| Thread ID: 70319 | 2006-06-29 04:48:00 | HJT Log Help Please | J ZEP (336) | Press F1 |
| Post ID | Timestamp | Content | User |
| 467055 | 2006-06-29 04:48:00 | Hi all, have a friend's system here, have done all the usual scans etc... everything comes up clean, however I am noticing constant traffic activity when connected to the net. ZA can tell me it's a "generic host process..." - can't work out what's causing this (obviously a service). I have been through the HJT log, looks reasonably OK, also done the online analysis for the HJT log which tells me everything is safe???, however I see a couple of things which I would like/hope somebody can advise me about. Many thanks :). Hopefully something stands out to you HJT pros! System is a Dell Dimension 3000 XP SP2. They use broadband and I am on dialup, so as I don't know what's necessary for b/b, want to be a little careful so her b/b connects normal etc... i.e. unsure of these???: | J ZEP (336) |

```
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
```

```
Logfile of HijackThis v1.99.1
Scan saved at 3:20:36 p.m., on 29/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://xtra.co.nz/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - messenger.zone.msn.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
```
| 467056 | 2006-06-29 11:46:00 | Hi J ZEP :) I'm a bit too tired to have a look at this tonight, but if you haven't had a reply by tomorrow I'll check it out for you. | FoxyMX (5) |
| 467057 | 2006-06-29 11:50:00 | "Generic host process" is normal. Provided the "internet server" in ZA has a red X in it, it will be fine. Most likely the PC is doing Windows updates. | tweak'e (69) |
| 467058 | 2006-06-29 13:01:00 | For HJT log analysis, check out my signature. Cheers :) | Renmoo (66) |
| 467059 | 2006-06-29 14:12:00 | Seems like some redundant advice you're giving there James... (quoting J ZEP: "...done the online analysis for the hjt log which tell me everything safe???...") | roddy_boy (4115) |
| 467060 | 2006-06-29 20:48:00 | (quoting roddy_boy: "Seems like some redundant advice you're giving there James...") Well seen Roddy. | Cicero (40) |
| 467061 | 2006-06-29 23:53:00 | Thanks guys, further to what I have already mentioned, it doesn't appear to be Win updates, as I can see when it's doing that check (and I ruled out what I thought would be the obvious culprits initially), and it is right up to date with Win updates... (It just appears to go on and on with activity unless I block it in ZA again, after connecting). I have left access to the server in ZA blocked from day one, however the prob arises from the "access to internet", as of course if I block that (svchost.exe) I can't use the browser etc... as it's blocking net access... Funny thing is I came across something very similar about 6 months back on a PBell system, the only solution in the end was formatting etc... :groan: I keep hoping I am missing something simple... Any more suggestions please, Thanks guys :). | J ZEP (336) |
| 467062 | 2006-06-30 01:45:00 | The O21 is ok..... Windows Portable Device Shell Service Object, and the O23... Intel Corporation is also ok to leave. | Pancake (6359) |
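As an added example (not code from this thread or from HijackThis itself), a small Python triage script that parses HijackThis entry lines like the O21/O23 ones asked about above and flags what a log reviewer would look at first: auto-start binaries living outside the Windows and Program Files trees, and BHOs with no name. The sample log is constructed from lines in the posted log plus one made-up HKCU Run entry in a Temp folder to exercise the path check; the "trusted" directory list is an assumption for XP-era systems.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted above, plus
# one made-up HKCU Run entry in a Temp folder (not from the posted log) to
# show what the path check catches.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:20:36 p.m., on 29/06/2006
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\upd.exe
"""

# HijackThis entries start with a section tag (R0, O2, O4, O23 ...) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First Windows path ending in an executable/library extension in the entry.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|cpl|scr)", re.IGNORECASE)
# Assumed normal install locations on XP; an auto-start item loaded from
# elsewhere (Temp, the user profile, the root of C:) deserves a closer look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_entries(log_text):
    """Yield (section, detail) for each HijackThis entry line, skipping the header."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return (section, detail, reason) for entries a reviewer should check first."""
    findings = []
    for section, detail in parse_entries(log_text):
        path = PATH_RE.search(detail)
        if path and not path.group(0).lower().startswith(TRUSTED_PREFIXES):
            findings.append((section, detail, "binary outside Windows/Program Files: " + path.group(0)))
        elif section == "O2" and "(no name)" in detail.lower():
            findings.append((section, detail, "BHO with no name: verify the CLSID and file"))
    return findings


if __name__ == "__main__":
    for section, detail, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {detail}")
```

On the sample, the unnamed Spybot BHO is reported for manual verification and the made-up Temp-folder Run entry is reported for its location; the O21 and O23 entries from the thread pass, matching Pancake's reading.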
| 467063 | 2006-06-30 03:08:00 | (quoting Pancake: "The 021 ok..... Windows Portable Device Shell Service Object and 023... Intel Corporation is also ok to leave") "Windows Portable Device Shell Service Object" - Of course... Thanks Pancake :), I was having trouble defining exactly what that was. I will probably do a clean install, as she has only just bought this system (second hand), so I guess it would be a good start for her. I wasn't going to bother, as it "looks" really clean and uncluttered, and downloading the post-SP2 updates again will take forever on my dialup connection to reinstall... I am really at a loss as to what's causing all the activity though? Thanks guys :) | J ZEP (336) |
| 467064 | 2006-06-30 04:43:00 | (quoting J ZEP: "I will probably do a clean install, as she has only just brought this system (second hand), so i guess it would be a good start for her. I wasn't going to bother, as it "looks" really clean and uncluttered, and downloading the post SP2 updates again will take forever on my dialup connection to reinstall... I am really at a loss as to whats causing all the activity though?") Formatting and reinstalling would be a good idea. There are key logging programs that are able to hide themselves very well and remain undetected by AV programs, firewalls and trojan scanners, so you would be wise to be wary, especially with a second-hand PC. | FoxyMX (5) |