HJT Log for review


Hi guys. The following HJT log is from one of our users that is too shy to post it here for review. So I'm posting it for him. This is not my log. His original log was littered with spyware and other nasties, including a couple of Trojans :shock: . He's tried to clean it up some, and wants some opinions.

Comments please?

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:27:17, on 31.3.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss[Caution]
C:\WINDOWS\system32\winlogon[Caution]
C:\WINDOWS\system32\services[Caution]
C:\WINDOWS\system32\lsass[Caution]
C:\WINDOWS\system32\svchost[Caution]
C:\WINDOWS\System32\svchost[Caution]
C:\WINDOWS\system32\ZoneLabs\vsmon[Caution]
C:\WINDOWS\system32\spoolsv[Caution]
C:\Program Files\Alwil Software\Avast4\aswUpdSv[Caution]
C:\Program Files\Alwil Software\Avast4\ashServ[Caution]
C:\Program Files\Alwil Software\Avast4\ashMaiSv[Caution]
C:\Program Files\Alwil Software\Avast4\ashWebSv[Caution]
C:\Program Files\Java\jre1.5.0_11\bin\jusched[Caution]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp[Caution]
C:\Program Files\Winamp\winampa[Caution]
C:\Program Files\Zone Labs\ZoneAlarm\zlclient[Caution]
C:\Program Files\MSN Messenger\MsnMsgr[Caution]
C:\Program Files\MSN Messenger\usnsvc[Caution]
C:\Program Files\Mozilla Firefox\firefox[Caution]
C:\Documents and Settings\Teemu\Työpöytä\HiJackThis_v2[Caution]

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\nmeinsxh.dll
O2 - BHO: (no name) - {5FC32D8B-6888-4C33-88FD-C6996BB61C1C} - C:\WINDOWS\System32\gebcc.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\System32\qomjjjg.dll
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate[Caution] /auto
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched[Caution]"
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates[Caution] /auto
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp[Caution]
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa[Caution]
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient[Caution]"
O4 - HKLM\..\Run: [soundService] rundll32[Caution] "C:\WINDOWS\System32\lqrhthbd.dll",setvm
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr[Caution]" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine[Caution]" boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175253790968
O20 - Winlogon Notify: gebcc - C:\WINDOWS\System32\gebcc.dll
O20 - Winlogon Notify: qomjjjg - C:\WINDOWS\SYSTEM32\qomjjjg.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv[Caution]
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ[Caution]
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv[Caution]
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv[Caution]
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin[Caution]
O23 - Service: Tapahtumaloki (Eventlog) - Unknown owner - C:\WINDOWS\system32\services[Caution]
O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi[Caution]
O23 - Service: NetMeeting etätyöpöydän jakaminen (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc[Caution]
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services[Caution]
O23 - Service: Etätyöpöydän ohjeen istunnonhallinta (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr[Caution]
O23 - Service: Älykortti (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr[Caution]
O23 - Service: Resurssilokit ja -hälytykset (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc[Caution]
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon[Caution]
O23 - Service: Aseman tilannevedos (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc[Caution]
O23 - Service: WMI resurssisovitin (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv[Caution]

Remember, the SEARCH button is your friend. Use it!

Unless it's a foreign version, the foreign stuff seems highly suspicious.

The BHOs (O2s) seem very suspicious:

First one http://www.castlecops.com/tk32250-no_name.html - yes, it's bad.

Second one, gebcc.dll is identified as "winfixer" - badware.

3rd one, no solid identification, but the GUID seems to have many bad references, and a pretty nonsense filename.

Out of time now, but I don't like the look of the winupdate / winupdates - looks like a classic malware hide, unless there is a legitimate product it may be associated with.

The foreign stuff is Finnish stuff, and it should be ok..

And those winupdates seem to be like Windows' own stuff?


Winupdate and Winupdates - as what appear to be normal program entries, are highly suspicious, many google hits on them being worms.

So far, I think I would fix:

O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\nmeinsxh.dll
O2 - BHO: (no name) - {5FC32D8B-6888-4C33-88FD-C6996BB61C1C} - C:\WINDOWS\System32\gebcc.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\System32\qomjjjg.dll
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate[Caution] /auto
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates[Caution] /auto
O20 - Winlogon Notify: gebcc - C:\WINDOWS\System32\gebcc.dll
O20 - Winlogon Notify: qomjjjg - C:\WINDOWS\SYSTEM32\qomjjjg.dll

- With the Java entries that are "file missing", I'd be inclined to uninstall Java 5 (after completion of malware cleaning), clean up any more "file missing" issues, and then install Java 6.
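The fix list above is the product of a few repeatable checks: unnamed BHOs loading DLLs out of System32, Winlogon Notify entries that point at the same DLLs as those BHOs (the WinFixer/Vundo pairing the thread calls out), Run entries whose name imitates Windows Update but live outside the Windows directory, and "(file missing)" leftovers. The script below is an added example written for this page, not part of the thread and not HijackThis code; it encodes exactly those rules and runs them over a constructed sample made from the log lines quoted above. Because the forum filter printed "[Caution]" where the log had an extension, the sample assumes ".exe" in those positions; the rule names and the `triage` function are this example's own.

```python
"""Rule-based triage of HijackThis (HJT) log lines.

Added example for this thread, not HijackThis' own code. The rules mirror the
reviewers' reasoning; the SAMPLE_LOG is constructed from the log quoted in the
thread, with ".exe" assumed where the forum filter printed "[Caution]".
"""
import re

# Constructed sample: a subset of the thread's log (".exe" is an assumption).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\nmeinsxh.dll
O2 - BHO: (no name) - {5FC32D8B-6888-4C33-88FD-C6996BB61C1C} - C:\WINDOWS\System32\gebcc.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\System32\qomjjjg.dll
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [soundService] rundll32.exe "C:\WINDOWS\System32\lqrhthbd.dll",setvm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O20 - Winlogon Notify: gebcc - C:\WINDOWS\System32\gebcc.dll
O20 - Winlogon Notify: qomjjjg - C:\WINDOWS\SYSTEM32\qomjjjg.dll
"""

# HJT lines start with a section tag (R0, O2, O4, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Last path component ending in .dll, wherever it appears in the body.
DLL_RE = re.compile(r"\\([^\\\s\",]+\.dll)\b", re.IGNORECASE)
# O4 body layout: HKLM\..\Run: [entry name] command line
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Entry names that imitate Windows Update (the winupdate / winupdates pair).
UPDATE_LOOKALIKE = re.compile(r"^win\s*-?updates?$", re.IGNORECASE)


def parse_hjt(text):
    """Return (section, body, raw_line) for every HJT entry, skipping header lines."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            entries.append((m.group("section"), m.group("body"), raw))
    return entries


def dll_of(body):
    """Lower-cased DLL file name referenced by an entry, or None."""
    m = DLL_RE.search(body)
    return m.group(1).lower() if m else None


def triage(text):
    """Map each suspicious raw line to the list of reasons it was flagged."""
    entries = parse_hjt(text)
    bho_dlls = {dll_of(body) for section, body, _ in entries if section == "O2"}
    findings = {}

    def flag(raw, reason):
        findings.setdefault(raw, []).append(reason)

    for section, body, raw in entries:
        # Dangling entries: nothing to load, but still worth cleaning up.
        if "(file missing)" in body:
            flag(raw, "references a file that no longer exists")
        # Unnamed BHO whose DLL sits in System32 with no vendor identification.
        if section == "O2" and body.startswith("BHO: (no name)") \
                and "\\system32\\" in body.lower():
            flag(raw, "unnamed BHO loading a DLL from System32")
        # Same DLL registered as both a BHO and a Winlogon Notify handler.
        if section == "O20":
            dll = dll_of(body)
            if dll and dll in bho_dlls:
                flag(raw, f"{dll} is also registered as a BHO (BHO + Winlogon Notify pair)")
        # Run entry named like Windows Update but executing outside \WINDOWS\.
        if section == "O4":
            m = RUN_RE.search(body)
            if m and UPDATE_LOOKALIKE.match(m.group("name")) \
                    and "\\windows\\" not in m.group("cmd").lower():
                flag(raw, "Windows Update lookalike running from outside the Windows directory")
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Running it prints the same seven lines the reviewer listed plus the dangling Java O9 entry, and leaves the avast!, Java updater and rundll32 entries alone; the rules are deliberately narrow so that a legitimate vendor-named entry in the same registry keys is not flagged.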

Whoops, been to Madrid for a week...

It looks like you've got vundo in there but can you give us a new log from HijackThis 1.99.1 - the old version. (notice the version you have now is BETA)

Thanks.
