a new hijack this report

Advertise at AfterDawn.com

Link to us!

Private messages

Compose a private message

List of all updated threads

Threads without replies

Search messages

Wednesday 3.9.2025 / 21:30

Search AfterDawn Forums:

afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > a new hijack this report

Browse by topic

Forums

Start a new thread

a new hijack this report

Jump to:

Posted

Message

john1690

Member

27. June 2007 @ 12:42

Link to this message

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:40:54, on 27/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Lorna Smith\Desktop\HiJackThis_v2.0.0.0.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://65.243.103.60/trafc-2/rfe.php?cmp...CMy%20Documents
R3 - Default URLSearchHook is missing
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 FTP.f-secure.com
O1 - Hosts: 1.1.1.1 FTP.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\gxvkixcc.dll (file missing)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\ilxmtuun.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C2CE418E-7DEC-4F98-9FB7-3C2A689742F8} - C:\WINDOWS\system32\gebabxy.dll (file missing)
O2 - BHO: (no name) - {F30F1A19-2589-47E5-AC5F-3809D6276985} - C:\WINDOWS\system32\geebc.dll (file missing)
O4 - HKLM\..\Run: [j6211333] rundll32 C:\WINDOWS\system32\j6211333.dll sook
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\cgolwebs.dll",realset
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [playholdmeowinternet] C:\Documents and Settings\All Users\Application Data\Poll Sign Play Hold\INFOOBJ.exe
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{6C37DC5A-07C8-1033-0924-02040220002c}] "C:\Program Files\Common Files\{6C37DC5A-07C8-1033-0924-02040220002c}\Update.exe" mc-110-12-0000627 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{6C37DC5A-07C8-1033-0924-02040220002c}] "C:\Program Files\Common Files\{6C37DC5A-07C8-1033-0924-02040220002c}\Update.exe" mc-110-12-0000627 (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Mes...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132
O17 - HKLM\System\CCS\Services\Tcpip\..\{1994309F-21C9-486E-BAE6-622ED23D2A62}: NameServer = 85.255.114.94,85.255.112.132
O17 - HKLM\System\CCS\Services\Tcpip\..\{4485CF84-AD92-46C2-B7B4-C7BCA4040E31}: NameServer = 85.255.114.94,85.255.112.132
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132
O17 - HKLM\System\CS2\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: gebabxy - gebabxy.dll (file missing)
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 9630 bytes

[ + quote]

Etzo

Member

29. June 2007 @ 00:46

Link to this message

Hi!

You have various adwares in your computer.

Step 1: Download and Run: VundoFix
Please download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
=======

Step 2: Download and Run FixWarout
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.
=======

Step 3: Remove bad HijackThis entries

* Run HijackThis
* Click on the Scan button
* Put a check beside all of the items listed below (if present):

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\gxvkixcc.dll (file missing)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\ilxmtuun.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C2CE418E-7DEC-4F98-9FB7-3C2A689742F8} - C:\WINDOWS\system32\gebabxy.dll (file missing)
O2 - BHO: (no name) - {F30F1A19-2589-47E5-AC5F-3809D6276985} - C:\WINDOWS\system32\geebc.dll (file missing)
O4 - HKLM\..\Run: [j6211333] rundll32 C:\WINDOWS\system32\j6211333.dll sook
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\cgolwebs.dll",realset
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [playholdmeowinternet] C:\Documents and Settings\All Users\Application Data\Poll Sign Play Hold\INFOOBJ.exe
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{6C37DC5A-07C8-1033-0924-02040220002c}] "C:\Program Files\Common Files\{6C37DC5A-07C8-1033-0924-02040220002c}\Update.exe" mc-110-12-0000627 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{6C37DC5A-07C8-1033-0924-02040220002c}] "C:\Program Files\Common Files\{6C37DC5A-07C8-1033-0924-02040220002c}\Update.exe" mc-110-12-0000627 (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132
O17 - HKLM\System\CCS\Services\Tcpip\..\{1994309F-21C9-486E-BAE6-622ED23D2A62}: NameServer = 85.255.114.94,85.255.112.132
O17 - HKLM\System\CCS\Services\Tcpip\..\{4485CF84-AD92-46C2-B7B4-C7BCA4040E31}: NameServer = 85.255.114.94,85.255.112.132
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132
O17 - HKLM\System\CS2\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132
O20 - Winlogon Notify: gebabxy - gebabxy.dll (file missing)
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)

* Close all open windows and browsers/email, etc...
* Click on the "Fix Checked" button
* When completed, close the application.

=======

Step 4: Download and Run NoLop
Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3

* First close any other programs you have running as this will require a reboot
* Double click NoLop.exe to run it.
* Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
* When scanning is finished you will be prompted to reboot only if infected, Click OK
* Now click the "REBOOT" Button.
* A Message should popup from NoLop. If not, double click the program again and it will finish.
* Please post the contents of C:\NoLop.log later.

Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to C:\WINDOWS\system32\ folder then rerun the program.
=======

Step 5: Download HostsXpretDownload HostsXpert and unzip it to your desktop.

Open HostsXpert that you earlier unzipped on your desktop

* Click "Make Hosts Writable?" upper right corner (if available)
* Click "Restore Microsoft's Original Hosts File" and then click OK
* Close HostsXpert
Note; IF you used any custom Hosts (eg. MVPS Hosts), you will have put them back manually

=======

Step 6: Post back these logfiles: fresh HijackThis log, C:\vundofix.txt, C:\fixwareout\report.txt and C:\NoLop.log

[ + quote]

Virustorjunta.net asiantuntevaa palvelua ilman peeloilua.
Hjt-lokit tänne

Start a new thread

afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > a new hijack this report


		User name	Password

		Not registered yet? Register here. Lost your password? Click here.