
Spyware, Malware, Trojans ... ? HJT Log Attached - Computer #3

Discussion in 'Virus & Other Malware Removal' started by shesun4givn2, Sep 9, 2004.

Thread Status:
Not open for further replies.
  1. shesun4givn2

    shesun4givn2 Thread Starter

    Joined:
    Jul 7, 2003
    Messages:
    237
    I'm in the process of cleaning up 4 computers. Here is the HJT log of the 3rd machine. After reading $teve's instructions in the top sticky thread, I am posting my first HJT log before installing Adaware & Spybot. At this point all I have done to the machine is install Zone Alarm firewall and HijackThis. If I need to remove any malware before installing, configuring & running Adaware, Spybot & SpywareBlaster, please let me know.


    Logfile of HijackThis v1.98.2
    Scan saved at 9:57:41 AM, on 9/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Employee\Desktop\Tools CD\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://startpage.iload.to/?m=abc&t=&u=http://www.msn.com/&x=B5413D9B-CAD5-4703-8EFC-F8F3CE253E0A
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://files.cc.cometsystems.com/assist/cc/1.0/assist_ct.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\Comet\Bin\csbho.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\Comet\Bin\csietb.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} - http://install.global-netcom.de/ieloader.cab
    O16 - DPF: {D14D6793-9B65-11D3-80B6-00500487BDBA} (CSBHO Class) - http://files.cc.cometsystems.com/cc2/release/bin/plat-4-3-333-ccct.cab
     
  2. shesun4givn2

    shesun4givn2 Thread Starter

    Joined:
    Jul 7, 2003
    Messages:
    237
  3. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Print these instructions, as you need to have IE closed for all of the fixes listed below.

    Please check your settings so that you are able to Show Hidden Files and Folders.

    Please download CWShredder from HERE. Don't run it yet; just have it on your desktop (or wherever) ready to go when we need it. Please re-download/update if you already have this. Make sure you have the latest version!

    Open Control Panel > Add/Remove and uninstall Comet Cursor (or Comet anything). If asked to reboot, deny it for now.

    With ONLY HijackThis running
    Place a check next to these entries:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://startpage.iload.to/?m=abc&t=...FC-F8F3CE253E0A
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://files.cc.cometsystems.com/as.../assist_ct.html
    O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\Comet\Bin\csbho.dll
    O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\Comet\Bin\csietb.dll
    O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} - http://install.global-netcom.de/ieloader.cab
    O16 - DPF: {D14D6793-9B65-11D3-80B6-00500487BDBA} (CSBHO Class) - http://files.cc.cometsystems.com/cc...-3-333-ccct.cab

    THEN, WITH ALL OTHER WINDOWS CLOSED, press "Fix".


    Go to, then delete, all of the following files/folders you are able to remove... (there are always a couple in the temp folder that won't delete):

    Delete files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN temp, but not temp itself!)

    - C:\Windows\Temp\
    - C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
    - C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
    - C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache, including cookies. This is recommended and strongly suggested.
    - C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
    - Empty your "Recycle Bin"



    Now close all windows (including this one) then run the CWShredder you downloaded earlier; clicking on 'Fix' NOT 'Scan Only'

    Then Reboot and post a fresh log back to this thread.
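
An added example, not part of either post: the fix list in the reply shows some URLs shortened with "...", so checking it against the original log needs prefix/suffix matching rather than string equality. The sketch below uses entries copied from this thread as sample data; the function names are hypothetical, and it also reports CLSIDs that appear under more than one section code, as the CSBHO class does under O2 and O16.

```python
import re

# Sample data: entries copied from the HijackThis log posted in this thread.
LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://files.cc.cometsystems.com/assist/cc/1.0/assist_ct.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\Comet\Bin\csbho.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {D14D6793-9B65-11D3-80B6-00500487BDBA} (CSBHO Class) - http://files.cc.cometsystems.com/cc2/release/bin/plat-4-3-333-ccct.cab
"""
# Fix-list lines as they appear in the reply; long URLs are shortened with "...".
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://files.cc.cometsystems.com/as.../assist_ct.html
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\Comet\Bin\csbho.dll
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {D14D6793-9B65-11D3-80B6-00500487BDBA} (CSBHO Class) - http://files.cc.cometsystems.com/cc...-3-333-ccct.cab
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse(text):
    """Return (section code, full entry line) for every HijackThis entry in text."""
    return [(m.group(1), line.strip()) for line in text.splitlines()
            if (m := ENTRY.match(line))]

def same_entry(fix_line, log_line):
    """True if log_line is fix_line with at most one '...' elision expanded."""
    head, sep, tail = fix_line.partition("...")
    if not sep:
        return fix_line == log_line
    return (len(log_line) >= len(head) + len(tail)
            and log_line.startswith(head) and log_line.endswith(tail))

def resolve_fix_list(fix_text, log_text):
    """Map each fix-list line to the log entries it could refer to."""
    log = parse(log_text)
    return {fix: [l for c, l in log if c == code and same_entry(fix, l)]
            for code, fix in parse(fix_text)}

def clsids_in_multiple_sections(log_text):
    """CLSIDs that show up under more than one section code (e.g. O2 and O16)."""
    seen = {}
    for code, line in parse(log_text):
        for clsid in CLSID.findall(line):
            seen.setdefault(clsid.upper(), set()).add(code)
    return {k: v for k, v in seen.items() if len(v) > 1}
```

A fix-list line that resolves to zero or to several log entries is the case to look at by hand before anything is checked in HijackThis.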
     

Short URL to this thread: https://techguy.org/272019
