is this one clean?
LinuxSam
Hi! We've had a major break-in on our computers, and some are being used as warez servers... I'm forced to reinstall most of them, but if this one is clean I can clone it. This is the log from HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 22:09:18, on 2004-05-03
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program\Norman\NVC\BIN\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\Program\Canon\VDC\AuVdc.exe
C:\PROGRAM\NORMAN\Nvc\BIN\nvcoas.exe
C:\PROGRAM\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAM\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\PROGRAM\NORMAN\nvc\BIN\NJEEVES.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\Program\Delade filer\Real\Update_OB\evntsvc.exe
C:\PROGRAM\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRAM\NORMAN\Nvc\BIN\cclaw.exe
C:\PROGRAM\NORMAN\Nvc\BIN\NYMSE.EXE
C:\PROGRAM\NORMAN\Nvc\BIN\NIP.EXE
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\7-Zip\7zFMn.exe
C:\DOCUME~1\samuel\LOKALA~1\Temp\7zO3.tmp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.corpus.umu.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program\Delade filer\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program\TightVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/c...ontent/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37575.189224537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corpus.umu.se
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC8931A8-2A26-426C-88B5-166C13B595AA}: NameServer = 130.239.8.10,130.239.16.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corpus.umu.se
O17 - HKLM\System\CS1\Services\Tcpip\..\{AC8931A8-2A26-426C-88B5-166C13B595AA}: NameServer = 130.239.8.10,130.239.16.3
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corpus.umu.se
O17 - HKLM\System\CS2\Services\Tcpip\..\{AC8931A8-2A26-426C-88B5-166C13B595AA}: NameServer = 130.239.8.10,130.239.16.3

And this is the Startuplist.log:

StartupList report, 2004-05-03, 22:16:26
StartupList version: 1.52
Started from : C:\DOCUME~1\samuel\LOKALA~1\Temp\7zO3.tmp\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program\Norman\NVC\BIN\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\Program\Canon\VDC\AuVdc.exe
C:\PROGRAM\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAM\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\PROGRAM\NORMAN\nvc\BIN\NJEEVES.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\Program\Delade filer\Real\Update_OB\evntsvc.exe
C:\PROGRAM\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRAM\NORMAN\Nvc\BIN\NYMSE.EXE
C:\PROGRAM\NORMAN\Nvc\BIN\NIP.EXE
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\7-Zip\7zFMn.exe
C:\DOCUME~1\samuel\LOKALA~1\Temp\7zO3.tmp\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program\Spybot - Search & Destroy\SpybotSD.exe
C:\Program\ICQLite\ICQLite.exe
C:\Program\Delade filer\Real\Update_OB\rndal.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start-meny\Program\Autostart]
Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
SiS Tray = C:\WINNT\System32\sistray.EXE
SiS KHooker = C:\WINNT\System32\khooker.exe
TkBellExe = C:\Program\Delade filer\Real\Update_OB\evntsvc.exe -osboot
Norman ZANDA = C:\PROGRAM\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
SunJavaUpdateSched = C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
WinVNC = "C:\Program\TightVNC\WinVNC.exe" -servicehelper

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

ICQ Lite = C:\Program\ICQLite\ICQLite.exe -trayboot

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

setiathome-3.03.i386-winnt-cmdline.job

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

[Office Update Installation Engine]
InProcServer32 = C:\WINNT\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/c...ontent/opuc.cab

[OPUCatalog Class]
InProcServer32 = C:\WINNT\System32\opuc.dll
CODEBASE = http://office.microsoft.com/productupdates...ontent/opuc.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...37575.189224537

[{CEBC955E-58AF-11D2-A30A-00A0C903492B}]
CODEBASE = http://windowsupdate.microsoft.com/R1009/V...sv/actsetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 5 647 bytes


/LinuxSam
Interceptor
It looks OK, although there's a lot that doesn't need to be running, even for your networked systems.
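The log above was read by eye. As an added example (not part of the thread, and not HijackThis or StartupList code), here is a small Python triage script that applies the checks a responder would run over the O4 autostart lines and the process list before trusting a box that was used as a warez drop: autostart commands given as a bare filename (resolved through the search order at logon, so a same-named binary planted earlier in that order would run instead), anything executing from a temp directory, remote-control servers such as WinVNC that must be confirmed as intentional, and RunOnce entries, which disappear after they fire. The sample log is constructed from a subset of the thread's own lines (the RunOnce entry is the one StartupList showed, written in HijackThis O4 form), and the remote-control filename list is an assumption to extend for your environment. One caveat a practitioner would add: this version of HijackThis lists no services and no listening ports, so a log with nothing suspicious in it does not rule out a daemon installed as a service.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the thread's HijackThis/StartupList output,
# plus the RunOnce entry StartupList showed, written in HijackThis O4 form.
SAMPLE_LOG = """\
Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\Program\\TightVNC\\WinVNC.exe
C:\\DOCUME~1\\samuel\\LOKALA~1\\Temp\\7zO3.tmp\\HijackThis.exe

O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [WinVNC] "C:\\Program\\TightVNC\\WinVNC.exe" -servicehelper
O4 - HKCU\\..\\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\\..\\RunOnce: [ICQ Lite] C:\\Program\\ICQLite\\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\\Program\\Microsoft Office\\Office10\\OSA.EXE
"""

# Remote-control servers that must be confirmed as intentional on a
# compromised host (assumed, partial list; extend for your environment).
REMOTE_CONTROL = {"winvnc.exe", "winvnc4.exe", "tvnserver.exe", "vncserver.exe"}

# "O4 - <key>: [<name>] <command line>"  (registry Run/RunOnce entries)
O4_REG = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# "O4 - <folder>: <shortcut> = <target>"  (startup folder entries)
O4_FOLDER = re.compile(r"^O4 - (?P<key>[^:]+): (?P<name>[^=]+?) = (?P<cmd>.+)$")
# Program part of a command line: a quoted path, or text up to the first
# executable extension followed by whitespace/end (handles unquoted spaces).
EXE_IN_CMD = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|bat|cmd|pif|dll))(?=\s|$)', re.I)


@dataclass(frozen=True)
class Finding:
    category: str   # search-path | temp-dir | remote-control | runonce
    where: str      # registry key, startup folder, or "process"
    subject: str    # the path, filename or entry name the finding is about


def executable_of(cmd: str) -> str:
    """Return the program part of an autostart command line."""
    m = EXE_IN_CMD.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip().split()[0]


def check_path(path: str, where: str) -> list[Finding]:
    """Checks applied to one executable path from the process list or an autostart."""
    out: list[Finding] = []
    low = path.lower()
    if "\\" not in path and ":" not in path:
        # Bare filename: resolved via the search order, not a fixed location.
        out.append(Finding("search-path", where, path))
    if "\\temp\\" in low or "\\tmp\\" in low:
        out.append(Finding("temp-dir", where, path))
    if low.rsplit("\\", 1)[-1] in REMOTE_CONTROL:
        out.append(Finding("remote-control", where, path))
    return out


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis-style log; return findings from processes and O4 lines."""
    findings: list[Finding] = []
    in_procs = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if not line:                      # blank line ends the process list
            in_procs = False
            continue
        if in_procs:
            findings += check_path(line, "process")
            continue
        m = O4_REG.match(line) or O4_FOLDER.match(line)
        if not m:
            continue
        key, cmd = m.group("key"), m.group("cmd")
        findings += check_path(executable_of(cmd), key)
        if "runonce" in key.lower():
            findings.append(Finding("runonce", key, m.group("name").strip()))
    return findings


def report(log_text: str) -> str:
    """One line per finding, for pasting into a ticket."""
    lines = [f"{f.category:<15} {f.where:<22} {f.subject}" for f in triage(log_text)]
    return "\n".join(lines) or "no findings"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample it reports six items: the two bare-filename Run entries (mobsync.exe, ctfmon.exe), WinVNC both as a running process and as a Run entry, HijackThis itself executing from the user's Temp directory (expected here, since it was run from the 7-Zip extraction folder, but the same check catches a dropped binary), and the ICQ Lite RunOnce entry. The script is a filter for what to look at, not a verdict; each hit still has to be confirmed against the host.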
LinuxSam
Well, I have installed ZoneAlarm on that one now and upgraded things, and I hope to be able to clone it for use on the other computers later... What services can I shut down?

What we do is mount a lot of shares from a Samba server, and we have some networked printers... Other than that we don't use much. But it's hard to know what can be shut down.

/LinuxSam -- who thinks Linux is easier...
Interceptor
TkBellExe (Evntsvc.exe/Realsched.exe)
Real Networks Scheduler which gets installed with RealOne Player. Under Win9x/ME this task shows as TKBELLEXE, and as EVNTSVC under Windows 2000/XP or REALSCHED depending on which version of RealOne Player you have installed. From our experience, everything that applies to EVNTSVC below also applies to REALSCHED. RNDAL elsewhere in these Task List pages is a good starting point to read about RealOne Player.

Next, a 15-Jun-2002 extract from the RealOne Player License Agreement that is specific to EVNTSVC (the said License Agreement was updated on 25-Nov-2002 by Real Networks and EVNTSVC was replaced by REALSCHED in that version of the License Agreement):

"An application Scheduler, known as "evntsvc.exe," is installed along with RealOne Player. Once installed, it runs independently of RealOne Player. The Scheduler does not collect personal information or communicate with RealNetworks' servers. It is used to remind AutoUpdate and Message Center to perform their tasks at pre-scheduled intervals. The Scheduler is also used to automatically launch RealNetworks' Media Type Helper. The Media Type Helper ensures the system is configured for correct operation of the RealOne Player with Multi-Purpose Internet Mail Extensions ("MIME") types, file extensions, Internet protocols and other media types. If a media type has been assigned a different action by a different application, Media Type Helper may override the association and substitute its own association."

EVNTSVC slows down boot-ups unacceptably, using up to 90% of CPU time at times. There have also been reports of EVNTSVC dropping advertising shortcuts onto the desktop during idle times. If you absolutely want to keep RealOne Player, we suggest you rename EVNTSVC.EXE to EVNTSVC.EXE.OLD (or REALSCHED.EXE to REALSCHED.OLD), as that is the only way to make absolutely certain that it never runs, and RealOne Player works fine without it.

CTFMon.exe
CTFMon comes with Microsoft Office XP and Windows XP. It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. As long as Text Services & Speech are enabled in the Control Panel, this program will force itself back into your list of background programs.

Disable "Text Services & Speech" in the Control Panel if you are not using them. Then disable CTFMon using Startup Manager. (Note that if you use Word, Excel or PowerPoint to write in different languages, e.g. English and Arabic, then you will be using the "Text Services & Speech" facilities.)

KHooker.exe
SiS Keyboard Daemon. System Tray utility which gets installed by the drivers of the latter-day SiS VGA cards. The utility itself is not of much use in our opinion and may occasionally be contributing to Windows startup problems, although we have not been able to establish this for certain.

JUSched.exe
Sun Java Runtime Update Scheduler. This task will appear in your Task List if you have the Sun Java runtime installed and it is configured to automatically look for updates. This task was first introduced in version 1.4.2 of the Sun Java Runtime and, at the time of writing (11-Dec-2003), runs only on Windows NT4/2000/XP/2003. For the layman: Java is nowadays an essential piece of software for your browser, as there are many web pages which use Java to display information.

We always recommend against having any software update itself automatically, even if it prompts the user before applying updates. Stay in control of your PC and disable this task as follows: double-click on the Java plug-in icon in the Control Panel, go to the Update tab, uncheck "Check for updates automatically" and click APPLY. This will stop JUSCHED from starting at boot-up. If you want to update Sun Java at a later stage, simply go back to the same Java plug-in icon in the Control Panel, to the "Update" tab, and click the Update Now button.