Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 21:40:54, on 27/06/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE C:\WINDOWS\explorer.exe C:\Documents and Settings\Lorna Smith\Desktop\HiJackThis_v2.0.0.0.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://65.243.103.60/trafc-2/rfe.ph...cuments and Settings\Lorna Smith\My Documents R3 - Default URLSearchHook is missing O1 - Hosts: 1.1.1.1 f-secure.com O1 - Hosts: 1.1.1.1 www.f-secure.com O1 - Hosts: 1.1.1.1 ftp.f-secure.com O1 - Hosts: 1.1.1.1 ftp.sophos.com O1 - Hosts: 1.1.1.1 liveupdate.symantec.com O1 - Hosts: 1.1.1.1 customer.symantec.com O1 - Hosts: 1.1.1.1 dispatch.mcafee.com O1 - Hosts: 1.1.1.1 download.mcafee.com O1 - Hosts: 1.1.1.1 rads.mcafee.com O1 - Hosts: 1.1.1.1 mast.mcafee.com O1 - Hosts: 1.1.1.1 my-etrust.com O1 - Hosts: 1.1.1.1 www.my-etrust.com O1 - Hosts: 1.1.1.1 nai.com O1 - Hosts: 1.1.1.1 www.nai.com O1 - Hosts: 1.1.1.1 networkassociates.com O1 - Hosts: 1.1.1.1 secure.nai.com O1 - Hosts: 1.1.1.1 securityresponse.symantec.com O1 - Hosts: 1.1.1.1 service1.symantec.com O1 - Hosts: 1.1.1.1 sophos.com O1 - Hosts: 1.1.1.1 www.sophos.com O1 - Hosts: 1.1.1.1 support.microsoft.com O1 - Hosts: 1.1.1.1 symantec.com O1 - Hosts: 1.1.1.1 www.symantec.com O1 - Hosts: 1.1.1.1 update.symantec.com O1 - Hosts: 1.1.1.1 updates.symantec.com O1 - Hosts: 1.1.1.1 us.mcafee.com O1 - Hosts: 1.1.1.1 vil.nai.com O1 - Hosts: 1.1.1.1 viruslist.com O1 - Hosts: 1.1.1.1 www.viruslist.com O1 - Hosts: 1.1.1.1 grisoft.com O1 - Hosts: 1.1.1.1 www.grisoft.com O1 - Hosts: 1.1.1.1 free.grisoft.com O1 - Hosts: 1.1.1.1 trendmicro.com O1 - Hosts: 1.1.1.1 housecall.trendmicro.com O1 - Hosts: 1.1.1.1 www.trendmicro.com O1 - Hosts: 1.1.1.1 pandasoftware.com O1 - Hosts: 1.1.1.1 www.pandasoftware.com O1 - Hosts: 1.1.1.1 usa.kaspersky.com O1 - Hosts: 1.1.1.1 ewido.net O1 - Hosts: 1.1.1.1 www.ewido.net O1 - Hosts: 1.1.1.1 zonelabs.com O1 - Hosts: 1.1.1.1 www.zonelabs.com O1 - Hosts: 1.1.1.1 bitdefender.com O1 - Hosts: 1.1.1.1 www.bitdefender.com O1 - Hosts: 1.1.1.1 download.bitdefender.com O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com O1 - Hosts: 1.1.1.1 spywareinfo.com O1 - Hosts: 1.1.1.1 www.spywareinfo.com O1 - Hosts: 1.1.1.1 merijn.org O1 - Hosts: 1.1.1.1 www.merijn.org O1 - Hosts: 1.1.1.1 sysinternals.com O1 - Hosts: 1.1.1.1 www.sysinternals.com O1 - Hosts: 1.1.1.1 onguardonline.gov O1 - Hosts: 1.1.1.1 www.onguardonline.gov O1 - Hosts: 1.1.1.1 avast.com O1 - Hosts: 1.1.1.1 www.avast.com O1 - Hosts: 1.1.1.1 safety.live.com O1 - Hosts: 1.1.1.1 www.paretologic.com O1 - Hosts: 1.1.1.1 paretologic.com O1 - Hosts: 1.1.1.1 virusscan.jotti.org O1 - Hosts: 1.1.1.1 services.google.com O1 - Hosts: 1.1.1.1 www.webroot.com O1 - Hosts: 1.1.1.1 webroot.com O2 - BHO: (no name) - AutorunsDisabled - (no file) O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\gxvkixcc.dll (file missing) O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\ilxmtuun.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: (no name) - {C2CE418E-7DEC-4F98-9FB7-3C2A689742F8} - C:\WINDOWS\system32\gebabxy.dll (file missing) O2 - BHO: (no name) - {F30F1A19-2589-47E5-AC5F-3809D6276985} - C:\WINDOWS\system32\geebc.dll (file missing) O4 - HKLM\..\Run: [j6211333] rundll32 C:\WINDOWS\system32\j6211333.dll sook O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\cgolwebs.dll",realset O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [playholdmeowinternet] C:\Documents and Settings\All Users\Application Data\Poll Sign Play Hold\INFOOBJ.exe O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{6C37DC5A-07C8-1033-0924-02040220002c}] "C:\Program Files\Common Files\{6C37DC5A-07C8-1033-0924-02040220002c}\Update.exe" mc-110-12-0000627 (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{6C37DC5A-07C8-1033-0924-02040220002c}] "C:\Program Files\Common Files\{6C37DC5A-07C8-1033-0924-02040220002c}\Update.exe" mc-110-12-0000627 (User 'Default user') O4 - Global Startup: AutorunsDisabled O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - AutorunsDisabled - (no file) O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132 O17 - HKLM\System\CCS\Services\Tcpip\..\{1994309F-21C9-486E-BAE6-622ED23D2A62}: NameServer = 85.255.114.94,85.255.112.132 O17 - HKLM\System\CCS\Services\Tcpip\..\{4485CF84-AD92-46C2-B7B4-C7BCA4040E31}: NameServer = 85.255.114.94,85.255.112.132 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132 O17 - HKLM\System\CS1\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132 O17 - HKLM\System\CS2\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132 O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll O20 - Winlogon Notify: gebabxy - gebabxy.dll (file missing) O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing) O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- End of file - 9630 bytes
Hi! You have various adwares in your computer. Step 1: Download and Run: VundoFix Please download VundoFix.exe to your desktop. * Double-click VundoFix.exe to run it. * Click the Scan for Vundo button. * Once it's done scanning, click the Remove Vundo button. * You will receive a prompt asking if you want to remove the files, click YES * Once you click yes, your desktop will go blank as it starts removing Vundo. * When completed, it will prompt that it will reboot your computer, click OK. * Please post the contents of C:\vundofix.txt and a new HiJackThis log. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. ======= Step 2: Download and Run FixWarout Please download FixWareout from one of these sites: http://downloads.subratam.org/Fixwareout.exe http://download.bleepingcomputer.com/lonny/Fixwareout.exe Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. At the end of the fix, you may need to restart your computer again. ======= Step 3: Remove bad HijackThis entries * Run HijackThis * Click on the Scan button * Put a check beside all of the items listed below (if present): R3 - Default URLSearchHook is missing O2 - BHO: (no name) - AutorunsDisabled - (no file) O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\gxvkixcc.dll (file missing) O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\ilxmtuun.dll (file missing) O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: (no name) - {C2CE418E-7DEC-4F98-9FB7-3C2A689742F8} - C:\WINDOWS\system32\gebabxy.dll (file missing) O2 - BHO: (no name) - {F30F1A19-2589-47E5-AC5F-3809D6276985} - C:\WINDOWS\system32\geebc.dll (file missing) O4 - HKLM\..\Run: [j6211333] rundll32 C:\WINDOWS\system32\j6211333.dll sook O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\cgolwebs.dll",realset O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe O4 - HKLM\..\Run: [playholdmeowinternet] C:\Documents and Settings\All Users\Application Data\Poll Sign Play Hold\INFOOBJ.exe O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{6C37DC5A-07C8-1033-0924-02040220002c}] "C:\Program Files\Common Files\{6C37DC5A-07C8-1033-0924-02040220002c}\Update.exe" mc-110-12-0000627 (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{6C37DC5A-07C8-1033-0924-02040220002c}] "C:\Program Files\Common Files\{6C37DC5A-07C8-1033-0924-02040220002c}\Update.exe" mc-110-12-0000627 (User 'Default user') O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132 O17 - HKLM\System\CCS\Services\Tcpip\..\{1994309F-21C9-486E-BAE6-622ED23D2A62}: NameServer = 85.255.114.94,85.255.112.132 O17 - HKLM\System\CCS\Services\Tcpip\..\{4485CF84-AD92-46C2-B7B4-C7BCA4040E31}: NameServer = 85.255.114.94,85.255.112.132 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132 O17 - HKLM\System\CS1\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132 O17 - HKLM\System\CS2\Services\Tcpip\..\{0DD02633-997E-4946-9107-9ED7B5B99CCA}: NameServer = 85.255.114.94,85.255.112.132 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132 O20 - Winlogon Notify: gebabxy - gebabxy.dll (file missing) O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing) * Close all open windows and browsers/email, etc... * Click on the "Fix Checked" button * When completed, close the application. ======= Step 4: Download and Run NoLop Please Download NoLop to your desktop from one of the links below... Link 1 Link 2 Link 3 * First close any other programs you have running as this will require a reboot * Double click NoLop.exe to run it. * Now click the button labelled "Search and Destroy" <<your computer will now be scanned for infected files>> * When scanning is finished you will be prompted to reboot only if infected, Click OK * Now click the "REBOOT" Button. * A Message should popup from NoLop. If not, double click the program again and it will finish. * Please post the contents of C:\NoLop.log later. Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to C:\WINDOWS\system32\ folder then rerun the program. ======= Step 5: Download HostsXpretDownload HostsXpert and unzip it to your desktop. Open HostsXpert that you earlier unzipped on your desktop * Click "Make Hosts Writable?" upper right corner (if available) * Click "Restore Microsoft's Original Hosts File" and then click OK * Close HostsXpert Note; IF you used any custom Hosts (eg. MVPS Hosts), you will have put them back manually ======= Step 6: Post back these logfiles: fresh HijackThis log, C:\vundofix.txt, C:\fixwareout\report.txt and C:\NoLop.log
