Spyware, Malware, Trojans ... ? HJT Log Attached - Computer #3

[shesun4givn2]

I'm in the process of cleaning up 4 computers. Here is the HJT log of the 3rd machine. After reading $teve's instructions in the top sticky thread, I am posting my first HJT log before installing Adaware & Spybot. At this point all I have done to the machine is install Zone Alarm firewall and HijackThis. If I need to remove any malware before installing, configuring & running Adaware, Spybot & SpywareBlaster, please let me know.


Logfile of HijackThis v1.98.2
Scan saved at 9:57:41 AM, on 9/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Employee\Desktop\Tools CD\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://startpage.iload.to/?m=abc&t=&u=http://www.msn.com/&x=B5413D9B-CAD5-4703-8EFC-F8F3CE253E0A
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://files.cc.cometsystems.com/assist/cc/1.0/assist_ct.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\Comet\Bin\csbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\Comet\Bin\csietb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {D14D6793-9B65-11D3-80B6-00500487BDBA} (CSBHO Class) - http://files.cc.cometsystems.com/cc2/release/bin/plat-4-3-333-ccct.cab

 

[shesun4givn2]

Bump =)

 

[jwbirdsong]

Print these instructions as you need to have IE closed from all of the fixes listed below.

Please check your settings so that you are able to Show Hidden Files and Folders

Please Download CWShredder from HERE .Don't run it yet; just have it on your desktop (or where ever) ready to go when we need it Please re download/update if you already have this. Make sure you have the latest version!

Open Control Panel>Add/Remove and uninstall Comet Cursor, or Comet anything..) if ask to reboot deny it for now.

With ONLY HijackThis running
Place a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://startpage.iload.to/?m=abc&t=...FC-F8F3CE253E0A
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://files.cc.cometsystems.com/as.../assist_ct.html
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\Comet\Bin\csbho.dll
O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\Comet\Bin\csietb.dll
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {D14D6793-9B65-11D3-80B6-00500487BDBA} (CSBHO Class) - http://files.cc.cometsystems.com/cc...-3-333-ccct.cab

THEN WITH ALL OTHER WINDOWS CLOSED ,press "Fix".


Go to then delete all ofthe following files/folders you are able to remove...(there are always a couple in temp folder that won't delete):-

Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)

[*]C:\Windows\Temp\

[*]C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

[*]C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\

[*]C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested.

[*]C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\

[*]Empty your "Recycle Bin"


Now close all windows (including this one) then run the CWShredder you downloaded earlier; clicking on 'Fix' NOT 'Scan Only'

Then Reboot and post a fresh log back to this thread.