refined
HijackThis and Spybot log analysis
I need some expert analysis on this HiJack log and startup list log. I've also included a copy of Spybot's LSP report. The only thing that I've noticed that doesn't look right is the presence of Shop At Home agent (sahagent) from Spybot's LSP report. Please tell me if there's anything else that looks suspicious.
Thank you,
Refined
~~~~
HiJack Log
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Logfile of HijackThis v1.98.2
Scan saved at 4:29:12 PM, on 8/24/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\msdtc.exe
C:\PowerChute Business Edition\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\PowerChute Business Edition\APC\PowerChute Business Edition\server\pbeserver.exe
C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
C:\Program Files\VERITAS\Backup Exec\NT\nsvr.exe
C:\WINNT\SYSTEM32\CPQRCMC.EXE
C:\ExecSoft\Diskeep\DKSERVICE.EXE
C:\ExecSoft\Diskeep\Control.exe
d:\FAIRCOM\ctsrvr.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\System32\llssrv.exe
c:\winnt\system32\pstores.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Compaq\Survey\Surveyor.EXE
C:\WINNT\System32\sysdown.exe
C:\ExecSoft\Undelete\UdServe.exe
C:\Program Files\VERITAS\Backup Exec\NT\alertServer.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\cpqnimgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\CqMgStor\CqMgStor.EXE
C:\WINNT\system32\cpqmgmt\CqMgHost\CqMgHost.exe
C:\WINNT\system32\cpqmgmt\CPQWMGMT.EXE
C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\shstat.exe
C:\Program Files\VERITAS\Backup Exec\NT\bkupexec.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\WINNT\regedit.exe
C:\TEMP\HijackThis.exe
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINNT\System32\runonce.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://h71025.www7.hp.com/support/sndetect/CSND_AX.CAB
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.0.7 67.98.11.130 67.98.11.131
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.0.7 67.98.11.130 67.98.11.131
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Spybot-S&D winsock LSP report, 8/24/04 4:36:07 PM
NS Provider ( 1) TCP/IP ({22059D40-7E9E-11CF-AE5A-00AA00A7112B})
NS Provider ( 2) NWLink IPX/SPX Compatible Transport Protocol ({E02DAAF0-7E9F-11CF-AE5A-00AA00A7112B})
Protocol ( 1) SAHagent MSAFD Tcpip [TCP/IP] ({D8C3E667-9814-4D11-8C51-C43450AA6D60})
Protocol ( 2) SAHagent MSAFD Tcpip [UDP/IP] ({EFE85258-AC8E-4BF5-B2E9-65CA261A63CC})
Protocol ( 3) SAHagent MSAFD Tcpip [RAW/IP] ({24F1DE55-EDA0-4859-9BB4-9CFB056D1D2E})
Protocol ( 4) SAHagent MSAFD NwlnkIpx [IPX] ({90B81905-B99C-47BF-9EC6-18F57D715C13})
Protocol ( 5) SAHagent MSAFD NwlnkSpx [SPX] ({0F5CCA8D-9909-42FD-9395-6D278ED0C927})
Protocol ( 6) SAHagent MSAFD NwlnkSpx [SPX] [Pseudo Stream] ({29DAE256-AFB4-4793-B28C-FEBCEBE14773})
Protocol ( 7) SAHagent MSAFD NwlnkSpx [SPX II] ({6D944389-3DFC-4BA4-BB4C-734734695444})
Protocol ( 8) SAHagent MSAFD NwlnkSpx [SPX II] [Pseudo Stream] ({218532B6-FBE9-4827-BDA0-80BBB1A74D0C})
Protocol ( 9) SAHagent MSAFD NetBIOS [\Device\NetBT_CpqNF31] SEQPACKET 0 ({20F9C36A-E80B-4B57-A283-CD0C8BB45D12})
Protocol (10) SAHagent MSAFD NetBIOS [\Device\NetBT_CpqNF31] DATAGRAM 0 ({52A3D2D2-07F1-4E22-98A1-62CB2FF0B9C6})
Protocol (11) SAHagent MSAFD NetBIOS [\Device\NwlnkNb] SEQPACKET 1 ({F69E9106-74EC-4D09-94DD-FEB668E73FE4})
Protocol (12) SAHagent MSAFD NetBIOS [\Device\NwlnkNb] DATAGRAM 1 ({8CE9D8E8-C5D3-43C7-9C58-865467B3AB4B})
Protocol (13) MSAFD Tcpip [TCP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol (14) MSAFD Tcpip [UDP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol (15) MSAFD Tcpip [RAW/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol (16) MSAFD NwlnkIpx [IPX] ({11058240-BE47-11CF-95C8-00805F48A192})
Protocol (17) MSAFD NwlnkSpx [SPX] ({11058241-BE47-11CF-95C8-00805F48A192})
Protocol (18) MSAFD NwlnkSpx [SPX] [Pseudo Stream] ({11058241-BE47-11CF-95C8-00805F48A192})
Protocol (19) MSAFD NwlnkSpx [SPX II] ({11058241-BE47-11CF-95C8-00805F48A192})
Protocol (20) MSAFD NwlnkSpx [SPX II] [Pseudo Stream] ({11058241-BE47-11CF-95C8-00805F48A192})
Protocol (21) MSAFD NetBIOS [\Device\NetBT_CpqNF31] SEQPACKET 0 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (22) MSAFD NetBIOS [\Device\NetBT_CpqNF31] DATAGRAM 0 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (23) MSAFD NetBIOS [\Device\NwlnkNb] SEQPACKET 1 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (24) MSAFD NetBIOS [\Device\NwlnkNb] DATAGRAM 1 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (25) SAHagent ({5A21F160-DF30-11CF-8927-00AA00539F1C})
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
StartupList report, 8/24/04, 4:08:53 PM
StartupList version: 1.52.2
Started from : C:\TEMP\HijackThis.EXE
Detected: Windows NT 4 SP6 (WinNT 4.00.1381)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\msdtc.exe
C:\PowerChute Business Edition\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\PowerChute Business Edition\APC\PowerChute Business Edition\server\pbeserver.exe
C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
C:\Program Files\VERITAS\Backup Exec\NT\nsvr.exe
C:\WINNT\SYSTEM32\CPQRCMC.EXE
C:\ExecSoft\Diskeep\DKSERVICE.EXE
C:\ExecSoft\Diskeep\Control.exe
d:\FAIRCOM\ctsrvr.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\System32\llssrv.exe
c:\winnt\system32\pstores.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Compaq\Survey\Surveyor.EXE
C:\WINNT\System32\sysdown.exe
C:\ExecSoft\Undelete\UdServe.exe
C:\Program Files\VERITAS\Backup Exec\NT\alertServer.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\cpqnimgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\CqMgStor\CqMgStor.EXE
C:\WINNT\system32\cpqmgmt\CqMgHost\CqMgHost.exe
C:\WINNT\system32\cpqmgmt\CPQWMGMT.EXE
C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\shstat.exe
C:\Program Files\VERITAS\Backup Exec\NT\bkupexec.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\TEMP\HijackThis.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit,nddeagnt.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray = SysTray.Exe
BrowserWebCheck = loadwc.exe
mdac_runonce = C:\WINNT\System32\runonce.exe
SchedulingAgent = mstinit.exe /logon
ShStatEXE = "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
--------------------------------------------------
Shell & screensaver key from C:\WINNT\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry key not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - (no file) - {000006B1-19B5-414A-849F-2A3C64AE6939}
(no name) - (no file) - {00000EF1-0786-4633-87C6-1AA7A44296DA}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
--------------------------------------------------
Enumerating Download Program Files:
[CSND_AX.ctlCSND_AX]
InProcServer32 = C:\WINNT\Downloaded Program Files\CSND_AX.ocx
CODEBASE = http://h71025.www7.hp.com/support/sndetect/CSND_AX.CAB
[DLC Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\grTransferCtrl.dll
CODEBASE = http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
[CV3 Class]
InProcServer32 = C:\WINNT\System32\wuv3is.dll
CODEBASE = http://windowsupdate.microsoft.com/R1150/V31Controls/x86/nt4/en/actsetup.cab
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINNT\Installer\InstMsi0\cabinet.dll||C:\WINNT\Installer\InstMsi0\imagehlp.dll||C:\WINNT\Installer\InstMsi0\instmsi.msi||C:\WINNT\Installer\InstMsi0\msiinst.exe||C:\WINNT\Installer\InstMsi0\msimain.sdb||C:\WINNT\Installer\InstMsi0\msls31.dll||C:\WINNT\Installer\InstMsi0\riched20.dll||C:\WINNT\Installer\InstMsi0\sdbapiU.dll||C:\WINNT\Installer\InstMsi0\shfolder.dll||C:\WINNT\Installer\InstMsi0\usp10.dll||C:\WINNT\Installer\InstMsi0||C:\WINNT\cle10D.tmp\cleanup.exe||C:\WINNT\cle10D.tmp||C:\WINNT\cle112.tmp\cleanup.exe||C:\WINNT\cle112.tmp||C:\WINNT\cle113.tmp\cleanup.exe||C:\WINNT\cle113.tmp||C:\WINNT\cle1F0.tmp\cleanup.exe||C:\WINNT\cle1F0.tmp
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: C:\WINNT\System32\webcheck.dll
--------------------------------------------------
End of report, 6,042 bytes
Report generated in 0.090 seconds
Terrific! Thanks for finalizing this.
Thank you,
Asta