Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Svchos1at problem - please help with HJT log


  • Please log in to reply
22 replies to this topic

#1 Panta

Panta

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:09:17 AM

Posted 07 May 2005 - 09:59 AM

Hi folks.

I have a problem very similar to this one.

I have a couple of files in my Wondows directory: Svchos11at.exe, Svchos2sat.exe and Svchost.dll - I can't get rid of them.

I ran Panda a few days ago (when I started having this problem) and it found 4 objects but couldn't fix them.

Spybot and AdAware don't seem to be able to delete them.

The problem is at a certain point during my internet connection the connection is dropped and if I doub˛e-click to reconnect again Windows tells me the connection doesn't exist and I should create a new one.

This is my HJT log, right after the last reboot:


Logfile of HijackThis v1.98.2
Scan saved at 16.50.10, on 07/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMMI\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Kataweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\SVCHOST.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [JVM0.14] C:\WINAMPA.EXE
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: DSLMON.lnk = C:\Programmi\ARESCOM\Modem Telindus Arescom ND220\dslmon.exe
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .WAV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: www.google.it
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://chat1.kataweb.it:4080/chat/data/html/misc/msichat.cab


I don't see any trace of 2 of those files I mentioned, but I checked and they're still there. HJT found the .dll but not the .exe's (unless I can't see them).

There is a Svchos1at or something like application that starts running at a certain point, I think only when I'm connected and/or browsing a web-page. If I disconnect it closes automatically - I think.

Please help! Thanks in advance.
/Fred

Edited by Panta, 07 May 2005 - 01:03 PM.


BC AdBot (Login to Remove)

 


#2 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:09:17 AM

Posted 07 May 2005 - 01:04 PM

Bump. :thumbsup:

#3 drunkndunk

drunkndunk

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:17 AM

Posted 07 May 2005 - 02:20 PM

Hi m8,

have had (about 12hrs clean now!!) the exact same problem.

Its some type of dialer that disconnects you from the internet and tries to dial a premium number via your dial-up modem. I don't have a dial up modem (usb broadband) so I was not worried about it trying to dial a premium number. It was the internet disconnects that were pissing me off. It also screwed up my internet connections.

A short term fix for this is to download asquared (a2) Have the a2 guard running and it will detect when the svchos1at.exe is trying to run. Then at least u can delete it and not get disconnected!!!

I ran the panda online scan hopefully the files it flagged got rid off it.

hope this helps

#4 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:09:17 AM

Posted 07 May 2005 - 02:23 PM

Yeah I have broadband too. I'll try it, thanks a lot man! Wish me luck. :thumbsup:

#5 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:09:17 AM

Posted 08 May 2005 - 08:30 AM

This is an updated log. Just scanned with HJT a few minutes ago. Since last time I downloaded A Squared and I have it running at the moment in guard mode. Any advice about it? Is it good?


Logfile of HijackThis v1.98.2
Scan saved at 15.28.27, on 08/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMMI\AHEAD\INCD\INCD.EXE
C:\PROGRAMMI\A2\A2GUARD.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAMMI\ARESCOM\MODEM TELINDUS ARESCOM ND220\DSLMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMMI\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Kataweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\SVCHOST.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [JVM0.14] C:\WINAMPA.EXE
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [a-squared] "C:\PROGRAMMI\A2\a2guard.exe"
O4 - Startup: DSLMON.lnk = C:\Programmi\ARESCOM\Modem Telindus Arescom ND220\dslmon.exe
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .WAV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: www.google.it
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://chat1.kataweb.it:4080/chat/data/html/misc/msichat.cab


A friend of mine said the svchost.dll file is a system one. Now HJT says it's missing, it was probably removed by A Squared because part of the dialer or something... Any ideas about this?

Thanks a lot.

#6 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:09:17 AM

Posted 08 May 2005 - 08:37 AM

One more thing: now that I'm running A Squared it sometimes tells me, when starting IE, that the browser is trying to send info over to the internet. I click the "Terminate" button, start it again and it works without any warning from A2. Maybe some wrong setting in the IE options?


Edit: Actually, now that I think about it, I think the info IE would send out would allow the dialer to work on my machine and drop my connection to try to start his own one. Is this possible?

I'm pretty confused as you can see...

Edited by Panta, 08 May 2005 - 08:44 AM.


#7 drunkndunk

drunkndunk

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:17 AM

Posted 08 May 2005 - 10:20 AM

the sytem file of svchost will be in c\windows\system or system 32.
The bad 1 will be in c\windows.

I think a2 guard will warn u at least once whenever anything is trying to get a internet connection. The 1st time I tried to connect 2 the internet a guard popped up saying file *** was trying to dial a connection. I then selected the option 'always allow this program'

I don't know much about a2.

But if u follow the procedure that I was told to do when I 1st posted, it should sort u out.

#8 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:09:17 AM

Posted 08 May 2005 - 10:34 AM

I'm not sure, my log is very different from yours. I think I need some specific help.

#9 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:09:17 AM

Posted 08 May 2005 - 04:06 PM

Anyone? :thumbsup:

#10 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:09:17 AM

Posted 09 May 2005 - 07:44 PM

I still have svchos11at.exe and svchos2sat.exe in my Wondows dir.
A2 Guard prevents the dialer to drop my connection, telling me when it's trying to do something, so I can terminate it.
But I'd like to get rid of them.
Can someone help me please and tell me what to do?
Thanks.

Edited by Panta, 09 May 2005 - 07:45 PM.


#11 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:17 PM

Posted 10 May 2005 - 11:34 AM

There is a newer version (1.99.1) of HijackThis than what you are using. Please get the new version from one of these addresses.
http://www.bleepingcomputer.com/files/hijackthis.php
http://209.133.47.12/~merijn/files/HijackThis.exe
http://www.downloads.subratam.org/hijackthis.zip
Posted Image

#12 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:09:17 AM

Posted 10 May 2005 - 06:33 PM

Ok, I've downloaded it. What are the best conditions to run it and save a log to post?

#13 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:17 PM

Posted 11 May 2005 - 05:02 AM

The best conditions to post? Just as with the other HijackThis. Start up your computer in normal mode, run HijackThis->Scan and post the log in this thread.
Posted Image

#14 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:09:17 AM

Posted 11 May 2005 - 06:14 PM

Then here goes a fresh one:

Logfile of HijackThis v1.99.1
Scan saved at 0.30.01, on 12/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMMI\AHEAD\INCD\INCD.EXE
C:\PROGRAMMI\A2\A2GUARD.EXE
C:\PROGRAMMI\ARESCOM\MODEM TELINDUS ARESCOM ND220\DSLMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Kataweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\SVCHOST.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [JVM0.14] C:\WINAMPA.EXE
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [a-squared] "C:\PROGRAMMI\A2\a2guard.exe"
O4 - Startup: DSLMON.lnk = C:\Programmi\ARESCOM\Modem Telindus Arescom ND220\dslmon.exe
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .WAV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: www.google.it
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://chat1.kataweb.it:4080/chat/data/html/misc/msichat.cab

I have no idea if this is any different from before.
Thanks for your help and sorry if I posted in the sticky before the 5 days had passed. :thumbsup:

#15 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:17 PM

Posted 12 May 2005 - 05:57 AM

Hi Panta,

Download http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html

F1 - win.ini: load=ptsnoop.exe

O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\SVCHOST.DLL (file missing)

O4 - HKLM\..\Run: [JVM0.14] C:\WINAMPA.EXE
O4 - HKLM\..\Run: [autoclk] autoclk.exe

O15 - Trusted Zone: www.google.it
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end if the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):

C:\WINAMPA.EXE
c:\WIndows\System\autoclk.exe

Restart your computer and post a new log in this thread.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users