1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

a new hijack this report

Discussion in 'Windows - Virus and spyware problems' started by john1690, Jun 27, 2007.

  1. john1690

    john1690 Regular member

    Joined:
    Nov 7, 2005
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    26
    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 21:40:54, on 27/06/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Lorna Smith\Desktop\HiJackThis_v2.0.0.0.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://65.243.103.60/trafc-2/rfe.ph...cuments and Settings\Lorna Smith\My Documents
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 1.1.1.1 f-secure.com
    O1 - Hosts: 1.1.1.1 www.f-secure.com
    O1 - Hosts: 1.1.1.1 ftp.f-secure.com
    O1 - Hosts: 1.1.1.1 ftp.sophos.com
    O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
    O1 - Hosts: 1.1.1.1 customer.symantec.com
    O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
    O1 - Hosts: 1.1.1.1 download.mcafee.com
    O1 - Hosts: 1.1.1.1 rads.mcafee.com
    O1 - Hosts: 1.1.1.1 mast.mcafee.com
    O1 - Hosts: 1.1.1.1 my-etrust.com
    O1 - Hosts: 1.1.1.1 www.my-etrust.com
    O1 - Hosts: 1.1.1.1 nai.com
    O1 - Hosts: 1.1.1.1 www.nai.com
    O1 - Hosts: 1.1.1.1 networkassociates.com
    O1 - Hosts: 1.1.1.1 secure.nai.com
    O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
    O1 - Hosts: 1.1.1.1 service1.symantec.com
    O1 - Hosts: 1.1.1.1 sophos.com
    O1 - Hosts: 1.1.1.1 www.sophos.com
    O1 - Hosts: 1.1.1.1 support.microsoft.com
    O1 - Hosts: 1.1.1.1 symantec.com
    O1 - Hosts: 1.1.1.1 www.symantec.com
    O1 - Hosts: 1.1.1.1 update.symantec.com
    O1 - Hosts: 1.1.1.1 updates.symantec.com
    O1 - Hosts: 1.1.1.1 us.mcafee.com
    O1 - Hosts: 1.1.1.1 vil.nai.com
    O1 - Hosts: 1.1.1.1 viruslist.com
    O1 - Hosts: 1.1.1.1 www.viruslist.com
    O1 - Hosts: 1.1.1.1 grisoft.com
    O1 - Hosts: 1.1.1.1 www.grisoft.com
    O1 - Hosts: 1.1.1.1 free.grisoft.com
    O1 - Hosts: 1.1.1.1 trendmicro.com
    O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
    O1 - Hosts: 1.1.1.1 www.trendmicro.com
    O1 - Hosts: 1.1.1.1 pandasoftware.com
    O1 - Hosts: 1.1.1.1 www.pandasoftware.com
    O1 - Hosts: 1.1.1.1 usa.kaspersky.com
    O1 - Hosts: 1.1.1.1 ewido.net
    O1 - Hosts: 1.1.1.1 www.ewido.net
    O1 - Hosts: 1.1.1.1 zonelabs.com
    O1 - Hosts: 1.1.1.1 www.zonelabs.com
    O1 - Hosts: 1.1.1.1 bitdefender.com
    O1 - Hosts: 1.1.1.1 www.bitdefender.com
    O1 - Hosts: 1.1.1.1 download.bitdefender.com
    O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
    O1 - Hosts: 1.1.1.1 spywareinfo.com
    O1 - Hosts: 1.1.1.1 www.spywareinfo.com
    O1 - Hosts: 1.1.1.1 merijn.org
    O1 - Hosts: 1.1.1.1 www.merijn.org
    O1 - Hosts: 1.1.1.1 sysinternals.com
    O1 - Hosts: 1.1.1.1 www.sysinternals.com
    O1 - Hosts: 1.1.1.1 onguardonline.gov
    O1 - Hosts: 1.1.1.1 www.onguardonline.gov
    O1 - Hosts: 1.1.1.1 avast.com
    O1 - Hosts: 1.1.1.1 www.avast.com
    O1 - Hosts: 1.1.1.1 safety.live.com
    O1 - Hosts: 1.1.1.1 www.paretologic.com
    O1 - Hosts: 1.1.1.1 paretologic.com
    O1 - Hosts: 1.1.1.1 virusscan.jotti.org
    O1 - Hosts: 1.1.1.1 services.google.com
    O1 - Hosts: 1.1.1.1 www.webroot.com
    O1 - Hosts: 1.1.1.1 webroot.com
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\gxvkixcc.dll (file missing)
    O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\ilxmtuun.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {C2CE418E-7DEC-4F98-9FB7-3C2A689742F8} - C:\WINDOWS\system32\gebabxy.dll (file missing)
    O2 - BHO: (no name) - {F30F1A19-2589-47E5-AC5F-3809D6276985} - C:\WINDOWS\system32\geebc.dll (file missing)
    O4 - HKLM\..\Run: [j6211333] rundll32 C:\WINDOWS\system32\j6211333.dll sook
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\cgolwebs.dll",realset
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [playholdmeowinternet] C:\Documents and Settings\All Users\Application Data\Poll Sign Play Hold\INFOOBJ.exe
    O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{6C37DC5A-07C8-1033-0924-02040220002c}] "C:\Program Files\Common Files\{6C37DC5A-07C8-1033-0924-02040220002c}\Update.exe" mc-110-12-0000627 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{6C37DC5A-07C8-1033-0924-02040220002c}] "C:\Program Files\Common Files\{6C37DC5A-07C8-1033-0924-02040220002c}\Update.exe" mc-110-12-0000627 (User 'Default user')
    O4 - Global Startup: AutorunsDisabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1994309F-21C9-486E-BAE6-622ED23D2A62}: NameServer = 85.255.114.94,85.255.112.132
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4485CF84-AD92-46C2-B7B4-C7BCA4040E31}: NameServer = 85.255.114.94,85.255.112.132
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132
    O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
    O20 - Winlogon Notify: gebabxy - gebabxy.dll (file missing)
    O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

    --
    End of file - 9630 bytes
     
    john1690, Jun 27, 2007
    #1
  2. Etzo

    Etzo Regular member

    Joined:
    Feb 8, 2007
    Messages:
    489
    Likes Received:
    0
    Trophy Points:
    26
    Hi!

    You have various adwares in your computer.

    Step 1: Download and Run: VundoFix
    Please download VundoFix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * Click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
    =======

    Step 2: Download and Run FixWarout
    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://download.bleepingcomputer.com/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    At the end of the fix, you may need to restart your computer again.
    =======

    Step 3: Remove bad HijackThis entries

    * Run HijackThis
    * Click on the Scan button
    * Put a check beside all of the items listed below (if present):

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\gxvkixcc.dll (file missing)
    O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\ilxmtuun.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {C2CE418E-7DEC-4F98-9FB7-3C2A689742F8} - C:\WINDOWS\system32\gebabxy.dll (file missing)
    O2 - BHO: (no name) - {F30F1A19-2589-47E5-AC5F-3809D6276985} - C:\WINDOWS\system32\geebc.dll (file missing)
    O4 - HKLM\..\Run: [j6211333] rundll32 C:\WINDOWS\system32\j6211333.dll sook
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\cgolwebs.dll",realset
    O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
    O4 - HKLM\..\Run: [playholdmeowinternet] C:\Documents and Settings\All Users\Application Data\Poll Sign Play Hold\INFOOBJ.exe
    O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{6C37DC5A-07C8-1033-0924-02040220002c}] "C:\Program Files\Common Files\{6C37DC5A-07C8-1033-0924-02040220002c}\Update.exe" mc-110-12-0000627 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{6C37DC5A-07C8-1033-0924-02040220002c}] "C:\Program Files\Common Files\{6C37DC5A-07C8-1033-0924-02040220002c}\Update.exe" mc-110-12-0000627 (User 'Default user')
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1994309F-21C9-486E-BAE6-622ED23D2A62}: NameServer = 85.255.114.94,85.255.112.132
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4485CF84-AD92-46C2-B7B4-C7BCA4040E31}: NameServer = 85.255.114.94,85.255.112.132
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132
    O20 - Winlogon Notify: gebabxy - gebabxy.dll (file missing)
    O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)

    * Close all open windows and browsers/email, etc...
    * Click on the "Fix Checked" button
    * When completed, close the application.

    =======

    Step 4: Download and Run NoLop
    Please Download NoLop to your desktop from one of the links below...
    Link 1
    Link 2
    Link 3

    * First close any other programs you have running as this will require a reboot
    * Double click NoLop.exe to run it.
    * Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
    * When scanning is finished you will be prompted to reboot only if infected, Click OK
    * Now click the "REBOOT" Button.
    * A Message should popup from NoLop. If not, double click the program again and it will finish.
    * Please post the contents of C:\NoLop.log later.

    Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to C:\WINDOWS\system32\ folder then rerun the program.
    =======

    Step 5: Download HostsXpretDownload HostsXpert and unzip it to your desktop.

    Open HostsXpert that you earlier unzipped on your desktop

    * Click "Make Hosts Writable?" upper right corner (if available)
    * Click "Restore Microsoft's Original Hosts File" and then click OK
    * Close HostsXpert
    Note; IF you used any custom Hosts (eg. MVPS Hosts), you will have put them back manually

    =======

    Step 6: Post back these logfiles: fresh HijackThis log, C:\vundofix.txt, C:\fixwareout\report.txt and C:\NoLop.log
     
    Etzo, Jun 29, 2007
    #2

Share This Page