MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: Please help with hijack log
June 07, 2020, 03:27:48 AM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
June 07, 2020, 03:27:48 AM

Login with username, password and session length
 Featured Sites:
News
New  Looking for cheap hardware and/or software?
Visit our new Online Store where you will be able to purchase from a reputable vendor by country.
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: Please help with hijack log  (Read 1335 times)
Dars
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 2


Bookmark and Share

View Profile
« on: January 18, 2005, 06:55:37 PM »

Every time i change the start page it goes back to e-finder. Can somebody please help.

This is my hicak log:

Logfile of HijackThis v1.99.0
Scan saved at 19:54:26, on 18.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\CTFMONSS.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\CSRSSW.EXE
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Norman\Nvc\BIN\Zanda.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\npfmsg2.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\dag\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: VDOMP Class - {A0ED918D-B8E6-4c3d-BD15-1DB1AE9A5DD3} - C:\WINDOWS\wtlbass32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CTFMONSS] C:\WINDOWS\System32\CTFMONSS.EXE
O4 - HKCU\..\Run: [CSRSSW] C:\WINDOWS\System32\CSRSSW.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105898079437
O17 - HKLM\System\CCS\Services\Tcpip\..\{12B8079A-CB20-4FE1-9462-33FC9ED72FE9}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{12B8079A-CB20-4FE1-9462-33FC9ED72FE9}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{12B8079A-CB20-4FE1-9462-33FC9ED72FE9}: NameServer = 192.168.2.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{12B8079A-CB20-4FE1-9462-33FC9ED72FE9}: NameServer = 192.168.2.1
O23 - Service: Norman API-hooking helper - Unknown - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown - C:\NORMAN\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown - C:\Norman\Nvc\BIN\Zanda.exe
O23 - Service: Norman Virus Control on-access component - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Creative NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #1 on: January 18, 2005, 10:30:36 PM »

Before we start Dars...

Please make a folder for Hijackthis.
It's not adviseable to leave it on your desktop, backups will be spread all over your screen ..
Right click an empty spot in the MyDocuments Folder----left click NEW---Folder
Name it HJT---copy and paste hijackthis to that new folder and delete the one on the desktop originally downloaded.
Don't delete backups until everything is running ok...

Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.



**(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders. This is where it will save the backup files needed if there's a problem.)**

Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

CSRSSW.EXE
wuauclt.exe

Turn off System Restore WinXP WinME. (Turn it back on after this is repaired and you've rebooted.) Close all other open Windows and have HiJackThis Fix:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: VDOMP Class - {A0ED918D-B8E6-4c3d-BD15-1DB1AE9A5DD3} - C:\WINDOWS\wtlbass32.dll

O4 - HKCU\..\Run: [CSRSSW] C:\WINDOWS\System32\CSRSSW.EXE


The next are optional, but recommended for removal,Resource hogs and not needed on startup, but does not disable the program:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"


Go to Control Panel / Add/Remove Programs and remove the
 following if they are there:


e-Finder

Now delete these Folders or Files that are Highlighted: (You may need enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab) (You may have to boot to "Safe Mode" in order to delete some Files/Folders)

C:\WINDOWS\System32\CSRSSW.EXE
C:\WINDOWS\wtlbass32.dll



Now, empty all your TEMP Folders (WinXp has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.

In Xp, here are some locations of Temp files

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Username\Local Settings\Temporary Internet Files
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files

Turn on System Restore

Before opening your browser goto START>CONTROL PANEL>INTERNET OPTIONSand make sure your Homepage is correct,if not ,type the URL you would like in the HomePage box.


Now re-run HJT and post a new logfile back here.

Cactus
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
Dars
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 2


Bookmark and Share

View Profile
« Reply #2 on: January 20, 2005, 07:02:04 PM »

This is my new log

Logfile of HijackThis v1.99.0
Scan saved at 19:58:22, on 20.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Norman\Nvc\BIN\Zanda.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\npfmsg2.exe
C:\WINDOWS\System32\svchost.exe
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\dag\My Documents\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105898079437
O17 - HKLM\System\CCS\Services\Tcpip\..\{12B8079A-CB20-4FE1-9462-33FC9ED72FE9}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{12B8079A-CB20-4FE1-9462-33FC9ED72FE9}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{12B8079A-CB20-4FE1-9462-33FC9ED72FE9}: NameServer = 192.168.2.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{12B8079A-CB20-4FE1-9462-33FC9ED72FE9}: NameServer = 192.168.2.1
O23 - Service: Norman API-hooking helper - Unknown - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown - C:\NORMAN\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown - C:\Norman\Nvc\BIN\Zanda.exe
O23 - Service: Norman Virus Control on-access component - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Creative NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

The problems seems do have gone away now.

I also removed the:
O4 - HKCU\..\Run: [CTFMONSS] C:\WINDOWS\System32\CTFMONSS.EXE
in hijack this. and deleted the file. It seems to have done the trick.
Please tell me if you see anything else wrong with my log file.

I can't thank you enuf for fixing my problem. Thank yuo very much. I fas about to format my hard drive. I dont need to now.

sincerely
Dag Roar
Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #3 on: January 20, 2005, 07:11:12 PM »

Logfile looks good now.. Grin

Cactus
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page December 30, 2018, 01:21:36 PM