HJT Log - Server having problems


5 replies to this topic

#1 Ragnarok


  • Members
  • 34 posts

Posted 04 August 2005 - 12:35 PM

This is taken from one of our servers at work. It has been having problems all week.
The problems consist of our Symantec Antivirus appearing to be disabled. The icon in the tray has the symbol indicating it is disabled, and when you attempt to run a virus scan it says it was stopped by the user and does no scan.

I managed to find a way to make it scan. I go into the services screen and attempt to stop the service. It warns me that it cannot stop the service and I hit OK and then try to scan the computer again and this time the scan goes through its process.

It found some viruses on the computer and managed to contain them, but I am still having problems with Symantec being disabled after a reboot. Also, a couple of days ago it would not let me open IE; the process would start but no application would open. Outlook would also freeze when trying to open it. After getting the virus scan to run I can now open IE with no problems.

I was going to run the scan in safe mode but it will not allow me to get into safe mode. It almost gets to the login screen and then it just restarts itself. I have not been able to overcome this. I have been running the virus scan every night for the past few days and it is finding a few here and there in the new emails coming into the server for our users. (This server is our exchange system.)

Also, when rebooting, it takes a long time for the desktop to show up. It used to take just a few seconds but now it takes almost 3 minutes. Retrospect (our backup software) has not run since this started happening last weekend. It is vital we get these issues resolved as soon as possible.

Is there anything else I can try? I contacted Symantec only to be told our tech support expired a couple of months ago without my knowledge. Our reseller failed to inform us it was expiring. So while I get that straightened out, I would appreciate it if you all could take a look at this log and let me know what I can do to get things running smoothly again and get Symantec enabled.

Edit: BTW, I have run Ad-Aware, and this log was posted after running that, a virus scan, plus a fresh reboot.


Logfile of HijackThis v1.99.1
Scan saved at 12:21:23 PM, on 8/4/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
d:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
d:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
D:\Program Files\Sunbelt Software\CounterSpy\Enterprise\PolicyService.exe
C:\Program Files\Dell\OpenManage\OMSA\bin\dcevt32.exe
C:\Program Files\Dell\OpenManage\OMSA\bin\dcstor32.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
D:\MySQL\bin\mysqld-nt.exe
C:\PROGRA~1\SAV\Rtvscan.exe
D:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINNT\system32\ntfrs.exe
D:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\rsvp.exe
D:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
d:\Program Files\WatchGuard\WBServer\wbserver.exe
d:\Program Files\WatchGuard\CONTROLD.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
D:\ZFAX\SERVER\SYSMAN.EXE
D:\Program Files\Sunbelt Software\CounterSpy\Enterprise\ReportingService.exe
D:\ZFAX\SERVER\EPSTIFF.EXE
D:\ZFAX\SERVER\QM.EXE
D:\Program Files\Sunbelt Software\CounterSpy\Enterprise\UpdateService.exe
D:\ZFAX\SERVER\ADB.EXE
D:\ZFAX\SERVER\DEVFC.EXE
C:\WINNT\System32\dns.exe
D:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\WINNT\System32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
D:\ZFAX\SERVER\DEVPRNT.EXE
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\w3proxy.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\BacsTray.exe
C:\PROGRA~1\SAV\vptray.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Program Files\WatchGuard\controldGUI.exe
C:\Program Files\PrintKey-Pro\PKey_Pro.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\BacsTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Program Files\WatchGuard\controldGUI.exe
C:\PROGRA~1\MI1933~1\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\msagent\AgentSvr.exe
D:\Program Files\M2MWin\m2m.exe
E:\SAVClnt\savceclt.exe
C:\PROGRA~1\MI1933~1\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Documents and Settings\Administrator\Desktop\anti virus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = EFS:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Conisio Login Manager] "C:\PROGRA~1\GCS\Conisio\EDMSER~1.EXE" /runatlogin
O4 - HKCU\..\RunOnce: [_Sym_MI_] "E:\SAVClnt\savceclt.exe" /z /nosp
O4 - Startup: PrintKey-Pro.lnk = C:\Program Files\PrintKey-Pro\PKey_Pro.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WSEP Status+Configuration.lnk = D:\Program Files\WatchGuard\controldGUI.exe
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.0.1\SmrtShpr.dll
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.0.1\SmrtShpr.dll
O16 - DPF: {02E09B2E-2A03-4572-9291-69900C068564} (LCSim Control) - http://www.learnitcorp.com/cabs/lcsim.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eislogan.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B995C6C-B5F1-47FD-98A7-94DC5A5D218C}: NameServer = 192.168.0.210
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eislogan.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B995C6C-B5F1-47FD-98A7-94DC5A5D218C}: NameServer = 192.168.0.210
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eislogan.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{2B995C6C-B5F1-47FD-98A7-94DC5A5D218C}: NameServer = 192.168.0.210
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\\NavLogon.dll
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - d:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - d:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
O23 - Service: CounterSpy Policy Service - Sunbelt Software Inc. - D:\Program Files\Sunbelt Software\CounterSpy\Enterprise\PolicyService.exe
O23 - Service: CounterSpy Reporting Service - Sunbelt Software inc. - D:\Program Files\Sunbelt Software\CounterSpy\Enterprise\ReportingService.exe
O23 - Service: CounterSpy Update Service - Sunbelt Software inc. - D:\Program Files\Sunbelt Software\CounterSpy\Enterprise\UpdateService.exe
O23 - Service: Dell OpenManage Server Agent Event Monitor (dcevt32) - Dell Computer Corporation. - C:\Program Files\Dell\OpenManage\OMSA\bin\dcevt32.exe
O23 - Service: Dell OpenManage Server Agent (dcstor32) - Dell Computer Corporation. - C:\Program Files\Dell\OpenManage\OMSA\bin\dcstor32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SAV\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Microsoft H.323 Gatekeeper (GKSVC) - Unknown owner - svchost.exe (file missing)
O23 - Service: Symantec Quarantine Agent (IcePack) - IBM Corp. - D:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: Microsoft Connector for POP3 Mailboxes (MSPOP3Connector) - Unknown owner - C:\Program Files\Microsoft BackOffice\Connectivity\POP3 Connector\vmimb.exe" /SERVICE (file missing)
O23 - Service: MySql - Unknown owner - D:/MySQL/bin/mysqld-nt.exe
O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SAV\Rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - D:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: Symantec Central Quarantine (qserver) - Symantec Corporation - D:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Symantec Quarantine Scanner (ScanExplicit) - IBM Corp. - D:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
O23 - Service: Secure Port Server (Server Administrator) - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
O23 - Service: WG WebBlocker Server (WBServer) - WatchGuard Technologies, Inc. - d:\Program Files\WatchGuard\WBServer\wbserver.exe
O23 - Service: WG Security Event Processor - Unknown owner - d:\Program Files\WatchGuard\CONTROLD.EXE
O23 - Service: Zetafax Server (ZetafaxServer) - EQUISYS plc - D:\ZFAX\SERVER\SYSMAN.EXE

Edited by Ragnarok, 04 August 2005 - 01:48 PM.



#2 OldTimer


    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 04 August 2005 - 02:22 PM

Hello Ragnarok and welcome to the BC malware forum. I only see a couple of items in the log to fix so let's take care of those.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.0.1\SmrtShpr.dll
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.0.1\SmrtShpr.dll

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Find the following files/folders and delete them (don't worry if they are already gone):

C:\Program Files\ShopperReports\ <--folder
C:\PROGRAM FILES\MYWEBS~1\ <--folder (a folder whose name begins with MYWEBS)

If that does not resolve the problem then do the following:

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete, reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log (do not create the HijackThis log in Safe Mode) so I can review it.

OT

Edited by OldTimer, 04 August 2005 - 02:23 PM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
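An added example, not part of OldTimer's reply and not code from HijackThis itself, showing how the log format used throughout this thread can be parsed and triaged the way a helper reads it. Each entry line is split into its section code (R1, O4, O9, O16, O23 ...), any CLSID, any download URL and the trailing "(file missing)" marker that HijackThis appends when the referenced file no longer exists; lines from the "Running processes" section are kept as plain paths. Three review rules are then applied: a watch-list of adware names assembled from this thread (ShopperReports, the MYWEBS~1 folder, and the FunWebProducts and Hotbar user-agent strings that appear in the WinPFind output further down), O16 ActiveX downloads whose host is a bare IP address, and stale entries whose target is already gone. The sample lines are a constructed excerpt of the log posted above; the watch-list, the bare-IP rule and all function names are the example's own assumptions, not anything HijackThis or the helper defines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of a HijackThis v1.99.1 log, copied from the lines
# posted in this thread (not the complete log).
SAMPLE_LOG = r"""
Running processes:
C:\PROGRA~1\SAV\vptray.exe
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = EFS:8080
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.0.1\SmrtShpr.dll
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.0.1\SmrtShpr.dll (file missing)
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {02E09B2E-2A03-4572-9291-69900C068564} (LCSim Control) - http://www.learnitcorp.com/cabs/lcsim.cab
O23 - Service: Microsoft H.323 Gatekeeper (GKSVC) - Unknown owner - svchost.exe (file missing)
O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SAV\Rtvscan.exe
""".strip()

# "R1 - body" / "O23 - body": the section code HijackThis puts in front of every entry.
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# A line from the "Running processes" section is just a drive-letter path.
PATH_RE = re.compile(r"^[A-Za-z]:\\")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"(?:https?|file)://\S+")
# Download host written as a dotted-quad literal instead of a hostname.
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")

# Watch-list assumed for this example, built from the names this thread deals
# with; matched case-insensitively as substrings of the entry body.
ADWARE_MARKERS = ("shopperreports", "mywebs~1", "funwebproducts", "hotbar")


@dataclass
class Entry:
    kind: str            # "process" for the Running processes section, else the section code
    body: str            # text after the "Oxx - " prefix (the whole path for a process)
    clsid: Optional[str]
    url: Optional[str]
    file_missing: bool   # HijackThis appends "(file missing)" when the target path does not exist


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers and blank lines."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if m:
        kind, body = m.group("kind"), m.group("body")
    elif PATH_RE.match(line):
        kind, body = "process", line
    else:
        return None
    clsid = CLSID_RE.search(body)
    url = URL_RE.search(body)
    return Entry(kind=kind, body=body,
                 clsid=clsid.group(0) if clsid else None,
                 url=url.group(0) if url else None,
                 file_missing=body.endswith("(file missing)"))


def parse_log(text: str) -> List[Entry]:
    """Parse a whole log, skipping everything that is not an entry or a process path."""
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e is not None]


def review(entries: List[Entry]) -> List[str]:
    """Apply the three review rules; one finding string per hit."""
    findings = []
    for e in entries:
        low = e.body.lower()
        if any(marker in low for marker in ADWARE_MARKERS):
            findings.append(f"[{e.kind}] adware marker: {e.body}")
        if e.kind == "O16" and e.url and IP_HOST_RE.match(e.url):
            findings.append(f"[{e.kind}] ActiveX download from bare IP: {e.url}")
        if e.file_missing:
            findings.append(f"[{e.kind}] stale entry, target gone: {e.body}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the excerpt this reports the two ShopperReports buttons and the MYWEBS~1 process (the items the helper told the poster to remove), the one ActiveX control fetched from 216.249.24.140, and the two entries already marked "(file missing)". An entry flagged only as stale is a leftover registration with nothing behind it on disk, which is why HijackThis still lists it after the file is gone; it is worth clearing for tidiness but is not evidence of anything running.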


#3 Ragnarok

  • Topic Starter

  • Members
  • 34 posts

Posted 04 August 2005 - 03:52 PM

Thanks for the speedy reply!
I followed your instructions the best I could.
The files you said to fix in the HJT log still show up after fixing them, but it says the file is missing. I assume that is alright?

Here is the new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 3:46:08 PM, on 8/4/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
d:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
d:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
D:\Program Files\Sunbelt Software\CounterSpy\Enterprise\PolicyService.exe
C:\Program Files\Dell\OpenManage\OMSA\bin\dcevt32.exe
C:\Program Files\Dell\OpenManage\OMSA\bin\dcstor32.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
D:\MySQL\bin\mysqld-nt.exe
C:\PROGRA~1\SAV\Rtvscan.exe
D:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINNT\system32\ntfrs.exe
D:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\rsvp.exe
D:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
d:\Program Files\WatchGuard\WBServer\wbserver.exe
d:\Program Files\WatchGuard\CONTROLD.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
D:\ZFAX\SERVER\SYSMAN.EXE
D:\Program Files\Sunbelt Software\CounterSpy\Enterprise\ReportingService.exe
D:\ZFAX\SERVER\EPSTIFF.EXE
D:\ZFAX\SERVER\QM.EXE
D:\Program Files\Sunbelt Software\CounterSpy\Enterprise\UpdateService.exe
D:\ZFAX\SERVER\ADB.EXE
D:\ZFAX\SERVER\DEVFC.EXE
C:\WINNT\System32\dns.exe
D:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\WINNT\System32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
D:\ZFAX\SERVER\DEVPRNT.EXE
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\w3proxy.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\BacsTray.exe
C:\PROGRA~1\SAV\vptray.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Program Files\WatchGuard\controldGUI.exe
C:\Program Files\PrintKey-Pro\PKey_Pro.exe
E:\SAVClnt\savceclt.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\BacsTray.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Program Files\WatchGuard\controldGUI.exe
C:\PROGRA~1\MI1933~1\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\System32\logon.scr
C:\Documents and Settings\Administrator\Desktop\anti virus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = EFS:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Conisio Login Manager] "C:\PROGRA~1\GCS\Conisio\EDMSER~1.EXE" /runatlogin
O4 - HKCU\..\RunOnce: [_Sym_MI_] "E:\SAVClnt\savceclt.exe" /z /nosp
O4 - Startup: PrintKey-Pro.lnk = C:\Program Files\PrintKey-Pro\PKey_Pro.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WSEP Status+Configuration.lnk = D:\Program Files\WatchGuard\controldGUI.exe
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.0.1\SmrtShpr.dll (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.0.1\SmrtShpr.dll (file missing)
O16 - DPF: {02E09B2E-2A03-4572-9291-69900C068564} (LCSim Control) - http://www.learnitcorp.com/cabs/lcsim.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eislogan.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B995C6C-B5F1-47FD-98A7-94DC5A5D218C}: NameServer = 192.168.0.210
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eislogan.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B995C6C-B5F1-47FD-98A7-94DC5A5D218C}: NameServer = 192.168.0.210
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eislogan.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{2B995C6C-B5F1-47FD-98A7-94DC5A5D218C}: NameServer = 192.168.0.210
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\\NavLogon.dll
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - d:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - d:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
O23 - Service: CounterSpy Policy Service - Sunbelt Software Inc. - D:\Program Files\Sunbelt Software\CounterSpy\Enterprise\PolicyService.exe
O23 - Service: CounterSpy Reporting Service - Sunbelt Software inc. - D:\Program Files\Sunbelt Software\CounterSpy\Enterprise\ReportingService.exe
O23 - Service: CounterSpy Update Service - Sunbelt Software inc. - D:\Program Files\Sunbelt Software\CounterSpy\Enterprise\UpdateService.exe
O23 - Service: Dell OpenManage Server Agent Event Monitor (dcevt32) - Dell Computer Corporation. - C:\Program Files\Dell\OpenManage\OMSA\bin\dcevt32.exe
O23 - Service: Dell OpenManage Server Agent (dcstor32) - Dell Computer Corporation. - C:\Program Files\Dell\OpenManage\OMSA\bin\dcstor32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SAV\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Microsoft H.323 Gatekeeper (GKSVC) - Unknown owner - svchost.exe (file missing)
O23 - Service: Symantec Quarantine Agent (IcePack) - IBM Corp. - D:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: Microsoft Connector for POP3 Mailboxes (MSPOP3Connector) - Unknown owner - C:\Program Files\Microsoft BackOffice\Connectivity\POP3 Connector\vmimb.exe" /SERVICE (file missing)
O23 - Service: MySql - Unknown owner - D:/MySQL/bin/mysqld-nt.exe
O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SAV\Rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - D:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: Symantec Central Quarantine (qserver) - Symantec Corporation - D:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Symantec Quarantine Scanner (ScanExplicit) - IBM Corp. - D:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
O23 - Service: Secure Port Server (Server Administrator) - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
O23 - Service: WG WebBlocker Server (WBServer) - WatchGuard Technologies, Inc. - d:\Program Files\WatchGuard\WBServer\wbserver.exe
O23 - Service: WG Security Event Processor - Unknown owner - d:\Program Files\WatchGuard\CONTROLD.EXE
O23 - Service: Zetafax Server (ZetafaxServer) - EQUISYS plc - D:\ZFAX\SERVER\SYSMAN.EXE


I mentioned in my original post that I cannot get into safe mode, as the computer automatically restarts just before it asks for the login information. I apologize for not getting it done in safe mode, but for the time being I am unable to do so. I will be attempting a boot from CD in about half an hour to see if I can get in that way.

I ran WinPFind in regular mode and the results are as follows:



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 6/23/2000 12:21:16 AM 76800 C:\WINNT\SYSTEM32\acrypt32.dll
UPX! 6/23/2000 12:20:42 AM 100864 C:\WINNT\SYSTEM32\acrypt32.ocx
PECompact2 7/6/2005 9:21:30 PM 1366872 C:\WINNT\SYSTEM32\MRT.exe
aspack 7/6/2005 9:21:30 PM 1366872 C:\WINNT\SYSTEM32\MRT.exe
Umonitor 7/22/2002 2:05:04 PM 528144 C:\WINNT\SYSTEM32\RASDLG.DLL
winsync 7/26/2000 7:00:00 AM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
8/4/2005 1:17:32 PM 143370 C:\WINNT\ShellIconCache
6/23/2005 2:01:46 PM 23 C:\WINNT\yacht.xws
6/17/2005 1:21:34 PM 227 C:\WINNT\assembly\Desktop.ini
7/19/2005 9:46:16 AM 0 C:\WINNT\inf\oem16.inf
8/4/2005 2:16:52 PM 1024 C:\WINNT\system32\config\default.LOG
8/4/2005 12:58:46 AM 1024 C:\WINNT\system32\config\SECURITY.LOG
8/4/2005 3:44:30 PM 1024 C:\WINNT\system32\config\software.LOG
8/3/2005 5:48:48 PM 6 C:\WINNT\Tasks\SA.DAT

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/5/2004 12:41:32 PM 567 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
7/15/2004 5:24:34 AM 1568 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
1/22/2004 1:36:16 PM 577 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WSEP Status+Configuration.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
7/16/2004 6:42:26 PM 601 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\PrintKey-Pro.lnk
12/17/2003 9:57:02 AM 511 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WinMySQLadmin.lnk

Checking files in %USERPROFILE%\Application Data folder...
7/27/2003 6:32:20 PM 0 C:\Documents and Settings\Administrator\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
FunWebProducts =
Hotbar4.5.3.0 = Hotbar

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ConisioFileViewer
{F91AE121-7E44-11D4-911A-00C04F56B3AF} = C:\Program Files\GCS\Conisio\StartViewExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SciTE
{120B94B5-2E6A-4F13-94D0-414BCB64FA0F} = D:\Scintilla Text Editor\wscitecm.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ConisioSearch
{960495F9-F09C-4CB9-A101-A19EC6218CF0} = C:\Program Files\GCS\Conisio\StartSearchExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{946B3E9E-E21A-49c8-9F63-900533FAFE14}
ButtonText = ShopperReports - Compare travel rates :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E77EDA01-3C56-4a96-8D08-02B42891C169}
ButtonText = ShopperReports - Compare product prices :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{B195B3B3-8A05-11D3-97A4-0004ACA6948E} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{B195B3B3-8A05-11D3-97A4-0004ACA6948E} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MsmqIntCert regsvr32 /s mqrt.dll
bacstray BacsTray.exe
vptray C:\PROGRA~1\SAV\vptray.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Conisio Login Manager "C:\PROGRA~1\GCS\Conisio\EDMSER~1.EXE" /runatlogin

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
_Sym_MI_ "E:\SAVClnt\savceclt.exe" /z /nosp

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
ShowSuperHidden 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
disablecad 0
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
ForceStartMenuLogOff 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINNT\System32\\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/4/2005 3:44:53 PM

#4 OldTimer
Malware Expert
  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 04 August 2005 - 04:24 PM

Hi Ragnarok. That looks a little better. If the registry is restricted or protected in any way then HijackThis cannot fix the entries. Let's do a manual repair.

Start regedit and go to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

Delete these 2 values under this key:
FunWebProducts
Hotbar4.5.3.0

Now navigate to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions

and delete these 2 subkeys:
{946B3E9E-E21A-49c8-9F63-900533FAFE14}
{E77EDA01-3C56-4a96-8D08-02B42891C169}

Now navigate to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

and delete these keys:
{946B3E9E-E21A-49c8-9F63-900533FAFE14}
{E77EDA01-3C56-4a96-8D08-02B42891C169}

That's it. That's all I see. Reboot the machine and see how it acts.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

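The same manual repair, written up as a PowerShell audit-and-remove script. This is an added example, not OldTimer's instructions or a tool from the thread; it assumes a host where PowerShell is available (the 2005-era server in the thread would not have had it). Every registry path, value name and CLSID comes from the post above; the only additions are the `HKLM:` provider prefix and the hypothetical `-Remove` switch. Without `-Remove` it only reports what is present, so it can be run first as a read-only check.

```powershell
# Added example: audit (and, with -Remove, delete) the adware registry entries
# listed in the post above. Run from an elevated PowerShell session.
# Default behaviour is read-only; nothing is changed unless -Remove is given.
param(
    [switch]$Remove   # hypothetical switch, not from the thread
)

# Key and value names exactly as given in the post; HKLM: is the provider form.
$postPlatform   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform'
$valuesToRemove = @('FunWebProducts', 'Hotbar4.5.3.0')

$clsids   = @('{946B3E9E-E21A-49c8-9F63-900533FAFE14}',
              '{E77EDA01-3C56-4a96-8D08-02B42891C169}')
$keyRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions',
              'HKLM:\SOFTWARE\Classes\CLSID')

function Test-RegistryValue {
    # True when the named value exists under the key (even with empty data).
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $key = Get-Item -LiteralPath $Path
    return ($null -ne $key.GetValue($Name, $null))
}

# 1. The two values under User Agent\Post Platform.
foreach ($name in $valuesToRemove) {
    if (Test-RegistryValue -Path $postPlatform -Name $name) {
        Write-Output "FOUND  value '$name' under $postPlatform"
        if ($Remove) {
            Remove-ItemProperty -LiteralPath $postPlatform -Name $name -Confirm:$false
            Write-Output "       removed"
        }
    } else {
        Write-Output "absent value '$name' under $postPlatform"
    }
}

# 2. The two CLSID subkeys under IE Extensions and under Classes\CLSID.
foreach ($root in $keyRoots) {
    foreach ($clsid in $clsids) {
        $key = Join-Path -Path $root -ChildPath $clsid
        if (Test-Path -LiteralPath $key) {
            # Record what the key contains before it goes, so the console
            # transcript keeps a trace of what was removed.
            Get-Item -LiteralPath $key | Format-List -Property Name, Property
            Write-Output "FOUND  key $key"
            if ($Remove) {
                Remove-Item -LiteralPath $key -Recurse -Confirm:$false
                Write-Output "       removed"
            }
        } else {
            Write-Output "absent key $key"
        }
    }
}
```

Before running with `-Remove`, export the three parent keys with `reg export` so the change can be reversed if a legitimate entry was caught, and re-run the script afterwards: every line should read `absent`, matching the "now gone from the HJT log" check in the next post.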

#5 Ragnarok
  • Topic Starter
  • Members
  • 34 posts

Posted 05 August 2005 - 12:36 PM

Followed your final steps and those items are now gone from the HJT log. But the server issues we've been having are still there.

Can't boot into safe mode.
Desktop takes forever to load.
Symantec Antivirus is Disabled.
Retrospect will not run.

I will continue to look for solutions to these problems.

Thanks for all of your help!

#6 OldTimer
Malware Expert
  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 05 August 2005 - 01:45 PM

Hi Ragnarok. Have you tried to uninstall Norton and then reinstall it? I have instances where an update or other change to the system has caused Norton to hang, and since the main problem appears to be with Norton, it would point to that.

Try that and let me know how it turns out.

Cheers.

OT