Hijack Log help please

Good afternoon. I'm not sure if I've posted this in the right section of the forum. I'm after some expert advice if possible.

I recently installed the Comodo Firewall; everything is OK until this suddenly appears:

"c:\windows\system32\svchost.exe was blocked". Source IP was 212.9.104.90 and the port was 64728.

I did block this when the popup appeared. I searched the IP and it comes from Leicester, UK.

Is this anything to be worried about? This message does keep popping up from this IP address a lot. Perhaps I'm over-paranoid, but my PC has been hacked and attacked before.

Thanks for all your time and help. Hope you can understand my typing.

svchost.exe is a Windows system process. Oftentimes malware injects code into it (as well as into many other processes). Sometimes malware disguises itself with a name similar to svchost.exe, such as scvhost.exe, etc.

But, if CFP is blocking svchost.exe and gives info on that IP, then perhaps you have malware on your system.

I’m not aware of your security setup - antivirus, antispyware… or any other tool you use. But at the moment, one thing I would suggest is for you to block that IP in CFP - Firewall section - My blocked network zones - Add - New blocked address - Single IP address.

Also, perhaps you could download and install HijackThis and post a log, so that we can further assist you (I'm pretty sure everyone will be more than happy to help).

But perhaps you should place all this info and explain your problem at https://forums.comodo.com/virusmalware_removal_assistance-b58.0/

Edit: You also may want to stealth your ports. To do that, open CFP and in the Firewall section choose Stealth Ports Wizard and choose the last option.
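The two points in the reply above (the genuine svchost.exe lives in the Windows system directory, and malware often borrows a look-alike name such as scvhost.exe) can be turned into a quick check over a process list. The script below is an added example, not code from the original thread or from Comodo; `SAMPLE_PROCESSES` is constructed data, not a capture from the poster's machine, and the two-edit distance threshold is an assumption chosen to catch transpositions and single substituted characters.

```python
"""Flag svchost.exe impostors in a process list.

Added example, not code from the original thread. It automates the two
observations in the reply above: the genuine svchost.exe lives in the Windows
system directory, and malware often hides behind a look-alike name such as
scvhost.exe. SAMPLE_PROCESSES is constructed data, not a capture from the
poster's machine.
"""
import ntpath

LEGIT_NAME = "svchost.exe"
# Where the genuine binary lives (64-bit Windows also ships a 32-bit copy).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (catches typosquatted names)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(path: str) -> str:
    """Return 'ok', 'wrong-directory', 'lookalike-name' or 'unrelated'."""
    directory, name = ntpath.split(path.lower())
    if name == LEGIT_NAME:
        return "ok" if directory in LEGIT_DIRS else "wrong-directory"
    # Within two edits of the real name: scvhost.exe, svch0st.exe, svchosts.exe ...
    # (threshold of 2 is an assumption of this example)
    if edit_distance(name, LEGIT_NAME) <= 2:
        return "lookalike-name"
    return "unrelated"


def suspicious(paths):
    """Return [(path, verdict)] for every entry that is neither genuine nor unrelated."""
    out = []
    for p in paths:
        verdict = classify(p)
        if verdict not in ("ok", "unrelated"):
            out.append((p, verdict))
    return out


# Constructed sample: a mix of genuine, disguised and unrelated processes.
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\svchost.exe",           # genuine
    r"C:\Windows\SysWOW64\svchost.exe",           # genuine 32-bit copy
    r"C:\Windows\scvhost.exe",                    # transposed letters
    r"C:\Users\Public\svchost.exe",               # right name, wrong place
    r"C:\Windows\System32\svch0st.exe",           # digit zero for 'o'
    r"C:\Program Files\COMODO\Firewall\cfp.exe",  # unrelated
]

if __name__ == "__main__":
    for path, verdict in suspicious(SAMPLE_PROCESSES):
        print(f"{verdict:16} {path}")
```

On the poster's alert the path is the genuine one (c:\windows\system32\svchost.exe), so this check returns `ok` and only rules out the name-disguise case; it says nothing about code injected into the real process, which is the other case the reply raises and the reason it asks for a HijackThis log and scanner results.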

Hello, I'm just posting this as I got a reply from "darkbutterFly"; I was told this forum might be able to help me.

Here is my HijackThis log.

Thanks very much for all replies and help.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:40:08, on 30/08/2008
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\zHotkey.exe
C:\Windows\PixArt\PAC207\Monitor.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Twain_32\CA561A\SnapDetect.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Michael\Desktop\aNTI sPYWARE\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.talksport.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...ys=DTP&M=E4214
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...ys=DTP&M=E4214
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=E4214
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..\Run: [CHotkey] zHotkey.exe
O4 - HKLM..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{5B039379-BA94-4A29-8C1C-79A883197CC9}
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Nine Poker - {04AC392D-B4C9-48a3-9DB9-F8E0AC10F377} - C:\Microgaming\Poker\NinePokerMPP\MPPoker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Casino Del Rio - {45FD16E0-0BC3-4774-AD53-228976E8C19F} - (no file)
O9 - Extra 'Tools' menuitem: Casino Del Rio - {45FD16E0-0BC3-4774-AD53-228976E8C19F} - (no file)
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - (no file)
O9 - Extra button: Stan James Poker.com Poker - {7F2F6F5A-CAE2-4954-A461-36B3757B2BFB} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PacificPoker4 - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programs\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programs\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: PokerTime - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\PokerTime\MPPoker.exe (HKCU)
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra button: Poker.com - {4f34c291-5837-4f45-ade1-da5502c69fef} - C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Poker.com\Poker.com.lnk (HKCU)
O13 - Gopher Prefix:

Using HijackThis, fix these entries:

O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com

That means that the Hosts file has been hijacked, so fix those entries. After that, if using XP or Vista, go to C:\Windows\System32\drivers\etc and delete the Hosts file. HijackThis reveals those hijacked entries, but perhaps there could be more that it can't detect. So delete it! Then use a new Hosts file, such as MVPS, hpHosts or Blocklist Pro. You can also use HostsMan, which is a utility that will automatically update the MVPS or hpHosts Hosts file. You can update more if you wish to use a customized Hosts file, but if you do not want to "lose" time updating and checking your Hosts file on a daily basis, then I suggest using one Hosts file. Personally, I'm very fond of hpHosts. Later on, if you wish, I can give you more details on HostsMan.

Right now, let's continue with your biggest problem!

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) - You may fix this one as well, as it is an unneeded entry.

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) - unneeded as well

O9 - Extra button: Casino Del Rio - {45FD16E0-0BC3-4774-AD53-228976E8C19F} - (no file) - unneeded

O9 - Extra 'Tools' menuitem: Casino Del Rio - {45FD16E0-0BC3-4774-AD53-228976E8C19F} - (no file) - unneeded

O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - (no file) - unneeded

O9 - Extra button: Stan James Poker.com Poker - {7F2F6F5A-CAE2-4954-A461-36B3757B2BFB} - (no file) - unneeded

O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programs\PartyGaming\PartyCasino\RunApp.exe - I don’t think this is a game… I don’t know it lol… Do you? If not, fix it.

O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programs\PartyGaming\PartyCasino\RunApp.exe - If you don't know it, fix it!

O9 - Extra button: PokerTime - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\PokerTime\MPPoker.exe (HKCU) - Same deal with this one…

Do you have anything installed on your system from PixArt?

Edit: I just realised you use Spybot. Perhaps you could use Malwarebytes Anti-Malware and SUPERAntiSpyware. Those are the top antispyware tools of the moment, and you can use them freely. The only catch is that the free versions offer no real-time protection. I would strongly advise you to get them and update them. Then verify your system in Safe Mode.
I would also try a different AV. Perhaps Avast! 4.8 Home Edition. Also scan your system online with Kaspersky, Eset, Panda...

I don't know if you know, but CFP under Defense+ has a malware scanner. Run it while connected to the internet in order to update. Won't hurt to check with it as well...

Thanks for the reply darkbutterfly.

I've done what you said with HijackThis. I'm trying to learn about this firewall.

Would you know what IP blocks on:

Application - Windows Operating System

Blocked ICMP

Destination port - Code (1), code (2), code (3)

Would this be anything to worry about?

I did block the other single IP which kept popping up.

Thanks

If the firewall blocks other systems (IPs) from connecting to your machine, you have nothing to worry about.
You only need to worry about those it may not block :wink:

Have you set the Stealth Ports Wizard under the Firewall section to the last choice? If not, do so!

Also scan your system with SUPERAntiSpyware Free Edition and Malwarebytes Anti-Malware in Safe Mode.
If you haven’t deleted the Hosts file, do it, and replace it with one of the ones I mentioned.

These are the official sites where you can get them:

MVPS - Blocking Unwanted Connections with a Hosts File
hpHosts - http://hosts-file.net/
Blocklist Pro/Bluetack - http://blocklistpro.com/download-center/view-details/blocklist-pro-blocklists-mirror/277-hosts.zip.html

Get and install HostsMan. It will manage the Hosts file, including automatic updates if you choose to. I believe it won't be able to automatically update Blocklist Pro's Hosts file, though, as the link won't pull the file automatically; it will open a new page to download the file. Haven't tried it yet.

But I strongly advise you to use one of these Hosts files, as Spybot's hosts file sucks big time, and honestly Spybot has lost some of its power; we can see that by noticing how often updates are available. Sometimes there is an entire week without any updates.
Later on, if you want some advice on how to use HostsMan, ask me, and I will gladly tell you how to work with it.

You would be better off with SUPERAntiSpyware and/or Malwarebytes Anti-Malware.

Don’t forget to update them and verify your system in Safe Mode.

Tell me some news…

Best regards
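Both of darkbutterfly's replies above rest on the same reading of the HijackThis O1 lines: a blocking hosts file (MVPS, hpHosts, Blocklist Pro) points unwanted names at a loopback or null address, so a line that sends a name to a routable address is a redirect the user never asked for, and repeated identical lines are a sign of a tool rewriting the file. The script below is an added example, not code from the thread, from Comodo or from HijackThis; it applies that reading to either a raw hosts file or the `O1 - Hosts:` lines of a pasted log. `SAMPLE_HOSTS` is constructed, with the casinocontroller.com lines reproducing what the log above reports; the `.example` names are placeholders.

```python
"""Triage a Windows hosts file for hijacked entries.

Added example, not code from the original thread. A blocking hosts file points
unwanted names at a loopback or null address, so any mapping to a routable
address is a redirect, and repeated lines hint at a tool rewriting the file.
SAMPLE_HOSTS is constructed; its casinocontroller.com lines reproduce what the
HijackThis log above reports.
"""
import ipaddress
from collections import Counter


def triage(text: str) -> dict:
    """Split hosts-file text into redirects, duplicate mappings and malformed lines."""
    redirects, malformed, seen = [], [], Counter()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(n)                  # first field is not an address
            continue
        if len(fields) < 2:                      # an address with no hostname
            malformed.append(n)
            continue
        for name in fields[1:]:
            name = name.lower()
            seen[(fields[0], name)] += 1
            # 127.x / ::1 / 0.0.0.0 sinkhole a name (blocking); anything else
            # sends the name to a server chosen by whoever wrote the line.
            if not (addr.is_loopback or addr.is_unspecified):
                redirects.append((name, fields[0], n))
    duplicates = [(ip, name, c) for (ip, name), c in seen.items() if c > 1]
    return {"redirects": redirects, "duplicates": duplicates, "malformed": malformed}


def hosts_from_hijackthis(log: str) -> str:
    """Rebuild hosts-file text from the 'O1 - Hosts:' lines of a HijackThis log."""
    prefix = "O1 - Hosts: "
    return "\n".join(l[len(prefix):] for l in log.splitlines() if l.startswith(prefix))


# Constructed sample, not the poster's file.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example        # blocking entry, as MVPS/hpHosts would add
0.0.0.0         tracker.example    # null-route style blocking entry
200.124.131.116 casinocontroller.com
200.124.131.116 casinocontroller.com
200.124.131.116 casinocontroller.com
not-an-address  broken.example
"""

if __name__ == "__main__":
    # On the affected machine you would instead read
    # C:\Windows\System32\drivers\etc\hosts, the path named in the reply.
    report = triage(SAMPLE_HOSTS)
    for name, ip, n in report["redirects"]:
        print(f"line {n}: {name} redirected to {ip}")
    for ip, name, count in report["duplicates"]:
        print(f"{name} -> {ip} appears {count} times")
    print("malformed lines:", report["malformed"])
```

The check is deliberately coarse: it flags every non-loopback mapping, including ones a user may have added on purpose for an intranet host, and leaves the decision to the person reading the report, which is the same judgement call the replies above make by hand.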

Thank you darkbutterfly for all your time and help. I found a lot of spyware after scanning with the software you said. I'm going to delete my hosts file and try a new one. My PC does seem a bit faster after the scans :)

I will keep you posted in this post if that's OK?