1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

[Solved] my hijack log powerscan please help

Discussion in 'Virus & Other Malware Removal' started by Biglog9, Apr 5, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. Biglog9

    Biglog9 Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    9
    im new to this forum and sorry if i do something wrong

    first i got the power scan problem and though this forum many threads said to list there hijack log

    can someone please have a look and help with my problem

    thanks in advance

    Logfile of HijackThis v1.97.7
    Scan saved at 8:00:53 PM, on 4/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\PROGRA~1\YAHOO!\PARENT~1\YPCSER~1.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\AddCLS.exe
    C:\WINDOWS\System32\wintsu.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Documents and Settings\Jason Logsdon\Application Data\ncsd.exe
    C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
    F:\patches and things\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddCLS.exe
    O4 - HKCU\..\Run: [Nsdt] C:\Documents and Settings\Jason Logsdon\Application Data\eets.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintsu.exe
    O4 - HKCU\..\Run: [Bdat] C:\Documents and Settings\Jason Logsdon\Application Data\ncsd.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: Yahoo! MLB StatTracker - http://aud6.sports.yahoo.com/java/y/mlbst8294_x.cab
    O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud1.sports.yahoo.com/java/y/nflgcst1008_x.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://64.237.47.178//chm.chm::/1/e.exe
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D72CE892-0D6D-4B06-8146-915084B66BCF}: NameServer = 4.2.2.2,4.2.2.1
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi Biglog9

    Welcome to TSG! :)

    Click here to download CWShredder. Close all browser windows,UnZip the file, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.

    When it is finished restart your computer.

    IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.

    The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"



    Go here and download Adaware 6 Build 181

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now and download the latest referencefiles.

    Make sure the following settings are made and on -------ON=GREEN

    From main window :Click Start then Activate in-depth scan (recommended)

    Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

    Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

    Click proceed to save your settings.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.


    Then go here and download Spybot Search & Destroy.

    Install the program and launch it.

    Before scanning press Online and Search for Updates .

    Put a check mark at and install all updates.

    Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

    Restart your computer.

    Come back here and post another Hijack This log and we'll get rid of what's left.
     
  3. Biglog9

    Biglog9 Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    9
    first thanks for the help and the fast reply, you guys/girls are great
    :)
    i did all the above and here is my next hijack log
    :)

    Logfile of HijackThis v1.97.7
    Scan saved at 11:10:01 PM, on 4/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\wintsu.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\PROGRA~1\YAHOO!\PARENT~1\YPCSER~1.EXE
    F:\patches and things\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintsu.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: Yahoo! MLB StatTracker - http://aud6.sports.yahoo.com/java/y/mlbst8294_x.cab
    O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud1.sports.yahoo.com/java/y/nflgcst1008_x.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38082.8131481481
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D72CE892-0D6D-4B06-8146-915084B66BCF}: NameServer = 4.2.2.2,4.2.2.1
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)

    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintsu.exe


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Now find and delete:

    The C:\Program Files\AutoUpdate folder
    The C:\WINDOWS\System32\wintsu.exe file
     
  5. Biglog9

    Biglog9 Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    9
    :) :) :) :) :)
    thanks for your help

    i was at the point where i was going to reformat and start over.

    i am new to the virus protection stuff and will now start learning more about it. i was ignornt to thinking that nortons would stop everything.

    thanks to people like you, people like me are greatful.

    thanks alot
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Glad we were able to help! :)

    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

    I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    Anyone else with a similar problem please start a "New Thread".
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/217460

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice