Hello, anyone spot anything amiss here?

Discussion in 'adware, spyware & hijack cleaning' started by ghinzani, Jun 6, 2004.

Thread Status:
Not open for further replies.
  1. ghinzani

    ghinzani Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    1
    I regularly run Spybot and Ad-aware but still seem to have problems - anything obvious here? The ones I wonder about are umonit and svchost - there always seem to be a few of these running. Thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 14:46:48, on 06/06/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\umonit.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\beaver.ZEN\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi1.ebay.co.uk/aw-cgi/ebayI...&p1=0&p2=0&p3=0&p4=0&p5=0&ssPageName=MerchMax
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btinternet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
    O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com/
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38084.9748842593
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi ghinzani,

    Before you start move unzip hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. These will now end up on your desktop.

    Check the following item in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\svchost.exe <= NOTE: do NOT attempt to delete C:\WINDOWS\system32\svchost.exe (which is the real Windows file)

    Update Windows and IE at your earliest convenience.

    When you are done, run HijackThis again and post the new log, so we can see if it all worked out as planned.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.