

Discussion in 'Windows XP' started by dustyddog, Apr 15, 2004.

Thread Status:
Not open for further replies.
  1. dustyddog

    dustyddog Thread Starter

    Apr 15, 2004
    This forum has been a great deal of support. We have five children with varying levels of computer skills. Started having strange problems. I have now done Adaware, Spybot and here is the Hijack file. Please take a look and see if there is anything alarming, and let me know if there is anything else I need to do. Thanks in advance, Dusty

    Logfile of HijackThis v1.97.7
    Scan saved at 2:11:28 AM, on 4/15/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    F:\Program Files\ZoneAlarm\zapro.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.2good2toss.com/
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - Global Startup: ZoneAlarm Pro.lnk = F:\Program Files\ZoneAlarm\zapro.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38089.9911689815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  2. Rollin' Rog

    Rollin' Rog

    Dec 9, 2000
    Shortest Scanlog I've ever seen. In fact I almost have to question its legitimacy since the log is not even showing normal Win2k Services. Are you sure you copied it completely?
  3. dustyddog

    dustyddog Thread Starter

    Apr 15, 2004
    Guess I'm not using hijackthis correctly. Seems simple enough, but maybe that's the problem - I'm too simple. How do you get a complete scan?
  4. Rollin' Rog

    Rollin' Rog

    Dec 9, 2000
    Once you have selected Scan, then save the Scanlog. Open that and select Edit > Select All, Edit > Copy. Then you can right click on a message box here and select "Paste". The entire log text should appear. Verify that what you see is what you get.

    To double check, would you also open the Task Manager (ctrl-alt-del) and verify that all the processes shown there are also listed as "Running Processes" in HijackThis.
  5. dustyddog

    dustyddog Thread Starter

    Apr 15, 2004
    I scanned again. The scan log only shows 6 or 8 processes running of the 30 when I look at Task Manager?????????????? Doesn't make any sense to me. Andy
  6. Rollin' Rog

    Rollin' Rog

    Dec 9, 2000
    Extremely weird, but let's try another method. Run HijackThis, instead of selecting Scan, select:

    Config > Misc Tools, put a check in "also list minor sections" then select "Generate Startuplist". Copy/paste that here instead. It won't show some things the scanlog shows, but it might show what is missing.
  7. dustyddog

    dustyddog Thread Starter

    Apr 15, 2004
    StartupList report, 4/16/2004, 10:45:23 PM
    StartupList version: 1.52
    Started from : C:\Installs\HijackThis.EXE
    Detected: Windows 2000 SP4 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Showing rarely important sections

    Running processes:

    F:\program files\Quicktime\qttask.exe
    F:\Program Files\ZoneAlarm\zapro.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE


    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    ZoneAlarm Pro.lnk = F:\Program Files\ZoneAlarm\zapro.exe


    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,


    Autorun entries from Registry:

    Synchronization Manager = mobsync.exe /logon
    QuickTime Task = "F:\program files\Quicktime\qttask.exe" -atboottime


    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
    StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\System32\ie4uinit.exe

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl


    Shell & screensaver key from C:\winnt\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*


    Checking for EXPLORER.EXE instances:

    C:\winnt\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\winnt\Explorer\Explorer.exe: not present
    C:\winnt\System\Explorer.exe: not present
    C:\winnt\System32\Explorer.exe: not present
    C:\winnt\Command\Explorer.exe: not present
    C:\winnt\Fonts\Explorer.exe: not present


    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden


    Enumerating Download Program Files:

    [Update Class]
    InProcServer32 = C:\winnt\system32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38089.9911689815

    [Shockwave Flash Object]
    InProcServer32 = C:\winnt\system32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    AVSync Manager: "C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe" (autostart)
    Computer Browser: %SystemRoot%\System32\services.exe (autostart)
    DHCP Client: %SystemRoot%\System32\services.exe (autostart)
    Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
    DNS Client: %SystemRoot%\System32\services.exe (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    Server: %SystemRoot%\System32\services.exe (autostart)
    Workstation: %SystemRoot%\System32\services.exe (autostart)
    TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
    Messenger: %SystemRoot%\System32\services.exe (autostart)
    Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\services.exe (autostart)
    Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
    RunAs Service: %SystemRoot%\system32\services.exe (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
    vsdatant: \??\C:\WINNT\system32\vsdatant.sys (autostart)
    TrueVector Internet Monitor: C:\WINNT\system32\ZoneLabs\vsmon.exe -service (autostart)
    Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
    Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)


    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\winnt\System32\webcheck.dll
    SysTray: stobject.dll

    End of report, 7,450 bytes
    Report generated in 0.391 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
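
An added example, not part of any post in the thread and not HijackThis code: a Python cross-check of the StartupList report above that lists executables hosting autostart services but absent from the report's own "Running processes" section, which is the gap the replies are chasing. The embedded report is an abridged excerpt of the lines posted above; the function names are hypothetical, and an autostart service can legitimately be stopped, so a result is a lead to verify rather than a verdict.

```python
import ntpath
import re

# Abridged excerpt of the StartupList report posted in the thread (sample input).
REPORT = r"""Running processes:

F:\program files\Quicktime\qttask.exe
F:\Program Files\ZoneAlarm\zapro.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
AVSync Manager: "C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe" (autostart)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
TrueVector Internet Monitor: C:\WINNT\system32\ZoneLabs\vsmon.exe -service (autostart)
"""

SERVICE = re.compile(r"^(?P<name>.+?): (?P<cmd>.+) \(autostart\)$")

def running_images(report):
    """Lower-cased image names from the 'Running processes:' section."""
    images, in_section = set(), False
    for line in map(str.strip, report.splitlines()):
        if line == "Running processes:":
            in_section = True
        elif in_section and re.match(r"[A-Za-z]:\\", line):
            images.add(ntpath.basename(line).lower())
        elif in_section and line:
            break  # first non-path line ends the section
    return images

def service_images(report):
    """Map each autostart service's host executable to the service names."""
    hosts = {}
    for line in map(str.strip, report.splitlines()):
        m = SERVICE.match(line)
        if not m:
            continue
        cmd = m["cmd"]
        exe = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]
        image = ntpath.basename(exe).lower()
        if image.endswith(".sys"):
            continue  # kernel drivers never appear as processes
        hosts.setdefault(image if "." in image else image + ".exe", []).append(m["name"])
    return hosts

def unlisted_service_hosts(report):
    """Service host executables that the process section does not show."""
    running = running_images(report)
    return {i: n for i, n in service_images(report).items() if i not in running}
```

Run over the full report, hosts such as services.exe and lsass.exe come back unlisted, which points at an incomplete process enumeration in the log rather than at the startup entries themselves.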
Short URL to this thread: https://techguy.org/220615