Touch could you please look at this hijack log??

suz
New Member


Date Joined Sep 2004
Total Posts : 6
 
Posted 9-18-2004 1:48 (GMT +1)
 
Hello,
 
I have been following your advice about the trojan virus and have up to this point turned system restore off, scanned with AVG 6.0 and removed the virus, removed adware and malware etc., and now this is the latest HijackThis scan. Could you please tell me what files to remove and then what steps to take next before turning system restore back on.
 
Thanks for your time,
Suzsmurf
 
Logfile of HijackThis v1.98.2
Scan saved at 8:43:25 AM, on 9/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\MrSnappy95\snappy95.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sell.ebay.com/sell
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4c\NHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: Mr. Snappy 95.lnk = C:\Program Files\MrSnappy95\snappy95.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\Program Files\Lycos\Sidesearch\sidesearch1410.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -
r.cab?
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
reme/wtinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -
 
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13642
 
Posted 9-18-2004 5:28 (GMT +1)
Hey
 
Scan with HijackThis, close all other windows, put a checkmark next to these, and fix:
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
Boot to safe mode (tapping F8)
Find and delete:
C:\Program Files\ClearSearch\CSIE.DLL <<Folder ClearSearch
 
Reboot

 
You can activate system restore again. Still have the Trojan?


     Touch
 
 

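The log in the first post and the moderator's fix list above follow a fixed pattern: every HijackThis finding starts with a section code (R0, O2, O4, O16, ...) and the entries the moderator picked are either dangling references ("(no file)", "(file missing)") or components he recognised as unwanted (ClearSearch, the WeatherBug MiniBugTransporter control). The following Python script is an added example, not part of this thread or of HijackThis itself: it parses a log in this format, sorts each finding into fix / review / keep, and lists which files are still on disk behind the "fix" entries, which is the moderator's second step (delete the DLL and its folder in safe mode, since fixing an entry in HijackThis only removes the registry reference). The sample log is a constructed subset of the one posted above, with the forum's line wrapping undone; the KNOWN_UNWANTED list is an assumption that contains only the two components named in this thread, and the review rules for O2 and O16 entries are this example's own heuristics.

```python
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis log posted in this thread,
# with the lines the forum wrapped rejoined onto single lines.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
Scan saved at 8:43:25 AM, on 9/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sell.ebay.com/sell
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\Program Files\Lycos\Sidesearch\sidesearch1410.dll (file missing)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
"""

# A finding starts with a section code (R0..R3, F0..F3, N1..N4, O1..O24) and " - ";
# header lines and the running-process list do not, so they are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")

# Markers HijackThis appends when a registry entry points at a file that is gone.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Assumption: only the components the moderator told the poster to fix in this
# thread. A real analyst list would be far longer.
KNOWN_UNWANTED = ("clearsearch", "minibugtransporter")

WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    section: str  # e.g. "O2"
    body: str     # everything after "O2 - "
    raw: str      # the full line as logged


def parse_log(text: str) -> list[Entry]:
    """Return the findings in a HijackThis log, skipping header and process lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), line))
    return entries


def target_of(entry: Entry) -> str:
    """The file path or URL a finding points at: the text after the last ' - '."""
    return entry.body.rsplit(" - ", 1)[-1].strip()


def classify(entry: Entry) -> tuple[str, str]:
    """Map one finding to (verdict, reason); verdict is 'fix', 'review' or 'keep'."""
    if entry.body.endswith(ORPHAN_MARKERS):
        # Nothing on disk backs this entry; fixing it only removes a dangling reference.
        return "fix", "orphaned reference, target file no longer exists"
    lowered = entry.body.lower()
    for name in KNOWN_UNWANTED:
        if name in lowered:
            return "fix", f"matches known unwanted component '{name}'"
    if entry.section == "O16":
        # Downloaded Program Files: an ActiveX control fetched from the web.
        host = urlparse(target_of(entry)).hostname or "(no host)"
        return "review", f"ActiveX control downloaded from {host}"
    if entry.section == "O2":
        return "review", "browser helper object; confirm the DLL belongs to installed software"
    return "keep", ""


def triage(text: str) -> dict[str, list[tuple[str, str]]]:
    """Group every finding in the log under its verdict."""
    report: dict[str, list[tuple[str, str]]] = {"fix": [], "review": [], "keep": []}
    for entry in parse_log(text):
        verdict, reason = classify(entry)
        report[verdict].append((entry.raw, reason))
    return report


def on_disk_targets(text: str) -> list[tuple[str, str]]:
    """(file, folder) pairs still on disk behind 'fix' findings: the safe-mode delete list."""
    targets = []
    for entry in parse_log(text):
        if classify(entry)[0] != "fix" or entry.body.endswith(ORPHAN_MARKERS):
            continue
        path = target_of(entry)
        if WIN_PATH_RE.match(path):  # URLs (O16 entries) are not on-disk targets
            targets.append((path, ntpath.dirname(path)))
    return targets


if __name__ == "__main__":
    for verdict, rows in triage(SAMPLE_LOG).items():
        for raw, reason in rows:
            print(f"{verdict:6} {reason:55} {raw[:70]}")
    print("delete in safe mode:", on_disk_targets(SAMPLE_LOG))
```

Run as a script it prints each finding under its verdict and then the one file and folder left to remove by hand (the ClearSearch DLL and its folder); the "review" bucket is where an analyst spends their time, because a BHO or ActiveX control with a file behind it cannot be judged from the log line alone.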
 

suz
New Member


Date Joined Sep 2004
Total Posts : 6
 
Posted 9-18-2004 8:40 (GMT +1)
Hey Touch,
 
You've got the Magic Touch!!!! She's purring like a kitten!!!!! Scanned with AVG, came up clean. Thanks so much for your help... anything else I need to do???? Again, appreciate your time and help.
Suzsmurf
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13642
 
Posted 9-19-2004 6:41 (GMT +1)
Hey suz;-)
Glad to hear you fixed it.
One last thing you can do - install these:
For safer surfing:
 



     Touch
 
 

 