Analog_Kid
System running VERY slow - Urgent need help!
The computer is a Dell something or other pre-loaded with Win 2k pro.
The system is operating VERY slowly and the HD is constantly active.
I need to get it working properly again by the end of the day.
In an effort to resolve the trouble I have done the following and still have the same problem:
Defrag and scan disk - no help
Spybot S&D scan w/updated definitions – found some items and removed them, but still no help
Norton A/V w/updated definitions – negative results
Turned off sharing of C: - upon re-boot the drive was again set to shared. (The PC is stand-alone, not networked.)
Turned off indexing service – this did seem to help, but the next day, the machine was running slow again.
I did a repair of the OS using the install CD – still have the same problem.
The system will not allow me to shut down any running process thru task manager, but I can boot into safe mode with no problems.
I am not familiar with Win 2k pro and I need advice.
All suggestions are greatly appreciated – this has become an urgent matter.
Thanks in advance.
SOLUTION
Is it the PC in general or network operation - or is it just pants generally?
ASKER
Duh! Stupid me, I posted in the wrong area. I've asked that the question be moved.
Anyway, the machine is not connected to a network of any kind. What do you mean by pants?
Thanks for your help.
ASKER
Oh, it does have AOL for connecting to the Internet.
Please post a list of the running processes from the task manager.
J
SOLUTION
Hi, first download this and click scan - don't fix anything first, just post the logfile here:
http://tools.radiosplace.com/HijackThis.exe
Deb :))
ASKER
>>post a list of the running processes
I don't have access to it at this very moment, so I can't say. But it is a huge list. Is there a way to thin that out to the absolute bare minimum?
>>How much space does your hard drive have left?
It's nearly completely empty - only 10% or so used.
>>Are there any processes using up a lot of system resources?
I don't know. How do I find that info?
>>...If you added virus software after the system was infected...
I don't think that is the case. The machine is a friend's, but I am aware that he has had Norton A/V installed ever since he bought the machine, and this problem is recent.
It's probably best to rule out any nasties before trying any further system fixes or repairs, particularly given the fact that you've already found some. Unfortunately Norton is missing stacks of Trojans as of late, hence try a scan with the following
Trend Online Scanner
http://housecall.trendmicro.com/
Panda
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Let us know what you find,
Deb :))
To post running processes - In hijackthis click config ->Misc Tools -> Open process manager. Then check the "show dll's" on the right of the screen, click refresh, then click the little floppy disk icon which will allow you to save the process list to a text file. Post that text file here too...
Deb :))
I would recommend running the utilities that Debsyl99 has listed.
To check processes, you can use Task Manager. You said that the list is huge, how many processes are currently running?
When you boot into 'safe mode with no problems', do you mean that the computer doesn't run slow in safe mode?
ASKER
Correct. In safe mode, all seems to be in order.
I see you need more info than I can provide, so I will d/l those and post here later. This could take a while as the machine is 10 miles from my location. I'll do my best to get you the info you need asap.
Meanwhile, if there is any other information that would be helpful, or if you have an idea of what else I can look at while I'm there, I'd be grateful.
Is this a XEON 32bit or Itanium 64 bit? The XEON uses Extended Memory 64; this is an extension and is not a 64 bit processor. The processor is IA-32, which is a 32 bit processor. Unless your workstation is running with more than 4 GB ram and you have applications that can utilize pages larger than 2GB, you should not be running the x64 version of Windows 2003. So unless you have applications that are specifically written to take advantage of the Extended Memory 64, and more than 4 GB of ram in the workstations, you should go back to Windows XP Professional. The OS should run faster on your machine than Server 2003(64) on the XEON.
J
Sorry I posted to the wrong thread!? ;)
J
To get the process list, just go to a DOS prompt and type TASKLIST. Paste the info here. If you want to save it out to a text file, you can run this: TASKLIST > c:\tasklist.txt
To post processes just follow the instructions in my posts - easier and makes sure dll's are posted too.
Deb :))
P.S Good one JD ;-)
Deb, not going to argue, but that requires the installation of software...
I don't think TASKLIST is an .exe that comes with Windows by default. I don't have it on my system.
Oops. It's for WinXP. My bad.
It is an XP tool, and a great one... If you are running XP, it is a very easy thing to do. Rob has a good point, as it can be run in about 10 seconds and posted. Might as well do both.
J
It's not really like I'm asking for a fresh install of Office!!! (sighs - has had a long day..)
It requires the installation of hijackthis which, let's face it, is pretty small (183k) and takes up minimal system resources (about 5k - cmd takes about 2.5k). It will also enable us to have a good look at what's running on the system and will show dll's, which tasklist won't show, and their authors and versions. We'll also get to have a look at various areas of the registry notorious for targeting by spyware and enable us to fix it where necessary - so it will kill a lot of birds with one stone, and if for whatever reason it doesn't lead to a direct fix, it will at least enable us to rule things out.
But if Analog Kid doesn't want to use it, it's his choice ;-)) Better than manually posting various areas of the registry, because if we do identify running processes that are malware related we're going to have to kill them properly (ie via the execs and reg entries) which again you can do with hijackthis. Why don't you check it out? It's quite useful,
Deb :))
Do em both, do em both!!! Run tasklist post the results.... 20 seconds max, while it is being reviewed by "the experts", run hijack This!!!!...
J
:)
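An added example, not code from this thread or from HijackThis: a small Python triage script that reads a process list in the three-column layout the HijackThis process manager saves (full path, file version, company name; a plain TASKLIST dump would need the version and company columns added) and flags the entries a responder would look at first: core Windows binaries running from the wrong folder, anything launched from a user profile or temp directory, and entries with no company name. The sample input is constructed: the first entries mirror the Windows 2000 process list posted later in this thread, and the last two lines are invented suspicious entries to exercise the checks. The C:\WINNT system root and the list of core binaries with their expected folders are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# One line of a HijackThis-style process list:
#   <full path> <file version> <company name>
# The path may contain spaces ("Program Files"), so it is matched lazily up to
# the .exe/.dll extension; the version must look like 5.0.2195.6601, and the
# company name may be empty.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll))\s+"
    r"(?P<version>\d+(?:\.\d+)+)\s*"
    r"(?P<company>.*)$",
    re.IGNORECASE,
)

# Constructed sample input in the layout shown in this thread. The last two
# entries are invented to exercise the checks; they are not from the thread.
SAMPLE = r"""Process list saved on 6:47:22 PM, on 9/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

[full path to filename] [file version] [company name]
C:\WINNT\System32\smss.exe 5.0.2195.6601 Microsoft Corporation
C:\WINNT\system32\winlogon.exe 5.0.2195.6714 Microsoft Corporation
C:\WINNT\system32\lsass.exe 5.0.2195.6695 Microsoft Corporation
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe 1.0.3.4 Symantec Corporation
C:\WINNT\Explorer.EXE 5.0.3700.6690 Microsoft Corporation
C:\Documents and Settings\ian1\Desktop\HijackThis.exe 1.98.0.2 Soeperman Enterprises Ltd.
C:\WINNT\svchost.exe 1.0.0.1
C:\Documents and Settings\ian1\Local Settings\Temp\updater.exe 1.0.0.0
"""


@dataclass
class Process:
    path: str
    version: str
    company: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def folder(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_process_list(text: str) -> List[Process]:
    """Keep only lines in the path/version/company layout; the header lines,
    blank lines and 'DLLs loaded by process ...' banners are skipped."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            procs.append(Process(m["path"], m["version"], m["company"].strip()))
    return procs


# Assumption: a Windows 2000 install rooted at C:\WINNT, as in this thread.
SYSTEM_ROOT = r"c:\winnt"
SYSTEM32 = SYSTEM_ROOT + r"\system32"

# Assumed list of core binaries and the only folders they legitimately run
# from on this platform; a look-alike with one of these names elsewhere is
# the classic thing a process list is checked for.
CORE_LOCATIONS: Dict[str, Set[str]] = {
    "smss.exe": {SYSTEM32},
    "winlogon.exe": {SYSTEM32},
    "services.exe": {SYSTEM32},
    "lsass.exe": {SYSTEM32},
    "svchost.exe": {SYSTEM32},
    "spoolsv.exe": {SYSTEM32},
    "explorer.exe": {SYSTEM_ROOT},
}


def triage(procs: List[Process]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries worth a closer look."""
    findings = []
    for p in procs:
        expected = CORE_LOCATIONS.get(p.name)
        if expected is not None:
            if p.folder not in expected:
                findings.append((p.path, "core system binary outside its expected folder"))
            elif "microsoft" not in p.company.lower():
                findings.append((p.path, "core system binary without a Microsoft company name"))
        folder = p.folder + "\\"
        if "\\documents and settings\\" in folder or "\\temp\\" in folder:
            findings.append((p.path, "running from a user profile or temp folder"))
        if not p.company:
            findings.append((p.path, "no company name in the version resource"))
    return findings


if __name__ == "__main__":
    parsed = parse_process_list(SAMPLE)
    print(f"{len(parsed)} processes parsed")
    for path, reason in triage(parsed):
        print(f"  {path}: {reason}")
```

The flags are prompts for a closer look, not verdicts: HijackThis itself is flagged because it was run from the Desktop, which is exactly where the thread put it. The useful signal is a core name in the wrong folder or an entry with no version resource at all, which is what the two invented lines exercise.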
ASKER
I could not work out how to get a list of running processes but I did manage to get HijackThis.exe running which included a list. Here are the results:
processlist.txt:
Process list saved on 6:47:22 PM, on 9/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
[full path to filename] [file version] [company name]
C:\WINNT\System32\smss.exe 5.0.2195.6601 Microsoft Corporation
C:\WINNT\system32\winlogon.exe 5.0.2195.6714 Microsoft Corporation
C:\WINNT\system32\services.exe 5.0.2195.6700 Microsoft Corporation
C:\WINNT\system32\lsass.exe 5.0.2195.6695 Microsoft Corporation
C:\WINNT\system32\svchost.exe 5.0.2134.1 Microsoft Corporation
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe 1.0.3.4 Symantec Corporation
C:\WINNT\system32\spoolsv.exe 5.0.2195.6659 Microsoft Corporation
C:\WINNT\System32\svchost.exe 5.0.2134.1 Microsoft Corporation
C:\Program Files\Norton AntiVirus\navapsvc.exe 9.0.5.1015 Symantec Corporation
C:\WINNT\system32\regsvc.exe 5.0.2195.6701 Microsoft Corporation
C:\WINNT\system32\MSTask.exe 4.71.2195.6704 Microsoft Corporation
C:\WINNT\system32\stisvc.exe 5.0.2195.6656 Microsoft Corporation
C:\WINNT\wanmpsvc.exe 7.0.0.2 America Online, Inc.
C:\WINNT\Explorer.EXE 5.0.3700.6690 Microsoft Corporation
C:\Program Files\Common Files\Symantec Shared\ccApp.exe 1.0.3.15 Symantec Corporation
C:\WINNT\system32\ntvdm.exe 5.0.2195.6689 Microsoft Corporation
C:\WINNT\system32\taskmgr.exe 5.0.2195.6620 Microsoft Corporation
C:\Documents and Settings\ian1\Desktop\HijackThis.exe 1.98.0.2 Soeperman Enterprises Ltd.
DLLs loaded by process C:\WINNT\System32\smss.exe:
[full path to filename] [file version] [company name]
C:\WINNT\system32\ntdll.dll 5.0.2195.6685 Microsoft Corporation
C:\WINNT\System32\sfcfiles.dll 5.0.2195.6717 Microsoft Corporation
startuplist.txt:
StartupList report, 9/7/2004, 6:48:37 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\ian1\Desktop\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\ian1\Desktop\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\ian1\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager = mobsync.exe /logon
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINNT\System32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINNT\system32\setup\wmpocm.exe /HideWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE
[>{86EEAFA8-6F38-4657-B4F7-ED1033D2EA1C}S04947] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINNT\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINNT\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINNT\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd
[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINNT\DOWNLO~1\yacscom.dll
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
[YInstStarter Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
[Yahoo! Audio UI1]
InProcServer32 = C:\WINNT\Downloaded Program Files\yacsui.dll
CODEBASE = http://chat.yahoo.com/cab/yacsui.cab
[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37848.7365972222
[QDiagHUpdateObj Class]
InProcServer32 = C:\WINNT\system32\qdiagh.ocx
CODEBASE = http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
NameSpace #3: C:\WINNT\System32\nwprovau.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll
Protocol #14: C:\WINNT\system32\msafd.dll
Protocol #15: C:\WINNT\system32\msafd.dll
Protocol #16: C:\WINNT\system32\msafd.dll
Protocol #17: C:\WINNT\system32\msafd.dll
Protocol #18: C:\WINNT\system32\msafd.dll
Protocol #19: C:\WINNT\system32\msafd.dll
Protocol #20: C:\WINNT\system32\msafd.dll
Protocol #21: C:\WINNT\system32\msafd.dll
Protocol #22: C:\WINNT\system32\msafd.dll
Protocol #23: C:\WINNT\system32\msafd.dll
Protocol #24: C:\WINNT\system32\msafd.dll
Protocol #25: C:\WINNT\system32\msafd.dll
Protocol #26: C:\WINNT\system32\msafd.dll
Protocol #27: C:\WINNT\system32\msafd.dll
Protocol #28: C:\WINNT\system32\msafd.dll
Protocol #29: C:\WINNT\system32\msafd.dll
Protocol #30: C:\WINNT\system32\msafd.dll
Protocol #31: C:\WINNT\system32\msafd.dll
Protocol #32: C:\WINNT\system32\msafd.dll
Protocol #33: C:\WINNT\system32\msafd.dll
Protocol #34: C:\WINNT\system32\msafd.dll
Protocol #35: C:\WINNT\system32\msafd.dll
Protocol #36: C:\WINNT\system32\msafd.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\services.exe (manual start)
Application Management: %SystemRoot%\system32\services.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation Service: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\system32\cisvc.exe (disabled)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (manual start)
Print Class Driver for IEEE-1284.4 hpoipr07: system32\DRIVERS\hpoipr07.sys (manual start)
3Com EtherLink XL B/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Creative AudioPCI (ES1371,ES1373) (WDM): system32\drivers\es1371mp.sys (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
IEEE-1284.4 Driver hpoid407: system32\DRIVERS\hpoid407.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
LT Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Messenger: %SystemRoot%\System32\services.exe (disabled)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
BDA MPE Filter: system32\DRIVERS\MPE.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040825.021\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040825.021\NavEx15.Sys (manual start)
NetBEUI Protocol: System32\DRIVERS\nbf.sys (autostart)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svch ost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.s ys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svch ost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sy s (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.s ys (system)
Routing and Remote Access: %SystemRoot%\System32\svch ost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regs vc.exe (autostart)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.s ys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\loca tor.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svch ost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp .exe -s (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsas s.exe (autostart)
SAVRT: \??\C:\WINNT\system32\Driv ers\SAVRT. SYS (manual start)
SAVRTPEL: \??\C:\WINNT\system32\Driv ers\SAVRTP EL.SYS (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMAN T~1\SCRIPT ~1\SBServ. exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCar dSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCar dSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTa sk.exe (autostart)
RunAs Service: %SystemRoot%\system32\serv ices.exe (autostart)
System Event Notification: %SystemRoot%\system32\svch ost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.s ys (manual start)
Serial port driver: System32\DRIVERS\serial.sy s (system)
Internet Connection Sharing: %SystemRoot%\System32\svch ost.exe -k netsvcs (manual start)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoo lsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Still Image Service: %systemroot%\system32\stis vc.exe (autostart)
BDA IPSink: system32\DRIVERS\StreamIP. sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sy s (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sy s (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SY S (manual start)
SYMREDRV: \??\C:\WINNT\system32\Driv ers\SYMRED RV.SYS (manual start)
SYMTDI: \??\C:\WINNT\system32\Driv ers\SYMTDI .SYS (autostart)
Microsoft System Audio Device: system32\drivers\sysaudio. sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlo gsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svch ost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlnt svr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\serv ices.exe (disabled)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sy s (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups. exe (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sy s (manual start)
Utility Manager: %SystemRoot%\System32\Util Man.exe (manual start)
VgaSave: \SystemRoot\System32\drive rs\vga.sys (system)
Windows Time: %SystemRoot%\System32\serv ices.exe (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sy s (manual start)
WAN Miniport (ATW): system32\DRIVERS\wanatw4.s ys (manual start)
WAN Miniport (ATW) Service: "C:\WINNT\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sy s (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM \WinMgmt.e xe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svch ost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Serv ices.exe (manual start)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC. SYS (manual start)
Automatic Updates: %systemroot%\system32\svch ost.exe -k wugroup (manual start)
Wireless Configuration: %SystemRoot%\System32\svch ost.exe -k netsvcs (manual start)
-------------------------- ---------- ---------- ----
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperation s: *Registry value not found*
-------------------------- ---------- ---------- ----
Enumerating ShellServiceObjectDelayLoa d items:
Network.ConnectionTray: C:\WINNT\system32\NETSHELL .dll
WebCheck: C:\WINNT\System32\webcheck .dll
SysTray: stobject.dll
-------------------------- ---------- ---------- ----
Autorun entries from Registry:
HKCU\Software\Microsoft\Wi ndows\Curr entVersion \policies\ Explorer\R un
*Registry key not found*
-------------------------- ---------- ---------- ----
Autorun entries from Registry:
HKLM\Software\Microsoft\Wi ndows\Curr entVersion \policies\ Explorer\R un
*Registry key not found*
-------------------------- ---------- ---------- ----
End of report, 28,840 bytes
Report generated in 0.221 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
hijackthis.log:
Logfile of HijackThis v1.98.2
Scan saved at 6:49:57 PM, on 9/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\ian1\Desktop\HijackThis.exe
A:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
O17 - HKLM\System\CCS\Services\Tcpip\..\{347DEE52-1768-473E-B419-FAD1B4BFC7B8}: NameServer = 64.81.159.2
ASKER
In Windows Task Manager, Processes tab under "Image Name" there is an item called "System Idle Process" PID 0 CPU 99 MemUsage 16k. Is this of any concern? It is the only item showing a considerable CPU time usage.
I'm desperately grasping at straws here.
ASKER
No, I guess not - http:Q_20798928.html#9753538
Why is that yahoo crud there?
Go uninstall any unnecessary applications.
How much free space do you have?
ASKER
I've taken out all un-needed apps already and got rid of most of that crud. I'll post an updated log if you want.
At this time there is 2.3 GB used of 12.6 GB total.
I've noticed that on boot up (a 30 min process!) the computer seems to get stuck on "Applying security policy".
What GPOs do you have enabled?
What was the last thing you changed?
I assume this is part of a domain... they aren't trying something silly like pushing a large install down via GPOs, are they?
ASKER
No, it's just a desktop PC and not part of a network. I don't know what a GPO is and I'm not the primary user, so I have no clue what was done before today. I can tell you that there are no audits currently enabled.
Well, you could unplug the network cable, then log in to the local admin acct, then log in the user offline; that would tell us something.
It is leaning towards a group policy issue, but we need to verify that.
ASKER
I could use some step-by-step instructions. There is no network cable to anything and I am now logged in as admin. (I have physical access to the machine now.)
Does it matter what user you login as? Is it still super slow?
ASKER
There has been an improvement in performance, but the boot up is still taking way too long as noted above. What would creating a new profile gain?
ASKER
Also the unexplained disk activity has ceased so we have seen some progress.
ASKER
Ok, I can create a new profile. How shall I proceed?
Thanks by the way for taking time to help me out :-)
Using Hijack this, you can delete these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
O17 - HKLM\System\CCS\Services\Tcpip\..\{347DEE52-1768-473E-B419-FAD1B4BFC7B8}: NameServer = 64.81.159.2
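As an added example (not from the thread and not HijackThis's own code), here is a small parser for lines in this HijackThis log format that pulls the GUID, URL and any IP address out of each entry and attaches a review note for the entry types a defender cares about most, in particular the O17 NameServer line (a DNS resolver address written into the registry) and the O16 DPF downloads. The sample lines are the ones listed above with the GUIDs re-joined; the review rules are my own heuristics.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the HijackThis v1.98 lines quoted in the thread, with the
# GUIDs re-joined where the page extraction had broken them with spaces.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{347DEE52-1768-473E-B419-FAD1B4BFC7B8}: NameServer = 64.81.159.2
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+")

@dataclass
class Entry:
    kind: str            # HijackThis section, e.g. R0, O4, O16, O17
    body: str            # everything after "<kind> - "
    guid: Optional[str]  # CLSID/interface GUID if the line carries one
    url: Optional[str]   # download or start-page URL if present
    ips: List[str]       # IPv4 addresses (O17 NameServer lines)
    review: str          # why a reviewer should look at this line; "" if nothing to note

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    guid, url = GUID_RE.search(body), URL_RE.search(body)
    review = ""  # heuristics of this example, not HijackThis's own ratings
    if kind == "O17" and "NameServer" in body:
        review = "DNS resolver set in the registry; confirm it is the ISP/assigned resolver"
    elif kind == "O16":
        review = "ActiveX component downloaded from a web site; confirm the host is wanted"
    elif kind == "O9" and "(no file)" in body:
        review = "orphaned IE button; its target file is gone"
    elif kind in ("R0", "R1") and "Start Page" in body:
        review = "browser start page set in the registry; confirm the user chose it"
    elif kind == "O4":
        review = "autostart entry; confirm the program is wanted"
    return Entry(kind, body, guid.group(0) if guid else None,
                 url.group(0) if url else None, IPV4_RE.findall(body), review)

def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]

def needs_review(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.review]

if __name__ == "__main__":
    for e in needs_review(parse_log(SAMPLE_LOG)):
        print(f"{e.kind:4} {e.review}  guid={e.guid} url={e.url} ips={e.ips}")
```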
ASKER
From the control panel, I'm unable to add a user. The button is gray.
ASKER
Those have all been removed except for NameServer and the extra buttons.
If it is greyed out... are you sure this is not part of a domain? Right-click on My Computer and go to Properties. It should say WORKGROUP... if it says domain, then it is in fact part of a domain.
ASKER
I don't see Users and Computers - I have Local Users and Groups
ASKER
You are correct. In the System Properties - network id tab the workgroup name is WORKGROUP
Local Users and Groups, sorry, that is what you want. If you can create a new user there, that would help test the profile when you log in as that user.
ASKER
A hardware failure has crossed my mind. I'm contemplating a drive check and testing memory, but I don't want to overlook the obvious. (Actually not so obvious in my case.)
I saw another link I had saved where the guy said it was a hard drive issue... but I kinda doubt that.
Were you able to create a user?
ASKER
I have created user "test1" and added to the administrators group.
You can also download CWShredder, extract it to a floppy and run it too. http://computercops.biz/downloads-file-349.html
Log in as Test1 and let me know the performance and how long it takes to log in.
ASKER
I logged off then logged back in at test1 and am presented with the Getting Started with Windows 2000 dialogue box. It seemed to work fine - took just a few seconds.
Can't wait, passing out from no sleep :)
Seems like it's all fixed, so GL bud!
ASKER
Well, Windows started up faster - it didn't get stuck on "Applying security policy", but the desktop icons have not yet appeared - it's still thinking about it (the disk indicator is flashing and I hear the ticking).
It is behaving much the same as it had been, only instead of the security policies I'm waiting for the desktop. All I have is the task bar, clock and the blue background. It's been booting up for just under ten minutes now.
Well go to bed - this thing can wait. Thanks!
ASKER
jonnietexas
I don't see anything in the registry where you pointed me that looks suspicious, and the temp directory was pretty much empty to begin with. (It's completely empty now.)
Thanks for the help, but it appears that the problem lies elsewhere.
Good morning, Debsyl99 :-)
I do not have an Internet connection to that machine at the moment, but I do have sneaker net available. Those on-line scanners will be difficult to employ. Do you have any alternate suggestions that I might try?
I'll go ahead and get msconfig as you've suggested. Jayca has suggested CWShredder, which I have yet to try.
Where might I find those event logs exactly?
Good lord, slacker! This isn't fixed yet?
:)
ASKER
Yes, every step is painfully slow! As I said, it takes about 30 min just to boot up.
Once the desktop appeared, everything seems to be running relatively normally.
I made an Internet connection through the AOL interface and it connected without problems, but the system became bogged down just as soon as I fired up Internet Explorer. I was however able to start a Panda ActiveScan, when suddenly the system again slowed to a crawl.
Jonnietexas, about the only thing notable is the Norton antivirus protection. Perhaps that's what is misbehaving. I think I'll go ahead and remove it at the next opportunity. (I can always re-install it later.)
I've noticed that when the system slows, the acoustical signature of the hard drive changes. It is the same sound that it makes while waiting for the desktop or the security policies. (Sounds more like a defrag operation rather than the typical read/write sounds that breeze right through.)
It's incredibly frustrating to have to wait 5 or ten minutes and longer for anything to respond.
I'll post an update just as soon as possible.
Just a thought. I have seen many systems that have this exact problem, and it is typically related to the drive being misconfigured. Either it is set to Slave instead of Master, or Cable Select and not on the last connector, or a CD, CDRW, DVD etc. is on the same channel. Did you change any of the drive configurations or add a hard drive?
J
P.S. Way too many posts, someone may have already said this because I haven't read them all. If that is the case, accept my apologies ;)
J
No I don't think they have JD (practically know this thread off by heart now ;-) but that's a good suggestion. By the way (should have asked this before) what ARE the specs of this PC anyway? ie Processor, RAM etc?
ASKER
Not a problem, I can filter that out in my head :-)
But no, I have not changed anything like that and I suspect the owner/user has not either. I can check that out when the system releases control to me again. :-/
When you used the CD to reinstall/repair of the OS, did it seem to take a long time?
J
Hi Deb! ;)
J
ASKER
No, that worked pretty well.
Bad news - the system crashed during the scan. But at least I can give you guys/gals the information you want.
The unit is a Dell OptiPlex GX110 Pentium III
Win2K pro os Build 2195 SP4
Computer: X86 Family 6 Model 8 Stepping 6 GenuineIntel
AT/AT Compatible
129,260 KB RAM
In the Event Viewer there are lots of warnings and errors. All or most related to disk and atapi.
"The device, \Device\ide\ideport0, did not respond within the timeout period" and
"An error was detected on device \Device\Harddisk0\DR0 during a paging operation"
Security Log is empty and the Application Log is also full of errors and warnings.
The system is now in safe mode.
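The two Event Viewer messages quoted above are the strongest evidence in this thread: an atapi timeout on the IDE port and a disk error "during a paging operation" mean the OS volume itself is stalling, which also explains a CPU that sits at 99% idle while the drive never stops. As an added example, not part of the thread, here is a small triage script over a constructed, simplified Event Viewer text export that counts storage errors per device and returns a verdict; the event IDs in the sample (atapi 9, disk 51 and 11, eventlog 6005) are the well-known ones for those messages, and the thresholds and verdict labels are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, shaped like a simplified Event Viewer text export
# (Type, Source, Event ID, Description). The two messages quoted in the
# thread are atapi event 9 and disk event 51; the others are for contrast.
SAMPLE_EVENTS = (
    "Warning\tatapi\t9\tThe device, \\Device\\Ide\\IdePort0, did not respond within the timeout period.\n"
    "Error\tdisk\t51\tAn error was detected on device \\Device\\Harddisk0\\DR0 during a paging operation.\n"
    "Warning\tatapi\t9\tThe device, \\Device\\Ide\\IdePort0, did not respond within the timeout period.\n"
    "Error\tdisk\t11\tThe driver detected a controller error on \\Device\\Harddisk0\\DR0.\n"
    "Information\teventlog\t6005\tThe Event log service was started.\n"
)
STORAGE_SOURCES = {"atapi", "disk", "ntfs", "ftdisk"}   # kernel storage stack sources
DEVICE_RE = re.compile(r"\\Device\\[A-Za-z0-9\\]+")      # e.g. \Device\Harddisk0\DR0

@dataclass
class Event:
    level: str
    source: str
    event_id: int
    message: str

def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue  # blank or malformed line
        level, source, eid, msg = parts
        events.append(Event(level, source, int(eid), msg))
    return events

def storage_summary(events: List[Event]) -> Tuple[Dict[str, int], int]:
    """Count storage errors/warnings per device and how many hit the paging path."""
    per_device = Counter()
    paging = 0
    for ev in events:
        if ev.level not in ("Error", "Warning"):
            continue
        dev = DEVICE_RE.search(ev.message)
        if ev.source.lower() not in STORAGE_SOURCES and not dev:
            continue
        per_device[dev.group(0) if dev else "(unknown)"] += 1
        if "paging operation" in ev.message:
            paging += 1  # page file / OS volume affected: the whole system stalls
    return dict(per_device), paging

def verdict(events: List[Event], threshold: int = 3) -> str:
    # Repeated timeouts plus paging errors point at the drive or its cabling (assumed threshold).
    per_device, paging = storage_summary(events)
    total = sum(per_device.values())
    if paging and total >= threshold:
        return "storage-fault"
    if total:
        return "storage-warning"
    return "no-storage-evidence"
```

Run on a real export, a "storage-fault" verdict is the cue to image the drive and run the read-only media checks before spending more time on malware hunting.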
Try Rob's suggestion with CHKDSK C: /R; also, you are a bit light on RAM for Win2k and a load of apps.
Deb :))
ASKER
C:\>chkdsk c: /r
The type of the file system is NTFS.
Cannot lock current drive.
Chkdsk cannot run because the volume is in use by another process.
That was supposed to say hours by the way - Hi JD :))
Do you have any spare drives you can use? And you only have 128 megs of mem, that's not much with all that stuff they have running FYI :)
ASKER
The problem has been positively identified as a bad hard drive. The drive eventually failed completely but I did manage to retrieve the data first.
Thanks for all your help - your assistance was invaluable to me.
I’ve split the points among the comments that I found to be the most helpful and awarded the answer to hehewithbrackets for being the first to correctly identify the root cause of the trouble as hardware related.
Thanks again for all your help!
Perhaps he should look for *.Temp and *.tmp files in his computer and then get rid of anything to do with Norton AV...