
What is supposed to be in Win Xp Home

Discussion in 'Windows XP' started by missmissy, 2004/06/13.

Thread Status:
Not open for further replies.
  1. 2004/06/14
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    And if anyone can conduct the computer forensics, I agree, Joe can. But I know how to stop it all: do all backups, change the BIOS to boot from CD, put the OS CD in, sit through 39 minutes of MS propaganda, kill Bliss and so on.

    But the first things I would do are what Dave (Noahdfear) suggested. Separate the network and test each machine. Run the scans. Could this be something as simple as a corrupted user account? Is there someone you suspect who is capable of doing this with access to your computer? Just thoughts running through my head...

    Johanna
     
  2. 2004/06/14
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    OK, I have scanned my computer so far with the virus scanners and they say I am clean.

    I have downloaded and updated (I hope I did the manual update OK) and I am always looking to see if anything has preset rules. When I first downloaded Ad-aware there were some things marked that it should ignore. I unchecked those and didn't find anything.

    I am wondering if this is something like that. If I go to TrojanHunter and select ruleset, I get this:

    Ruleset datestamp : Monday, May 31, 2004
    Scan kernel : 3.0 (Ehlana)
    Ruleset entries : 15724
    Trojan definitions : 5048
    Detection rules : 10676

    +-- Loaded rulesets -------------------------
    Number of loaded rulesets : 2
    Rulesets :

    0: Trojan detection rules
    1: Custom detection rules

    +-- Trojan definitions ----------------------
    Trojans.trf : 5048 definitions
    CustomTrojans.trf : 0 definitions

    +-- Registry checker ------------------------
    Rule description : Registry Rules
    Rule type : Registry
    Number of rules : 776
    Loaded rule files :

    RegistryRules.trf 776 rules
    CustomRegistryRules.trf 0 rules

    +-- Inifile checker -------------------------
    Rule description : Inifile Rules
    Rule type : Inifile
    Number of rules : 71
    Loaded rule files :

    InifileRules.trf 71 rules
    CustomInifileRules.trf 0 rules

    +-- File checker ----------------------------
    Rule description : File Rules
    Rule type : File
    Number of rules : 6420
    Loaded rule files :

    FileRules.trf 6420 rules
    CustomFileRules.trf 0 rules

    +-- Port checker ----------------------------
    Rule description : Port Rules
    Rule type : Port
    Number of rules : 585
    Loaded rule files :

    PortRules.trf 585 rules
    CustomPortRules.trf 0 rules

    +-- Process checker -------------------------
    Rule description : Process Rules
    Rule type : Process
    Number of rules : 2620
    Loaded rule files :

    ProcessRules.trf 2620 rules
    CustomProcessRules.trf 0 rules

    +-- Script checker --------------------------
    Rule description : Script Rules
    Rule type : Script
    Number of rules : 204
    Loaded rule files :

    ScriptRules.trf 204 rules
    CustomScriptRules.trf 0 rules

    Are these rules from TrojanHunter?


    I have antivirus through ZoneAlarm. I double checked and it is on, and I also went ahead and started a scan with that. I had Norton on my other computer and Chris (my new computer guy) told me that he found 2 viruses on that computer.

    Is it possible to have it set up so that anything that scans my computer doesn't scan a certain section? When I do searches on my computer I get long pauses where it looks like it is stuck on something.
     

  4. 2004/06/14
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    I wish this would work. I cannot even remember how many times I have reinstalled in the past year; then we bought the new computer and router.

    From what I understand now (I didn't until recently), you get 3 different options when you reinstall Windows XP; please let me know if I am wrong. The first guy I paid to reinstall on the XPS told me this.

    one is repair, which he said wouldn't let him use it
    then you can do a fresh install
    and a clean install

    He said that when you do a clean install (I think) it puts a clean copy of Windows on, but all the other programs are still on your computer; you just need to reinstall them. Well, every time I reinstall everything is gone and I am left with a lot of empty folders, and I also have access to the internet without reinstalling my router or my modem. I have all these driver disks and stuff that I don't need. I already have a connection to the internet and everything.

    Well, if I play around and try to start the install by exploring the disk and clicking the EXE for Windows, then it starts and goes for a little bit and then I get an error saying that I can't do this because there are settings on the computer that are needed.

    Sorry I keep going and going. This has been going on for a long time and I think I have forgotten as much as I remember.
     
    Last edited: 2004/06/14
  5. 2004/06/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes.

    This looks very much like hacking activity to me, and I think Joe will ultimately be able to confirm or dispel that thinking. Meanwhile, I'm curious what has been given permission for internet access through the firewall. Is anything allowed to act as a server? Take a look at the logs and see what's been allowed and blocked, and if you can identify it. You can identify addresses, such as 207.69.188.187, with a WhoIs search.

    Mind posting a HijackThis log to this thread? Also click the Config button, then Misc Tools, and generate a startup list. Check both the minor and empty section boxes. Post its log here too.

    How about a ShieldsUP port scan at GRC? If your firewall prompts you to do anything during the test, ignore it.

    Ad-aware should only be configured to do a custom full scan. Anything set by default to ignore should be left alone.

    Is this PC on a home network?
     
  6. 2004/06/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Don't pay that guy any more money. For ANYTHING! A clean install wipes everything from the drive/partition. There will be no folders, no programs, no nothing, unless they were on a partition separate from the OS, and separate from the partition you format and install on. It doesn't surprise me that you don't have to install drivers, and everything is configured and ready to connect after an install. XP comes loaded with A LOT of drivers.
     
  7. 2004/06/14
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    I won't take anything to him anymore. While I was picking up my computer he was closing up shop to work out of his house. He was supposed to call me with his new number and never has.



    Here is my HijackThis log. I will go look at the other things now too.
    Logfile of HijackThis v1.97.7
    Scan saved at 8:50:29 PM, on 6/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\netdde.exe
    D:\Program Files\MonitorWare\Agent\mwagent.exe
    D:\WINDOWS\System32\alg.exe
    D:\WINDOWS\System32\ZoneLabs\isafe.exe
    D:\WINDOWS\system32\clipsrv.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\system32\ZONELABS\vsmon.exe
    D:\WINDOWS\System32\wbem\wmiapsrv.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\Security Administrator\newadmin.exe
    D:\WINDOWS\System32\ltmsg.exe
    D:\Program Files\Yahoo!\Messenger\ypager.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\Program Files\Turbo Searcher\TurboSearcher.exe
    D:\WINDOWS\System32\RUNDLL32.EXE
    D:\Program Files\SpywareGuard\sgmain.exe
    D:\WINDOWS\System32\devldr32.exe
    D:\Program Files\SpywareGuard\sgbhp.exe
    D:\WINDOWS\System32\wuauclt.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\TrojanHunter 3.9\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RegistryMechanic] D:\Program Files\Registry Mechanic\RegMech.exe /QS
    O4 - HKLM\..\Run: [00saskda] "D:\Program Files\Security Administrator\newadmin.exe" saskda
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Turbo Searcher] "D:\Program Files\Turbo Searcher\TurboSearcher.exe" /minimized
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward &Links - res://d:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://d:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing
    O12 - Plugin for .bcf: D:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38147.639375
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
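The HijackThis log above is a list of autostart and browser hook points, and the useful work is triaging those entries rather than reading the log top to bottom. What follows is an added example, not code from this thread or from HijackThis: a Python triage script run over a constructed excerpt modelled on the posted log. It flags O4 Run entries whose executable is not a fully qualified path (as with `ltmsg.exe 9` above, which is resolved through the search path at logon), O6 IE policy restrictions, O10 Winsock LSP breakage, and O16 ActiveX controls downloaded from hosts outside an allow-list. The allow-list is an assumption of the example; a host missing from it is unvetted, not necessarily hostile.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample modelled on the HijackThis 1.97 log posted above: a handful of
# representative lines, not the poster's full log. Section codes are HijackThis's own
# (O4 = autostart entries, O6 = IE policy restrictions, O10 = Winsock LSP, O16 = DPF ActiveX).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\Program Files\Security Administrator\newadmin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKLM\..\Run: [00saskda] "D:\Program Files\Security Administrator\newadmin.exe" saskda
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""

LINE_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.*)$")
O4_RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
FULL_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")  # drive letter or UNC path

# Assumption of this example: an allow-list the analyst maintains of hosts whose
# ActiveX controls have been vetted. Anything else is "unvetted", not "malicious".
TRUSTED_DPF_HOSTS = {
    "download.microsoft.com",
    "v4.windowsupdate.microsoft.com",
    "download.macromedia.com",
}


def parse_sections(text):
    """Group HijackThis lines by section code (R0, O2, O4, ...); other lines are ignored."""
    sections = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sections[m.group("sec")].append(m.group("body"))
    return sections


def first_token(cmd):
    """The executable part of a Run value: the quoted string if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].strip()
    return cmd.split()[0] if cmd else ""


def triage(text):
    """Return (code, detail) findings for the entries an analyst should look at first."""
    sections = parse_sections(text)
    findings = []
    for body in sections.get("O4", []):
        m = O4_RUN_RE.match(body)
        if not m:
            continue  # Startup-folder entries use a different layout and are not checked here
        exe = first_token(m.group("cmd"))
        if not FULL_PATH_RE.match(exe):
            # An unqualified name is resolved through the search path at logon, so a
            # same-named file that is found earlier in that search order runs instead.
            findings.append(("O4-unqualified-path", f"{m.group('hive')} Run [{m.group('name')}] -> {exe}"))
    for body in sections.get("O6", []):
        findings.append(("O6-ie-policy-restriction", body))  # IE settings locked by policy
    for body in sections.get("O10", []):
        findings.append(("O10-winsock-lsp", body))  # a missing LSP DLL breaks every Winsock app
    for body in sections.get("O16", []):
        m = O16_RE.match(body)
        if not m:
            continue
        host = (urlparse(m.group("url")).hostname or "").lower()
        if host not in TRUSTED_DPF_HOSTS:
            findings.append(("O16-dpf-unvetted-host", f"{m.group('desc') or m.group('clsid')} from {host}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG):
        print(f"{code:26} {detail}")
```

On the constructed excerpt this reports four entries: the bare `ltmsg.exe` Run value, the IE Restrictions policy, the missing `imslsp.dll` LSP, and the RAV online-scanner control from a host not on the allow-list. Everything else in the excerpt (the ZoneAlarm and Security Administrator Run entries with full quoted paths, the Windows Update control) passes the checks.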
  8. 2004/06/14
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    This may not fit the case being discussed, but I found that others on my LAN were getting to my machine VIA THE DEFAULT SHARING that XP sets up.

    That, my friends, ended VERY quickly.

    With only one user on this machine I saw NO reason for things like My Docs being shared.

    In fact nothing is shared on any machine.

    BillyBob
     
  9. 2004/06/14
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    One thing off the top of my head is that Yahoo keeps asking to act as a server. I always say no. I also try to remove MSN Messenger and it never seems to go away. I used Add/Remove for the Microsoft products. When Messenger is in my tray and I close it I get a message that something else is using it and it cannot be closed.

    Generic Host process is the only thing listed as a trusted server.

    I think that happened when I let generic host access the internet. If I say no to that I cannot get online so I guess it is needed.
     
  10. 2004/06/14
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    Here is my ZoneAlarm log from the day I reinstalled. I tried saying no to everything I could to see what I could get away with not letting access the internet. That is why it is sooooooo long; also I had it set so that I didn't trust my own network. I have added it as trusted now and I don't get many alerts at all.



    ZoneAlarm Logging Client v5.0.590.015
    Windows XP-5.1.2600-Service Pack 1-SP
    type,date,time,source,destination,transport (security)
    type,date,time,virus name,file name,mode,e-mail id (antivirus)
    type,date,time,source,destination,action,service (IM security)
    PE,2004/06/09,05:55:48 -4:00 GMT,Generic Host Process for Win32 Services,216.144.187.199:53,N/A
    ACCESS,2004/06/09,05:55:48 -4:00 GMT,Generic Host Process for Win32 Services was unable to obtain permission for connecting to the Internet (216.144.187.199:DNS); access was denied.,N/A,N/A
    PE,2004/06/09,05:55:48 -4:00 GMT,Generic Host Process for Win32 Services,216.144.187.199:53,N/A
    PE,2004/06/09,05:55:52 -4:00 GMT,Generic Host Process for Win32 Services,216.144.187.199:53,N/A
    PE,2004/06/09,05:55:52 -4:00 GMT,Generic Host Process for Win32 Services,216.144.187.199:53,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    ACCESS,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.134.30:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    ACCESS,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.197.121:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    ACCESS,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.134.30:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    ACCESS,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.197.121:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    ACCESS,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.134.30:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    ACCESS,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.197.121:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    ACCESS,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.134.30:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    ACCESS,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.197.121:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    ACCESS,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.134.30:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    ACCESS,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.197.121:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Generic Host Process for Win32 Services,216.144.187.199:53,N/A
    ACCESS,2004/06/09,05:55:54 -4:00 GMT,Generic Host Process for Win32 Services was unable to obtain permission for connecting to the Internet (216.144.187.199:DNS); access was denied.,N/A,N/A
    PE,2004/06/09,05:55:54 -4:00 GMT,Generic Host Process for Win32 Services,216.144.187.199:53,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Windows Service Pack Setup,216.64.193.20:80,N/A
    ACCESS,2004/06/09,05:56:00 -4:00 GMT,Windows Service Pack Setup was unable to obtain permission for connecting to the Internet (216.64.193.20:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Windows Service Pack Setup,216.64.193.20:80,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Windows Service Pack Setup,216.64.193.20:80,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Windows Service Pack Setup,216.64.193.20:80,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Windows Service Pack Setup,216.64.193.20:80,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Windows Service Pack Setup,216.64.193.20:80,N/A
    ACCESS,2004/06/09,05:56:00 -4:00 GMT,Windows Service Pack Setup was unable to obtain permission for connecting to the Internet (216.64.193.20:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Windows Service Pack Setup,216.64.193.20:80,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Windows Service Pack Setup,216.64.193.20:80,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Windows Service Pack Setup,216.64.193.20:80,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Windows Service Pack Setup,216.64.193.20:80,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    ACCESS,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.134.30:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    ACCESS,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.197.121:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    ACCESS,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.134.30:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    ACCESS,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.197.121:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    ACCESS,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.134.30:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    ACCESS,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.197.121:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    ACCESS,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.134.30:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.134.30:80,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
    ACCESS,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer was unable to obtain permission for connecting to the Internet (207.46.197.121:HTTP); access was denied.,N/A,N/A
    PE,2004/06/09,05:56:00 -4:00 GMT,Internet Explorer,207.46.197.121:80,N/A
     
  11. 2004/06/14
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    I tried to cut some of the stuff out that was logged over and over.



    AV/update,2004/06/09,18:33:26 -4:00 GMT,vet.signatures(8388),Update Install Completed,Manual
    AV/scan,2004/06/09,18:35:50 -4:00 GMT,Multiple Files,Scan Completed,Manual
    PE,2004/06/09,18:38:04 -4:00 GMT,Yahoo! Suite Installer,204.71.201.134:80,N/A
    FWOUT,2004/06/09,18:38:54 -4:00 GMT,192.168.1.101:1028,216.144.187.199:53,UDP
    PE,2004/06/09,18:39:12 -4:00 GMT,Yahoo! Messenger,207.44.96.129:53,N/A
    FWIN,2004/06/09,18:40:18 -4:00 GMT,192.168.1.100:1208,192.168.1.101:20500,TCP (flags:S)
    PE,2004/06/09,18:42:18 -4:00 GMT,YPager.exe,207.44.96.129:53,N/A
    PE,2004/06/09,18:42:22 -4:00 GMT,Yahoo AutoUpdater,207.44.96.129:53,N/A
    PE,2004/06/09,18:42:26 -4:00 GMT,YPager.exe,0.0.0.0:5101,N/A
    PE,2004/06/09,18:44:46 -4:00 GMT,Windows Service Pack Setup,216.144.187.71:53,N/A
    FWOUT,2004/06/09,18:47:56 -4:00 GMT,192.168.1.101:0,224.0.0.22:0,IGMP (type:34)
    PE,2004/06/09,18:48:08 -4:00 GMT,YPager.exe,0.0.0.0:5101,N/A
    PE,2004/06/09,18:49:12 -4:00 GMT,Application Layer Gateway Service,192.168.1.101:3065,N/A
    PE,2004/06/09,18:49:32 -4:00 GMT,YPager.exe,216.136.225.27:25,N/A
    ACCESS,2004/06/09,19:04:00 -4:00 GMT,Application Layer Gateway Service was temporarily blocked from accepting a connection from the Internet (192.168.1.101:port 3065).,N/A,N/A
    ACCESS,2004/06/09,19:04:20 -4:00 GMT,ypager.exe has been blocked from sending e-mail messages. Use the Programs List to allow Send Mail permissions for this program.,N/A,N/A
    PE,2004/06/09,19:06:24 -4:00 GMT,Microsoft Help and Support Center,216.144.187.199:53,N/A
    PE,2004/06/09,19:08:16 -4:00 GMT,Microsoft Help Center Hosting Server,216.144.187.199:53,N/A
    FWOUT,2004/06/09,19:53:40 -4:00 GMT,192.168.1.101:0,224.0.0.22:0,IGMP (type:34)
    PE,2004/06/09,19:53:54 -4:00 GMT,YPager.exe,0.0.0.0:5101,N/A
    FWIN,2004/06/09,20:14:36 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8777,UDP
    FWIN,2004/06/09,20:14:36 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8778,UDP
    FWIN,2004/06/09,20:14:36 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8779,UDP
    FWIN,2004/06/09,20:14:36 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8780,UDP
    FWIN,2004/06/09,20:14:36 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8781,UDP
    FWIN,2004/06/09,20:14:36 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8782,UDP
    FWIN,2004/06/09,20:14:36 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8783,UDP
    FWIN,2004/06/09,20:14:36 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8784,UDP
    FWIN,2004/06/09,20:14:36 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8785,UDP
    FWIN,2004/06/09,20:14:36 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8786,UDP
    FWIN,2004/06/09,20:15:34 -4:00 GMT,192.168.1.100:1370,192.168.1.101:20500,TCP (flags:S)
    FWIN,2004/06/09,20:21:02 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8777,UDP
    FWIN,2004/06/09,20:21:02 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8778,UDP
    FWIN,2004/06/09,20:21:02 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8779,UDP
    FWIN,2004/06/09,20:21:02 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8780,UDP
    FWIN,2004/06/09,20:21:02 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8781,UDP
    FWIN,2004/06/09,20:21:02 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8782,UDP
    FWIN,2004/06/09,20:21:02 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8783,UDP
    FWIN,2004/06/09,20:21:02 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8784,UDP
    FWIN,2004/06/09,20:21:02 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8785,UDP
    FWIN,2004/06/09,20:21:02 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8786,UDP
    PE,2004/06/09,20:27:34 -4:00 GMT,YPager.exe,0.0.0.0:5101,N/A
    PE,2004/06/09,20:28:30 -4:00 GMT,RealPlayer,216.144.187.71:53,N/A
    FWOUT,2004/06/09,20:28:42 -4:00 GMT,192.168.1.101:3006,216.144.187.199:53,UDP
    PE,2004/06/09,20:29:56 -4:00 GMT,RealNetworks Rhapsody,207.44.96.129:53,N/A
    PE,2004/06/09,20:32:42 -4:00 GMT,Microsoft Windows Media Configuration Utility,207.44.96.129:53,N/A
    PE,2004/06/09,20:32:46 -4:00 GMT,Windows Media Player,207.44.96.129:53,N/A
    PE,2004/06/09,20:34:18 -4:00 GMT,RealPlayer,216.144.187.199:53,N/A
    ACCESS,2004/06/09,20:48:00 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (207.44.96.129:DNS).,N/A,N/A
     
  12. 2004/06/14
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    IM Security,2004/06/09,20:49:16 -4:00 GMT,mmsmith411,**********,encryption deactivated,Yahoo
    FWIN,2004/06/09,21:53:40 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8777,UDP
    FWIN,2004/06/09,21:53:40 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8778,UDP
    FWIN,2004/06/09,21:53:40 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8779,UDP
    FWIN,2004/06/09,21:53:40 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8780,UDP
    FWIN,2004/06/09,21:53:40 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8781,UDP
    FWIN,2004/06/09,21:53:40 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8782,UDP
    FWIN,2004/06/09,21:53:40 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8783,UDP
    FWIN,2004/06/09,21:53:40 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8784,UDP
    FWIN,2004/06/09,21:53:40 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8785,UDP
    FWIN,2004/06/09,21:53:40 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8786,UDP
    FWOUT,2004/06/09,21:56:54 -4:00 GMT,192.168.1.101:3008,216.144.187.199:53,UDP
    PE,2004/06/09,22:42:54 -4:00 GMT,Application Layer Gateway Service,192.168.1.101:3870,N/A
     
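The questions asked earlier in the thread (what has been allowed and blocked, whether anything is acting as a server, which addresses are worth a WhoIs lookup) can be answered from the ZoneAlarm log layout shown in the last three posts, but not by eye once the file runs to thousands of lines. The following is an added example, not code from this thread or from Zone Labs: a Python analyzer over a constructed sample in the same `type,date,time,source,destination,transport` layout. It separates program permission events (PE) from packet-filter events (FWIN/FWOUT), records which programs asked to listen (a `0.0.0.0:port` destination), splits inbound TCP SYNs by whether the source is on the LAN or the Internet, notes any program that tried port 25, and collects the public addresses to look up. The sample lines are constructed; the `203.0.113.45` probe in particular is invented (RFC 5737 documentation range) so the LAN/Internet split has something to show, and `192.168.1.101` stands for the local machine.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the ZoneAlarm 5 log posted in this thread
# (type,date,time,source,destination,transport). Illustrative lines only.
SAMPLE_LOG = """\
PE,2004/06/09,05:55:48 -4:00 GMT,Generic Host Process for Win32 Services,216.144.187.199:53,N/A
ACCESS,2004/06/09,05:55:48 -4:00 GMT,Generic Host Process for Win32 Services was unable to obtain permission for connecting to the Internet (216.144.187.199:DNS); access was denied.,N/A,N/A
PE,2004/06/09,18:42:26 -4:00 GMT,YPager.exe,0.0.0.0:5101,N/A
PE,2004/06/09,18:49:32 -4:00 GMT,YPager.exe,216.136.225.27:25,N/A
ACCESS,2004/06/09,19:04:20 -4:00 GMT,ypager.exe has been blocked from sending e-mail messages. Use the Programs List to allow Send Mail permissions for this program.,N/A,N/A
FWIN,2004/06/09,18:40:18 -4:00 GMT,192.168.1.100:1208,192.168.1.101:20500,TCP (flags:S)
FWIN,2004/06/09,20:15:34 -4:00 GMT,192.168.1.100:1370,192.168.1.101:20500,TCP (flags:S)
FWIN,2004/06/09,20:14:36 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8777,UDP
FWIN,2004/06/09,20:14:36 -4:00 GMT,192.168.1.100:9777,255.255.255.255:8778,UDP
FWIN,2004/06/09,21:10:00 -4:00 GMT,203.0.113.45:4321,192.168.1.101:135,TCP (flags:S)
FWOUT,2004/06/09,18:47:56 -4:00 GMT,192.168.1.101:0,224.0.0.22:0,IGMP (type:34)
FWOUT,2004/06/09,18:38:54 -4:00 GMT,192.168.1.101:1028,216.144.187.199:53,UDP
AV/update,2004/06/09,18:33:26 -4:00 GMT,vet.signatures(8388),Update Install Completed,Manual
"""

# Explicit LAN ranges rather than ipaddress.is_private, which also treats the
# documentation ranges (such as 203.0.113.0/24) as private.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]
DENIED_RE = re.compile(r"^(?P<prog>.+?) (?:was|has been) ")  # ACCESS text starts with the program name


def split_endpoint(ep):
    """'216.144.187.199:53' -> ('216.144.187.199', 53)."""
    ip, _, port = ep.rpartition(":")
    return ip, int(port)


def classify(ip_str):
    ip = ipaddress.ip_address(ip_str)
    if ip_str == "255.255.255.255":
        return "broadcast"
    if ip.is_multicast:
        return "multicast"
    if ip.is_unspecified:  # 0.0.0.0 in a PE line: the program asked to listen on all interfaces
        return "any"
    return "lan" if any(ip in n for n in LAN_NETS) else "internet"


def analyze(text):
    rep = {
        "inbound_syn": Counter(),        # (src_ip, src_class, dst_port): TCP connect attempts at this host
        "inbound_other": Counter(),      # (src_ip, dst_ip, dst_port, transport): UDP, broadcast, etc.
        "outbound_blocked": Counter(),   # (dst_ip, dst_port, transport, dst_class) from FWOUT lines
        "listeners": defaultdict(set),   # program -> ports it asked to accept connections on
        "outbound": defaultdict(set),    # program -> (dst_ip, dst_port, dst_class) it asked to reach
        "smtp_senders": set(),           # programs that tried port 25: mass-mailer sign unless it is your mail client
        "denied": Counter(),             # program -> number of ACCESS denials logged for it
        "whois": set(),                  # public addresses worth a WHOIS lookup
    }
    for line in text.splitlines():
        f = line.split(",")
        if len(f) < 6:
            continue
        kind = f[0]
        if kind == "PE":  # program-level permission event
            prog, (ip, port) = f[3], split_endpoint(f[4])
            cls = classify(ip)
            if cls == "any":
                rep["listeners"][prog].add(port)
                continue
            rep["outbound"][prog].add((ip, port, cls))
            if cls == "internet":
                rep["whois"].add(ip)
            if port == 25:
                rep["smtp_senders"].add(prog)
        elif kind == "FWIN":  # packet the firewall rules stopped on the way in
            (sip, _), (dip, dport), transport = split_endpoint(f[3]), split_endpoint(f[4]), f[5]
            scls = classify(sip)
            if transport.startswith("TCP") and "flags:S" in transport:
                rep["inbound_syn"][(sip, scls, dport)] += 1
            else:
                rep["inbound_other"][(sip, dip, dport, transport)] += 1
            if scls == "internet":
                rep["whois"].add(sip)
        elif kind == "FWOUT":  # packet stopped on the way out; no program name at this layer
            (dip, dport), transport = split_endpoint(f[4]), f[5]
            dcls = classify(dip)
            rep["outbound_blocked"][(dip, dport, transport, dcls)] += 1
            if dcls == "internet":
                rep["whois"].add(dip)
        elif kind == "ACCESS":
            m = DENIED_RE.match(f[3])
            if m:
                rep["denied"][m.group("prog")] += 1
    return rep


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for (src, cls, port), n in sorted(r["inbound_syn"].items()):
        print(f"{n:3} inbound SYN from {src:16} ({cls}) -> port {port}")
    for prog, ports in r["listeners"].items():
        print(f"listen request: {prog} on {sorted(ports)}")
    print("smtp senders:", sorted(r["smtp_senders"]))
    print("whois:", ", ".join(sorted(r["whois"])))
```

Reading the result: repeated SYNs from the same LAN host to one local port (here `192.168.1.100` to port 20500) point at a specific program on that machine and are the first thing to identify; a SYN from an Internet address to a Windows service port is a probe that the firewall stopped; the UDP broadcasts to 8777-8786 come from the LAN host and are noise unless you cannot name the program sending them; and a program other than your mail client asking for port 25 deserves the same scrutiny ZoneAlarm gave `ypager.exe`. The `whois` set is the list to feed into the WhoIs lookups suggested earlier.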
  13. 2004/06/14
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    oops


    I have heard that something isn't good about having IIS running, and this log was right by the ZoneAlarm one.

    [9/13/2002 2:7:45] LogFile Open. [***** Search on FAIL/MessageBox keywords for failures *****].
    [9/13/2002 2:7:45] Initial thread locale=409
    [9/13/2002 2:7:45] returned from France fix with locale 409
    [9/13/2002 2:7:45] OC_PREINITIALIZE:[iis] End. Return=1 (OCFLAG_UNICODE)
    [9/13/2002 2:7:45] OC_INIT_COMPONENT:[iis,(null)] Start.
    [9/13/2002 2:7:45] OC_INIT_COMPONENT:9/3/2002 16:35:06 A_______ 6.0.2600.1106: 6.0.2600.1106 (xpsp1.020828-1920): x86: D:\WINDOWS\System32\Setup\iis.dll
    [9/13/2002 2:7:45] OC_INIT_COMPONENT:Set UnAttendFlag:OFF (File='')
    [9/13/2002 2:7:45] OC_INIT_COMPONENT:CmdLine=setup -newsetup
    [6/9/2004 3:28:26] OC_CLEANUP:Final Check:LogFile Close.
    [6/9/2004 5:53:55] LogFile Open. [***** Search on FAIL/MessageBox keywords for failures *****].
    [6/9/2004 5:53:55] Initial thread locale=409
    [6/9/2004 5:53:55] returned from France fix with locale 409
    [6/9/2004 5:53:55] OC_PREINITIALIZE:[iis] End. Return=1 (OCFLAG_UNICODE)
    [6/9/2004 5:53:55] OC_INIT_COMPONENT:[iis,(null)] Start.
    [6/9/2004 5:53:55] OC_INIT_COMPONENT:9/3/2002 20:35:06 _____N__ 6.0.2600.1106: 6.0.2600.1106 (xpsp1.020828-1920): x86: D:\WINDOWS\System32\Setup\iis.dll
    [6/9/2004 5:53:55] OC_INIT_COMPONENT:Set UnAttendFlag:OFF (File='')
    [6/9/2004 5:53:55] OC_INIT_COMPONENT:CmdLine=c:\5b91f5fffcc0428df10e0979\update\update.exe -q /Z -ER -PA
    [6/9/2004 5:53:55] OC_INIT_COMPONENT:Old InetPub='D:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [6/9/2004 5:53:55] OC_INIT_COMPONENT:Old InetPub='D:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [6/9/2004 5:53:59] OC_CLEANUP:Final Check:LogFile Close.
    [6/9/2004 5:54:46] LogFile Open. [***** Search on FAIL/MessageBox keywords for failures *****].
    [6/9/2004 5:54:46] Initial thread locale=409
    [6/9/2004 5:54:46] returned from France fix with locale 409
    [6/9/2004 5:54:46] OC_PREINITIALIZE:[iis] End. Return=1 (OCFLAG_UNICODE)
    [6/9/2004 5:54:46] OC_INIT_COMPONENT:[iis,(null)] Start.
    [6/9/2004 5:54:46] OC_INIT_COMPONENT:9/3/2002 20:35:06 _____N__ 6.0.2600.1106: 6.0.2600.1106 (xpsp1.020828-1920): x86: D:\WINDOWS\System32\Setup\iis.dll
    [6/9/2004 5:54:46] OC_INIT_COMPONENT:Set UnAttendFlag:OFF (File='')
    [6/9/2004 5:54:46] OC_INIT_COMPONENT:CmdLine=c:\17083323d08dd4e20955f0189036f895\sp2\update\update.exe -q /Z -ER
    [6/9/2004 5:54:46] OC_INIT_COMPONENT:Old InetPub='D:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [6/9/2004 5:54:46] OC_INIT_COMPONENT:Old InetPub='D:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [6/9/2004 5:54:47] OC_CLEANUP:Final Check:LogFile Close.
    [6/9/2004 5:55:21] LogFile Open. [***** Search on FAIL/MessageBox keywords for failures *****].
    [6/9/2004 5:55:21] Initial thread locale=409
    [6/9/2004 5:55:21] returned from France fix with locale 409
    [6/9/2004 5:55:21] OC_PREINITIALIZE:[iis] End. Return=1 (OCFLAG_UNICODE)
    [6/9/2004 5:55:21] OC_INIT_COMPONENT:[iis,(null)] Start.
    [6/9/2004 5:55:21] OC_INIT_COMPONENT:9/3/2002 20:35:06 _____N__ 6.0.2600.1106: 6.0.2600.1106 (xpsp1.020828-1920): x86: D:\WINDOWS\System32\Setup\iis.dll
    [6/9/2004 5:55:21] OC_INIT_COMPONENT:Set UnAttendFlag:OFF (File='')
    [6/9/2004 5:55:21] OC_INIT_COMPONENT:CmdLine=c:\0cd0aa1f25dd7b93c17aa05433\update\update.exe -q /Z -ER -PA
    [6/9/2004 5:55:21] OC_INIT_COMPONENT:Old InetPub='D:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [6/9/2004 5:55:21] OC_INIT_COMPONENT:Old InetPub='D:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [6/9/2004 5:55:23] OC_CLEANUP:Final Check:LogFile Close.
    [6/9/2004 5:55:51] LogFile Open. [***** Search on FAIL/MessageBox keywords for failures *****].
    [6/9/2004 5:55:51] Initial thread locale=409
    [6/9/2004 5:55:51] returned from France fix with locale 409
    [6/9/2004 5:55:51] OC_PREINITIALIZE:[iis] End. Return=1 (OCFLAG_UNICODE)
    [6/9/2004 5:55:51] OC_INIT_COMPONENT:[iis,(null)] Start.
    [6/9/2004 5:55:51] OC_INIT_COMPONENT:9/3/2002 20:35:06 _____N__ 6.0.2600.1106: 6.0.2600.1106 (xpsp1.020828-1920): x86: D:\WINDOWS\System32\Setup\iis.dll
    [6/9/2004 5:55:51] OC_INIT_COMPONENT:Set UnAttendFlag:OFF (File='')
    [6/9/2004 5:55:51] OC_INIT_COMPONENT:CmdLine=c:\e9657ba44f5f1a807567\update\update.exe -q /Z -ER -PA
    [6/9/2004 5:55:51] OC_INIT_COMPONENT:Old InetPub='D:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [6/9/2004 5:55:51] OC_INIT_COMPONENT:Old InetPub='D:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [6/9/2004 5:55:53] OC_CLEANUP:Final Check:LogFile Close.
    [6/9/2004 5:56:32] LogFile Open. [***** Search on FAIL/MessageBox keywords for failures *****].
    [6/9/2004 5:56:32] Initial thread locale=409
    [6/9/2004 5:56:32] returned from France fix with locale 409
    [6/9/2004 5:56:32] OC_PREINITIALIZE:[iis] End. Return=1 (OCFLAG_UNICODE)
    [6/9/2004 5:56:32] OC_INIT_COMPONENT:[iis,(null)] Start.
    [6/9/2004 5:56:32] OC_INIT_COMPONENT:9/3/2002 20:35:06 _____N__ 6.0.2600.1106: 6.0.2600.1106 (xpsp1.020828-1920): x86: D:\WINDOWS\System32\Setup\iis.dll
    [6/9/2004 5:56:32] OC_INIT_COMPONENT:Set UnAttendFlag:OFF (File='')
    [6/9/2004 5:56:32] OC_INIT_COMPONENT:CmdLine=c:\8a5b4de3176eb4b0e5087c\sp2\update\update.exe -q /Z -ER
    [6/9/2004 5:56:32] OC_INIT_COMPONENT:Old InetPub='D:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [6/9/2004 5:56:32] OC_INIT_COMPONENT:Old InetPub='D:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [6/9/2004 5:56:34] OC_CLEANUP:Final Check:LogFile Close.
    [6/9/2004 5:56:59] LogFile Open. [***** Search on FAIL/MessageBox keywords for failures *****].
    [6/9/2004 5:56:59] Initial thread locale=409
    [6/9/2004 5:56:59] returned from France fix with locale 409
    [6/9/2004 5:56:59] OC_PREINITIALIZE:[iis] End. Return=1 (OCFLAG_UNICODE)
    [6/9/2004 5:56:59] OC_INIT_COMPONENT:[iis,(null)] Start.
    [6/9/2004 5:56:59] OC_INIT_COMPONENT:9/3/2002 20:35:06 _____N__ 6.0.2600.1106: 6.0.2600.1106 (xpsp1.020828-1920): x86: D:\WINDOWS\System32\Setup\iis.dll
    [6/9/2004 5:56:59] OC_INIT_COMPONENT:Set UnAttendFlag:OFF (File='')
    [6/9/2004 5:56:59] OC_INIT_COMPONENT:CmdLine=c:\ccb3d3e7b3096a3ef0acc4f219\update\update.exe -q /Z -ER
    [6/9/2004 5:56:59] OC_INIT_COMPONENT:Old InetPub='D:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [6/9/2004 5:56:59] OC_INIT_COMPONENT:Old InetPub='D:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [6/9/2004 5:57:1] OC_CLEANUP:Final Check:LogFile Close.
    [6/9/2004 5:57:34] LogFile Open. [***** Search on FAIL/MessageBox keywords for failures *****].
    [6/9/2004 5:57:34] Initial thread locale=409
    [6/9/2004 5:57:34] returned from France fix with locale 409
    [6/9/2004 5:57:34] OC_PREINITIALIZE:[iis] End. Return=1 (OCFLAG_UNICODE)
    [6/9/2004 5:57:34] OC_INIT_COMPONENT:[iis,(null)] Start.
    [6/9/2004 5:57:34] OC_INIT_COMPONENT:9/3/2002 20:35:06 _____N__ 6.0.2600.1106: 6.0.2600.1106 (xpsp1.020828-1920): x86: D:\WINDOWS\System32\Setup\iis.dll
    [6/9/2004 5:57:34] OC_INIT_COMPONENT:Set UnAttendFlag:OFF (File='')
    [6/9/2004 5:57:34] OC_INIT_COMPONENT:CmdLine=c:\60be4e974b8785dc9d\update\update.exe -q -z -ER
    [6/9/2004 5:57:34] OC_INIT_COMPONENT:Old InetPub='D:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [6/9/2004 5:57:34] OC_INIT_COMPONENT:Old InetPub='D:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [6/9/2004 5:57:36] OC_CLEANUP:Final Check:LogFile Close.
    [6/9/2004 5:58:16] LogFile Open. [***** Search on FAIL/MessageBox keywords for failures *****].
    [6/9/2004 5:58:16] Initial thread locale=409
    [6/9/2004 5:58:16] returned from France fix with locale 409
    [6/9/2004 5:58:16] OC_PREINITIALIZE:[iis] End. Return=1 (OCFLAG_UNICODE)
    [6/9/2004 5:58:16] OC_INIT_COMPONENT:[iis,(null)] Start.
    [6/9/2004 5:58:16] OC_INIT_COMPONENT:9/3/2002 20:35:06 _____N__ 6.0.2600.1106: 6.0.2600.1106 (xpsp1.020828-1920): x86: D:\WINDOWS\System32\Setup\iis.dll


    Ok, well, here is part of it, and if anyone thinks this could have anything to do with it, I will post the rest. It is about 3 posts long :eek: just for the day I reinstalled.
     
  14. 2004/06/14
    missmissy


    I am very excited about talking to Joe tomorrow. Sounds like if anyone can figure this out, he can.


    HUGS to everyone that is trying to help me. This is really a great site!!!!
     
  15. 2004/06/14
    noahdfear

    You stated earlier that you never used MonitorWare, but it is installed and running.

    D:\Program Files\MonitorWare\Agent\mwagent.exe
    D:\Program Files\Security Administrator\newadmin.exe
    O4 - HKLM\..\Run: [00saskda] "D:\Program Files\Security Administrator\newadmin.exe" saskda

    That executable, newadmin.exe, suggests to me that there is a NEW administrator. Disable that program, uninstall it, whatever. If you're not using it, get rid of it. It's in use and may be overriding your Admin rights.

    I'll keep looking through the HJT log. Just wanted to stop and address that.
     
  16. 2004/06/14
    missmissy

    WOW, this is the startup list, and boy is it long. :eek:

    StartupList report, 6/14/2004, 9:39:25 PM
    StartupList version: 1.52
    Started from : D:\Program Files\TrojanHunter 3.9\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\netdde.exe
    D:\Program Files\MonitorWare\Agent\mwagent.exe
    D:\WINDOWS\System32\alg.exe
    D:\WINDOWS\System32\ZoneLabs\isafe.exe
    D:\WINDOWS\system32\clipsrv.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\system32\ZONELABS\vsmon.exe
    D:\WINDOWS\System32\wbem\wmiapsrv.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\Security Administrator\newadmin.exe
    D:\WINDOWS\System32\ltmsg.exe
    D:\Program Files\Yahoo!\Messenger\ypager.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\Program Files\Turbo Searcher\TurboSearcher.exe
    D:\WINDOWS\System32\RUNDLL32.EXE
    D:\Program Files\SpywareGuard\sgmain.exe
    D:\WINDOWS\System32\devldr32.exe
    D:\Program Files\SpywareGuard\sgbhp.exe
    D:\WINDOWS\System32\wuauclt.exe
    D:\Program Files\TrojanHunter 3.9\HijackThis.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\WINDOWS\system32\NOTEPAD.EXE
    D:\Program Files\RealRhapsody\Rhapsody.exe
    D:\WINDOWS\system32\NOTEPAD.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [D:\Documents and Settings\Melissa\Start Menu\Programs\Startup]
    SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [D:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    *No files*

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = D:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Zone Labs Client = "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    TkBellExe = "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    RegistryMechanic = D:\Program Files\Registry Mechanic\RegMech.exe /QS
    00saskda = "D:\Program Files\Security Administrator\newadmin.exe" saskda
    zzsecagent =
    LTWinModem1 = ltmsg.exe 9
    NvCplDaemon = RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
    MSConfig = D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Yahoo! Pager = D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    SpybotSD TeaTimer = D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    Turbo Searcher = "D:\Program Files\Turbo Searcher\TurboSearcher.exe" /minimized
    NvMediaCenter = RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*
     
  17. 2004/06/14
    missmissy

    More of the HJT startup list; this may take a few posts.

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = D:\WINDOWS\System32\mshta.exe "%1" %*

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = D:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{306D6C21-C1B6-4629-986C-E59E1875B8AF}] *
    StubPath = "D:\WINDOWS\System32\rundll32.exe" "D:\Program Files\Messenger\msgsc.dll ",HideIconsUser

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from D:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from D:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=D:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*
     
  18. 2004/06/14
    missmissy

    And more.

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    D:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    D:\WINDOWS\Explorer\Explorer.exe: not present
    D:\WINDOWS\System\Explorer.exe: not present
    D:\WINDOWS\System32\Explorer.exe: not present
    D:\WINDOWS\Command\Explorer.exe: not present
    D:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: not hidden (arrow overlay: yes)
    .pif: not hidden (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: not hidden
    .shb: not hidden
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: not hidden (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in D:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - D:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
    SpywareGuard Download Protection - D:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
    (no name) - D:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - d:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [DirectAnimation Java Classes]
    CODEBASE = file://D:\WINDOWS\Java\classes\dajava.cab
    OSD = D:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

    [Microsoft XML Parser for Java]
    CODEBASE = file://D:\WINDOWS\Java\classes\xmldso.cab
    OSD = D:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [Shockwave ActiveX Control]
    InProcServer32 = D:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [YInstStarter Class]
    InProcServer32 = D:\WINDOWS\Downloaded Program Files\yinsthelper.dll
    CODEBASE = http://download.yahoo.com/dl/installs/yinst0401.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [Microsoft.WinRep]
    InProcServer32 = D:\WINDOWS\System32\Winrep.dll
    CODEBASE = https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

    [Update Class]
    InProcServer32 = D:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38147.639375

    [CRAVOnline Object]
    InProcServer32 = D:\WINDOWS\Downloaded Program Files\ravonline.dll
    CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab

    [YAddBook Class]
    InProcServer32 = D:\PROGRA~1\Yahoo!\Common\yaddbook.dll
    CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab

    [Shockwave Flash Object]
    InProcServer32 = D:\WINDOWS\System32\Macromed\Flash\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: D:\WINDOWS\System32\mswsock.dll
    NameSpace #2: D:\WINDOWS\System32\winrnr.dll
    NameSpace #3: D:\WINDOWS\System32\mswsock.dll
    Protocol #1: imslsp.dll (file MISSING)
    Protocol #2: imslsp.dll (file MISSING)
    Protocol #3: imslsp.dll (file MISSING)
    Protocol #4: D:\WINDOWS\System32\ZoneLabs\vetredir.dll
    Protocol #5: D:\WINDOWS\system32\mswsock.dll
    Protocol #6: D:\WINDOWS\system32\mswsock.dll
    Protocol #7: D:\WINDOWS\system32\mswsock.dll
    Protocol #8: D:\WINDOWS\system32\rsvpsp.dll
    Protocol #9: D:\WINDOWS\system32\rsvpsp.dll
    Protocol #10: D:\WINDOWS\system32\mswsock.dll
    Protocol #11: D:\WINDOWS\system32\mswsock.dll
    Protocol #12: D:\WINDOWS\system32\mswsock.dll
    Protocol #13: D:\WINDOWS\system32\mswsock.dll
    Protocol #14: D:\WINDOWS\system32\mswsock.dll
    Protocol #15: D:\WINDOWS\system32\mswsock.dll
    Protocol #16: D:\WINDOWS\System32\ZoneLabs\vetredir.dll
    Protocol #17: imslsp.dll (file MISSING)
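The cross-check noahdfear did by hand above (an autorun entry whose program also shows up in the running-process list) together with the "(file MISSING)" LSP entries in this post, as an added Python example that is not from the thread or from the StartupList/HijackThis tools. It assumes a constructed, trimmed excerpt in the same layout as the report posted here and takes D:\WINDOWS as the Windows directory, as in this thread.

```python
"""Triage helper for a StartupList (HijackThis) report: added example, not a tool from the thread.

Cross-references the 'Running processes', 'Autorun entries from Registry' and 'Enumerating
Winsock LSP files' sections: an autorun whose program lives outside the Windows directory and is
currently running deserves a closer look, an empty autorun value is a leftover to clean up, and an
LSP entry whose file is missing means the Winsock chain is broken.
"""
import re

# Constructed sample: a trimmed excerpt in the same layout as the report posted in the thread.
SAMPLE_REPORT = r"""
Running processes:

D:\Program Files\MonitorWare\Agent\mwagent.exe
D:\Program Files\Security Administrator\newadmin.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

00saskda = "D:\Program Files\Security Administrator\newadmin.exe" saskda
zzsecagent =
MSConfig = D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: D:\WINDOWS\System32\mswsock.dll
Protocol #1: imslsp.dll (file MISSING)
"""

RULE = re.compile(r"^[-=]{20,}$")            # '-----' / '=====' lines between sections
AUTORUN = re.compile(r"^(.+?)\s*=\s*(.*)$")  # 'name = command' (command may be empty)
EXE = re.compile(r'"([^"]+)"|(.+?\.exe)\b|(\S+)', re.IGNORECASE)

def split_sections(text):
    """Blocks of non-blank lines, split on the rule lines."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if RULE.match(line):
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections

def parse_report(text):
    """Return (processes, autoruns, lsps): autoruns as (key, name, command), lsps as (slot, target)."""
    processes, autoruns, lsps = [], [], []
    for lines in split_sections(text):
        head, body = lines[0], lines[1:]
        if head == "Running processes:":
            processes.extend(body)
        elif head == "Autorun entries from Registry:" and body:
            key = body[0]  # the registry key comes right after the header
            for entry in body[1:]:
                m = AUTORUN.match(entry)
                if m and not entry.startswith("*"):  # skip '*No values found*' and friends
                    autoruns.append((key, m.group(1), m.group(2)))
        elif head == "Enumerating Winsock LSP files:":
            for entry in body:
                slot, _, target = entry.partition(": ")
                lsps.append((slot, target))
    return processes, autoruns, lsps

def exe_of(command):
    """Program an autorun command launches: quoted path, else text up to '.exe', else first token."""
    m = EXE.match(command)
    return next(g for g in m.groups() if g) if m else ""

def triage(text, windir="D:\\WINDOWS"):
    """Findings as (category, where, name, detail); windir defaults to the layout in this thread."""
    processes, autoruns, lsps = parse_report(text)
    running = {p.lower() for p in processes}
    findings = []
    for key, name, command in autoruns:
        exe = exe_of(command)
        if not exe:
            findings.append(("autorun-empty-value", key, name, ""))
        elif not exe.lower().startswith(windir.lower() + "\\"):
            state = "running" if exe.lower() in running else "not-running"
            findings.append(("autorun-outside-windir-" + state, key, name, exe))
    for slot, target in lsps:
        if target.endswith("(file MISSING)"):
            findings.append(("lsp-file-missing", slot, target[:-len(" (file MISSING)")], ""))
    return findings
```

Entries under the Windows directory (MSConfig in the sample) produce no finding, so the output is the short list a helper would actually read through rather than the whole report.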
     
  19. 2004/06/14
    missmissy

    More.

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    AdisconMonitoreWareAgent: D:\Program Files\MonitorWare\Agent\mwagent.exe (autostart)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
    Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    Belarc SMBios Access: \SystemRoot\System32\Drivers\BANTExt.sys (system)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    CA ISafe: D:\WINDOWS\System32\ZoneLabs\isafe.exe (autostart)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (autostart)
    COM+ System Application: D:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Creative SBLive! Gameport: System32\DRIVERS\ctljystk.sys (manual start)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    DAVICOM 9102(A) PCI Fast Ethernet Based NT Driver: System32\DRIVERS\DM9PCI5.SYS (manual start)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    dmio: System32\drivers\dmio.sys (disabled)
    dmload: System32\drivers\dmload.sys (disabled)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    Creative SB Live! (WDM): system32\drivers\emu10k1m.sys (manual start)
    Creative Interface Manager Driver (WDM): system32\drivers\ctlfacem.sys (manual start)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: D:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: D:\WINDOWS\System32\imapi.exe (manual start)
    IntelIde: System32\DRIVERS\intelide.sys (system)
    IPv6 Firewall Driver: System32\DRIVERS\Ip6Fw.sys (manual start)
    IPv6 Internet Connection Firewall: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (system)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  20. 2004/06/14
    missmissy

    Wowzers, one more.


    Lucent Modem Driver: System32\DRIVERS\ltmdmxp.sys (manual start)
    Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    NetMeeting Remote Desktop Sharing: D:\WINDOWS\System32\mnmsrvc.exe (manual start)
    Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
    WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: D:\WINDOWS\System32\msdtc.exe (manual start)
    Windows Installer: D:\WINDOWS\System32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
    Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    nv: System32\DRIVERS\nv4_mini.sys (manual start)
    NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Processor Driver: System32\DRIVERS\processr.sys (system)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Remote Desktop Help Session Manager: D:\WINDOWS\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (disabled)
    Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (manual start)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    Creative SoundFont Manager Driver (WDM): system32\drivers\sfmanm.sys (manual start)
    Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: D:\WINDOWS\System32\dllhost.exe /Processid:{0ACA68B2-D126-41C3-A1E6-24A3342418FF} (manual start)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    vsdatant: System32\vsdatant.sys (system)
    TrueVector Internet Monitor: D:\WINDOWS\system32\ZONELABS\vsmon.exe -service (autostart)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (disabled)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: D:\WINDOWS\System32\wbem\wmiapsrv.exe (autostart)
    Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (manual start)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: D:\WINDOWS\system32\SHELL32.dll
    CDBurn: D:\WINDOWS\system32\SHELL32.dll
    WebCheck: D:\WINDOWS\System32\webcheck.dll
    SysTray: D:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 31,128 bytes
    Report generated in 0.141 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
     
  21. 2004/06/14
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
I didn't know you could customize HJT; I only ever looked at the one page. I took off 'ignore safe items' and it changed a bit.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:52:04 PM, on 6/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\netdde.exe
    D:\Program Files\MonitorWare\Agent\mwagent.exe
    D:\WINDOWS\System32\alg.exe
    D:\WINDOWS\System32\ZoneLabs\isafe.exe
    D:\WINDOWS\system32\clipsrv.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\system32\ZONELABS\vsmon.exe
    D:\WINDOWS\System32\wbem\wmiapsrv.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\Security Administrator\newadmin.exe
    D:\WINDOWS\System32\ltmsg.exe
    D:\Program Files\Yahoo!\Messenger\ypager.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\Program Files\Turbo Searcher\TurboSearcher.exe
    D:\WINDOWS\System32\RUNDLL32.EXE
    D:\Program Files\SpywareGuard\sgmain.exe
    D:\WINDOWS\System32\devldr32.exe
    D:\Program Files\SpywareGuard\sgbhp.exe
    D:\WINDOWS\System32\wuauclt.exe
    D:\Program Files\TrojanHunter 3.9\HijackThis.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\WINDOWS\system32\NOTEPAD.EXE
    D:\Program Files\RealRhapsody\Rhapsody.exe
    D:\WINDOWS\system32\NOTEPAD.EXE
    D:\WINDOWS\System32\notepad.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RegistryMechanic] D:\Program Files\Registry Mechanic\RegMech.exe /QS
    O4 - HKLM\..\Run: [00saskda] "D:\Program Files\Security Administrator\newadmin.exe" saskda
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Turbo Searcher] "D:\Program Files\Turbo Searcher\TurboSearcher.exe" /minimized
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward &Links - res://d:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://d:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing
    O12 - Plugin for .bcf: D:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O15 - Trusted Zone: http://free.aol.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38147.639375
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     