AltRegSets <= 255. The
`REM default value is 8.
`REM BaseSegment
`REM specifies the starting segment address in the Dos conventional
`REM memory you want the system to allocate for EMM page frames.
`REM The value must be given in Hexdecimal.
`REM 0x1000 <= BaseSegment <= 0x4000. The value is rounded down to
`REM 16KB boundary. The default value is 0x4000
`REM RAM
`REM specifies that the system should only allocate 64Kb address
`REM space from the Upper Memory Block(UMB) area for EMM page frames
`REM and leave the rests(if available) to be used by DOS to support
`REM loadhigh and devicehigh commands. The system, by default, would
`REM allocate all possible and available UMB for page frames.
`REM
`REM The EMM size is determined by pif file(either the one associated
`REM with your application or _default.pif). If the size from PIF file
`REM is zero, EMM will be disabled and the EMM line will be ignored.
`REM
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\system32\autoexec.nt
`@echo off
`REM AUTOEXEC.BAT is not used to initialize the MS-DOS environment.
`REM AUTOEXEC.NT is used to initialize the MS-DOS environment unless a
`REM different startup file is specified in an application's PIF.
`REM Install CD ROM extensions
`lh %SystemRoot%\system32\mscdexnt.exe
`REM Install network redirector (load before dosx.exe)
`lh %SystemRoot%\system32\redir
`REM Install DPMI support
`lh %SystemRoot%\system32\dosx
`REM The following line enables Sound Blaster 2.0 support on NTVDM.
`REM The command for setting the BLASTER environment is as follows:
`REM SET BLASTER=A220 I5 D1 P330
`REM where:
`REM A specifies the sound blaster's base I/O port
`REM I specifies the interrupt request line
`REM D specifies the 8-bit DMA channel
`REM P specifies the MPU-401 base I/O port
`REM T specifies the type of sound blaster card
`REM 1 - Sound Blaster 1.5
`REM 2 - Sound Blaster Pro I
`REM 3 - Sound Blaster 2.0
`REM 4 - Sound Blaster Pro II
`REM 6 - SOund Blaster 16/AWE 32/32/64
`REM
`REM The default value is A220 I5 D1 T3 and P330. If any of the switches is
`REM left unspecified, the default value will be used. (NOTE, since all the
`REM ports are virtualized, the information provided here does not have to
`REM match the real hardware setting.) NTVDM supports Sound Blaster 2.0 only.
`REM The T switch must be set to 3, if specified.
`SET BLASTER=A220 I5 D1 P330 T3
`REM To disable the sound blaster 2.0 support on NTVDM, specify an invalid
`REM SB base I/O port address. For example:
`REM SET BLASTER=A0
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(1)partition(1)\WINDOW3G
`[operating systems]
`multi(0)disk(0)rdisk(1)partition(1)\WINDOW3G="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
»%PATH% Companion Files
*C:\WINDOWS\system32\notepad.exe
*C:\WINDOWS\notepad.exe
*C:\WINDOWS\system32\slrundll.exe
*C:\WINDOWS\slrundll.exe
*C:\WINDOWS\system32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
*C:\WINDOWS\system32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
*00000000=<unkown>
*00000004=<unkown>
*00000340=\SystemRoot\System32\smss.exe
*000003A0=<unkown>
*000003B8=\??\C:\WINDOWS\system32\winlogon.exe
*000003E4=C:\WINDOWS\system32\services.exe
*000003F0=C:\WINDOWS\system32\lsass.exe
*00000490=C:\WINDOWS\System32\Ati2evxx.exe
*0000049C=C:\WINDOWS\system32\svchost.exe
*00000530=<unkown>
*000005B0=C:\WINDOWS\System32\svchost.exe
*000005DC=<unkown>
*00000618=<unkown>
*00000798=C:\WINDOWS\system32\spoolsv.exe
*00000084=C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
*000000B0=C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
*0000015C=C:\PROGRA~1\WINCLE~1\QHONSVC.EXE
*000001E8=C:\WINDOWS\system32\wuauclt.exe
*000004D0=C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
*0000067C=<unkown>
*000006C0=C:\WINDOWS\system32\Ati2evxx.exe
*00000738=C:\WINDOWS\Explorer.EXE
*00000818=C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
*00000834=C:\WINDOWS\SOUNDMAN.EXE
*0000084C=C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
*00000864=C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
*0000086C=C:\Program Files\iTunes\iTunesHelper.exe
*00000878=C:\Program Files\QuickTime\qttask.exe
*0000089C=C:\Program Files\Java\j2re1.4.2_01\bin\jucheck.exe
*000008A0=C:\Program Files\Common Files\Real\Update_OB\realsched.exe
*000008B8=C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
*000008E0=C:\PROGRA~1\WINCLE~1\MailSvr.exe
*000008E8=C:\Program Files\iPod\bin\iPodService.exe
*00000948=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
*0000095C=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
*00000988=C:\WINDOWS\system32\ctfmon.exe
*00000998=C:\Program Files\Real\RealPlayer\RealPlay.exe
*000009B8=C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
*00000A0C=C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
*00000D7C=C:\WINDOWS\system32\wscntfy.exe
*00000940=A:\StartDreck\StartDreck.exe
*00000694=A:\StartDreck\StartDreck.exe
»NT Services
*Alerter Alerter - disabled
*Application Layer Gateway Service ALG running on demand
*Application Management AppMgmt - on demand
*ASP.NET State Service aspnet_state - on demand
*Ati HotKey Poller Ati HotKey Poller running auto
*ATI Smart ATI Smart - auto
*Windows Audio AudioSrv running auto
*AVG7 Alert Manager Server Avg7Alrt running auto
*AVG7 Update Service Avg7UpdSvc running auto
*Background Intelligent Transfer Service BITS running auto
*Computer Browser Browser running auto
*Indexing Service CiSvc - on demand
*ClipBook ClipSrv - disabled
*COM+ System Application COMSysApp - on demand
*Cryptographic Services CryptSvc running auto
*DCOM Server Process Launcher DcomLaunch running auto
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver running auto
*DNS Client Dnscache running auto
*Error Reporting Service ERSvc running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*Fast User Switching Compatibility FastUserSwitchingCom running on demand
*Help and Support helpsvc running auto
*Human Interface Device Access HidServ - disabled
*HTTP SSL HTTPFilter - on demand
*IMAPI CD-Burning COM Service ImapiService - on demand
*iPod Service iPodService running on demand
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*TCP/IP NetBIOS Helper LmHosts running auto
*McAfee Firewall McAfee Firewall running auto
*Messenger Messenger - disabled
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Network DDE NetDDE - disabled
*Network DDE DSDM NetDDEdsdm - disabled
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*Network Location Awareness (NLA) Nla running on demand
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc - on demand
*Plug and Play PlugPlay running auto
*IPSEC Services PolicyAgent - auto
*Protected Storage ProtectedStorage running auto
*Quick Heal Online Protection Quick Heal Online Pr running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Remote Desktop Help Session Manager RDSessMgr - on demand
*Routing and Remote Access RemoteAccess running auto
*Remote Registry RemoteRegistry running auto
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*Secondary Logon seclogon running auto
*System Event Notification SENS running auto
*Windows Firewall/Internet Connection Sharing (I SharedAccess running auto
`CS)
*Shell Hardware Detection ShellHWDetection running auto
*Print Spooler Spooler running auto
*System Restore Service srservice - auto
*SSDP Discovery Service SSDPSRV - disabled
*Windows Image Acquisition (WIA) stisvc - on demand
*MS Software Shadow Copy Provider SwPrv - on demand
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Terminal Services TermService running on demand
*Themes Themes running auto
*Telnet TlntSvr - disabled
*Distributed Link Tracking Client TrkWks running auto
*Universal Plug and Play Device Host upnphost - disabled
*Uninterruptible Power Supply UPS - on demand
*Volume Shadow Copy VSS - on demand
*Windows Time W32Time running auto
*WebClient WebClient running auto
*Windows Management Instrumentation winmgmt running auto
*Portable Media Serial Number Service WmdmPmSN - on demand
*Windows Management Instrumentation Driver Exten Wmi - on demand
`sions
*WMI Performance Adapter WmiApSrv - on demand
*Security Center wscsvc running auto
*Automatic Updates wuauserv running auto
*Wireless Zero Configuration WZCSVC running auto
*Network Provisioning Service xmlprov - on demand
»NT Kernel- and FS-drivers
*Abiosdsk Abiosdsk - disabled
*abp480n5 abp480n5 - disabled
*Microsoft ACPI Driver ACPI running boot
*ACPIEC ACPIEC - disabled
*adpu160m adpu160m - disabled
*Microsoft Kernel Acoustic Echo Canceller aec - on demand
*AFD Networking Support Environment AFD running system
*Aha154x Aha154x - disabled
*aic78u2 aic78u2 - disabled
*aic78xx aic78xx - disabled
*Service for Avance AC97 Audio (WDM) ALCXWDM running on demand
*AliIde AliIde - disabled
*AMD K7 Processor Driver AmdK7 running system
*amsint amsint - disabled
*asc asc - disabled
*asc3350p asc3350p - disabled
*asc3550 asc3550 - disabled
*RAS Asynchronous Media Driver AsyncMac - on demand
*Standard IDE/ESDI Hard Disk Controller atapi running boot
*Atdisk Atdisk - disabled
*ati2mtag ati2mtag running on demand
*ATM ARP Client Protocol Atmarpc - on demand
*Audio Stub Driver audstub running on demand
*AVG7 Kernel Avg7Core running system
*AVG7 Wrap Driver Avg7RsW running system
*AVG7 Rezident Driver Avg7RsXP running system
*AVG Network Redirector AvgTdi running auto
*Beep Beep running system
*cbidf2k cbidf2k - disabled
*cd20xrnt cd20xrnt - disabled
*Cdaudio Cdaudio - system
*Cdfs Cdfs running disabled
*CD-ROM Driver Cdrom running system
*Changer Changer - system
*CmdIde CmdIde - disabled
*Binatone ADSL500 USB Modem Network Adapter Driv CnxTrLan - on demand
`er
*Binatone ADSL500 USB Modem Network Interface De CnxTrUsb - on demand
`vice Driver
*Cpqarray Cpqarray - disabled
*dac960nt dac960nt - disabled
*Disk Driver Disk running boot
*dmboot dmboot - disabled
*Logical Disk Manager Driver dmio running boot
*dmload dmload running boot
*Microsoft Kernel DLS Syntheiszer DMusic - on demand
*dpti2o dpti2o - disabled
*Microsoft Kernel DRM Audio Descrambler drmkaud - on demand
*Fastfat Fastfat running disabled
*Floppy Disk Controller Driver Fdc running on demand
*VIA Rhine Family Fast Ethernet Adapter Driver FETNDIS running on demand
*Fips Fips running system
*Floppy Disk Driver Flpydisk running on demand
*FltMgr FltMgr running boot
*Volume Manager Driver Ftdisk running boot
*GEAR CDRom Filter GEARAspiWDM running on demand
*GMSIPCI GMSIPCI - on demand
*Generic Packet Classifier Gpc running on demand
*hpn hpn - disabled
*HTTP HTTP - on demand
*i2omgmt i2omgmt - system
*i2omp i2omp - disabled
*i8042 Keyboard and PS/2 Mouse Port Driver i8042prt running system
*CD-Burning Filter Driver Imapi running system
*ini910u ini910u - disabled
*IntelIde IntelIde - disabled
*Intel(R) 536EP V.92 Modem Intels51 running on demand
*IPv6 Windows Firewall Driver ip6fw - on demand
*IP Traffic Filter Driver IpFilterDriver - on demand
*IP in IP Tunnel Driver IpInIp - on demand
*IP Network Address Translator IpNat running on demand
*IPSEC driver IPSec running system
*IR Enumerator Service IRENUM - on demand
*PnP ISA/EISA Bus Driver isapnp running boot
*Keyboard Class Driver Kbdclass running system
*Microsoft Kernel Wave Audio Mixer kmixer running on demand
*KSecDD KSecDD running boot
*lbrtfdc lbrtfdc - system
*McAfee Firewall Network Filter Miniport McAfeePF running on demand
*mnmdd mnmdd running system
*Modem Modem running on demand
*Unimodem Streaming Filter Device MODEMCSA running on demand
*Mouse Class Driver Mouclass running system
*Mount Point Manager MountMgr running boot
*mraid35x mraid35x - disabled
*WebDav Client Redirector MRxDAV running on demand
*MRxSmb MRxSmb running system
*Msfs Msfs running system
*Microsoft Streaming Service Proxy MSKSSRV - on demand
*Microsoft Streaming Clock Proxy MSPCLOCK - on demand
*Microsoft Streaming Quality Manager Proxy MSPQM - on demand
*Microsoft System Management BIOS Driver mssmbios running on demand
*Mup Mup running boot
*NDIS System Driver NDIS running boot
*Remote Access NDIS TAPI Driver NdisTapi running on demand
*NDIS Usermode I/O Protocol Ndisuio running on demand
*Remote Access NDIS WAN Driver NdisWan running on demand
*NDIS Proxy NDProxy running on demand
*NetBIOS Interface NetBIOS running system
*NetBios over Tcpip NetBT running system
*Npfs Npfs running system
*NTACCESS NTACCESS - on demand
*Ntfs Ntfs running disabled
*Null Null running system
*IPX Traffic Filter Driver NwlnkFlt - on demand
*IPX Traffic Forwarder Driver NwlnkFwd - on demand
*Parallel port driver Parport running on demand
*Partition Manager PartMgr running boot
*ParVdm ParVdm running auto
*PCI Bus Driver PCI running boot
*PCIDump PCIDump - system
*PCIIde PCIIde - disabled
*Pcmcia Pcmcia - disabled
*PDCOMP PDCOMP - on demand
*PDFRAME PDFRAME - on demand
*PDRELI PDRELI - on demand
*PDRFRAME PDRFRAME - on demand
*perc2 perc2 - disabled
*perc2hib perc2hib - disabled
*WAN Miniport (PPTP) PptpMiniport running on demand
*QoS Packet Scheduler PSched running on demand
*Direct Parallel Link Driver Ptilink running on demand
*QHONLINE QHONLINE running auto
*QHScreen QHScreen running boot
*ql1080 ql1080 - disabled
*Ql10wnt Ql10wnt - disabled
*ql12160 ql12160 - disabled
*ql1240 ql1240 - disabled
*ql1280 ql1280 - disabled
*Remote Access Auto Connection Driver RasAcd running system
*WAN Miniport (L2TP) Rasl2tp running on demand
*Remote Access PPPOE Driver RasPppoe running on demand
*Direct Parallel Raspti running on demand
*Rdbss Rdbss running system
*RDPCDD RDPCDD running system
*Terminal Server Device Redirector Driver rdpdr running on demand
*RDPWD RDPWD - on demand
*Digital CD Audio Playback Filter Driver redbook running system
*SANDRA SANDRA - on demand
*Secdrv Secdrv running auto
*Serenum Filter Driver serenum running on demand
*Serial port driver Serial running system
*SetupNTGLM7X SetupNTGLM7X - on demand
*Sfloppy Sfloppy - system
*Simbad Simbad - disabled
*Sparrow Sparrow - disabled
*Microsoft Kernel Audio Splitter splitter - on demand
*System Restore Filter Driver sr - disabled
*Srv Srv running on demand
*Software Bus Driver swenum running on demand
*Microsoft Kernel GS Wavetable Synthesizer swmidi - on demand
*symc810 symc810 - disabled
*symc8xx symc8xx - disabled
*sym_hi sym_hi - disabled
*sym_u3 sym_u3 - disabled
*Microsoft Kernel System Audio Device sysaudio running on demand
*TCP/IP Protocol Driver Tcpip running system
*TDPIPE TDPIPE - on demand
*TDTCP TDTCP - on demand
*Terminal Device Driver TermDD running system
*TosIde TosIde - disabled
*Udfs Udfs - disabled
*ultra ultra - disabled
*Microcode Update Driver Update running on demand
*Microsoft USB 2.0 Enhanced Host Controller Mini usbehci running on demand
`port Driver
*USB2 Enabled Hub usbhub running on demand
*Microsoft USB PRINTER Class usbprint running on demand
*Microsoft USB Universal Host Controller Minipor usbuhci running on demand
`t Driver
*VGA Display Controller. VgaSave running system
*VIA AGP Filter viaagp1 running boot
*ViaIde ViaIde running boot
*VolSnap VolSnap running boot
*Remote Access IP ARP Driver Wanarp running on demand
*WDICA WDICA - on demand
*Microsoft WINMM WDM Audio Compatibility Driver wdmaud running on demand
*Windows Socket 2.0 Non-IFS Service Provider Sup WS2IFSL running system
`port Environment
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
```
#4
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
I see nothing in this log either. Please describe the problem you are having. Popups? Redirects? etc.

I can take a look at your run reg keys... Click on the link below and download the reglook.zip file.

http://www.bleepingcomputer.com/files/reglook.php

Unzip the file to its own folder somewhere. Double-click the runme.bat file inside to run it. Post the log it produces in your next reply here.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!

Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#5
UK
Join Date: Oct 2004
Location: South Coast UK
Posts: 907
OS: Win XP Pro/XP Home/98se/Suse Linux 9.1 & Xandros 3 Deluxe
Hi
The problems I am having are browser hanging and very slow transitions from page to page. My upload ability is almost nil and download speeds are about 25% of what they should be (I have a 512 connection). Over the last six weeks I have been targeted by a particularly nasty hacker and I believe they are aware that I have received help from you guys, and I think they have done something very covert, knowing that it would be spotted if not well concealed. Your colleagues had cleared out the hacker stuff and both o/s's, Win XP Home and Win XP Pro (two disks on the same PC), were running great. Then I inadvertently left my PC connected to a message board (which is associated with the hacking) and after that both o/s had slowed right down, as now. I had been getting port attack warnings earlier that day. I think the hacker uses the BIOS port (not sure about that, as I have very limited knowledge of hacking). Really appreciate your help... thank you.... Peter

........................................................................................................

A reg_look by IMM
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(key has 0 subkeys and 7 value entries - last modified 12:43(UTC) 22/10/2004)
[AppInit_DLLs] = "" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(key has 5 subkeys and 33 value entries - last modified 09:30(UTC) 26/11/2004)
[Userinit] = "D:\WINDOW3G\system32\userinit.exe," (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
(key has 0 subkeys and 5 value entries - last modified 12:43(UTC) 22/10/2004)
[Shell] = "SYS:Microsoft\Windows NT\CurrentVersion\Winlogon" (REG_SZ)
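As an added example (this is neither the poster's nor the forum's code, and it is not reg_look itself), here is a small Python parser for the reg_look output format posted above. It pulls the value data out of each dumped key and checks the three persistence points the tool reports (AppInit_DLLs, Winlogon Userinit, and the system.ini boot\Shell mapping) against what a stock Windows XP install writes. The sample input is re-typed from the post and marked as constructed; the system root handed to the check is an assumption, since the scanned OS appears to live on D:\WINDOW3G rather than C:\WINDOWS, and a clean result depends on passing the root of the install that was actually scanned.

```python
import re
from typing import Dict, List

# Constructed sample: the three key blocks from the reg_look output posted
# above, re-typed as test input. Not a live capture from any machine.
SAMPLE_LOG = r"""A reg_look by IMM
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(key has 0 subkeys and 7 value entries - last modified 12:43(UTC) 22/10/2004)
[AppInit_DLLs] = "" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(key has 5 subkeys and 33 value entries - last modified 09:30(UTC) 26/11/2004)
[Userinit] = "D:\WINDOW3G\system32\userinit.exe," (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
(key has 0 subkeys and 5 value entries - last modified 12:43(UTC) 22/10/2004)
[Shell] = "SYS:Microsoft\Windows NT\CurrentVersion\Winlogon" (REG_SZ)
"""

WINDOWS_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
BOOT_MAP_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot"
# Default mapping: system.ini [boot] Shell is redirected into the Winlogon key.
EXPECTED_BOOT_SHELL_MAP = r"SYS:Microsoft\Windows NT\CurrentVersion\Winlogon"

KEY_RE = re.compile(r"^HK(?:LM|CU)\\", re.IGNORECASE)
VALUE_RE = re.compile(r'^\[(?P<name>[^\]]+)\]\s*=\s*"(?P<data>[^"]*)"\s*\((?P<type>\w+)\)')


def parse_reg_look(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} from a reg_look dump.

    A key line starts with HKLM\\ or HKCU\\; the [name] = "data" (TYPE) lines
    that follow belong to it until the next key line.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if KEY_RE.match(line):
            current = line
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def check_persistence(keys: Dict[str, Dict[str, str]], system_root: str) -> List[str]:
    """Flag values that differ from a stock XP install.

    system_root is the %SystemRoot% of the OS that was scanned (assumption:
    the caller knows it; for a second install on another disk it is not
    C:\\WINDOWS). Returns a list of human-readable findings, empty if clean.
    """
    findings: List[str] = []
    root = system_root.rstrip("\\").lower()

    # AppInit_DLLs: every DLL listed here is loaded into every process that
    # links user32.dll, so anything other than an empty string deserves a look.
    appinit = keys.get(WINDOWS_KEY, {}).get("AppInit_DLLs", "")
    if appinit.strip():
        findings.append(f"AppInit_DLLs is not empty: {appinit!r}")

    # Userinit: comma-separated list. The stock value is exactly one entry,
    # %SystemRoot%\system32\userinit.exe, with a trailing comma. An extra
    # entry or a path outside the system root is a classic logon hook.
    userinit = keys.get(WINLOGON_KEY, {}).get("Userinit", "")
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    expected_userinit = root + r"\system32\userinit.exe"
    if len(entries) != 1 or entries[0].lower() != expected_userinit:
        findings.append(f"Userinit is {userinit!r}, expected {expected_userinit!r},")

    # Winlogon Shell, if dumped, should be explorer.exe.
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is {shell!r}, expected 'explorer.exe'")

    # The system.ini [boot] Shell mapping should still point at Winlogon.
    boot_shell = keys.get(BOOT_MAP_KEY, {}).get("Shell")
    if boot_shell is not None and boot_shell != EXPECTED_BOOT_SHELL_MAP:
        findings.append(f"system.ini boot\\Shell mapping is {boot_shell!r}")

    return findings


if __name__ == "__main__":
    parsed = parse_reg_look(SAMPLE_LOG)
    for finding in check_persistence(parsed, r"D:\WINDOW3G") or ["no findings"]:
        print(finding)
```

Run against the posted values with the root of the scanned install (D:\WINDOW3G) the check reports nothing, which matches the moderator's reading; passed C:\WINDOWS instead, the Userinit line is flagged, which is exactly the false positive you get when a dual-boot box is compared against the wrong system root.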
#7
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
These entries...

*Quick Heal On-Line Protection=C:\PROGRA~1\WINCLE~1\CATEYE.EXE
*Quick Heal Messenger=C:\PROGRA~1\WINCLE~1\QHM32.EXE
*Quick Heal Activate=C:\PROGRA~1\WINCLE~1\ACTIVATE.EXE
*Quick Heal Startup Scan=C:\PROGRA~1\WINCLE~1\QHSTRT32.exe /loadrun

look like they deal with Quick Heal AntiVirus. Do you have that installed? If so... why, as your log shows 3 antivirus programs that may conflict:

Quick Heal
AVG
McAfee <-- could be just the firewall
#8
UK
Join Date: Oct 2004
Location: South Coast UK
Posts: 907
OS: Win XP Pro/XP Home/98se/Suse Linux 9.1 & Xandros 3 Deluxe
All the above-mentioned have been on the machine prior to the problems and it ran OK. I did uninstall Quick Heal just to make sure, but it made no difference.