Solved: Malware Spyware and Trojans? Oh My!
bella6100 (thread starter; Member with 117 posts; Join Date: Feb 2005; Experience: Beginner)
18-Dec-2008, 05:33 PM #1
Malware, Spyware and Trojans, Please help! HiJackThis Log Posted
Hi all!

This is regarding my computer at work. I am working on an HP 7550 with Windows XP Professional Version 2002 Service Pack 1. I am getting constant pop-ups that my computer might be infected with adware, spyware, trojans. There is a yellow triangle with an exclamation mark that appears constantly with different alerts. I downloaded Spyware Doctor but it told me I had to update before I could scan, and my network would not let it update because I believe it's restricted. I was able to download Spyware Terminator and I scanned and deleted one thing, but I don't think it did much. There are certain anti-virus and anti-other-problem programs I may not be able to use if I have to update first before I can run them. Spybot S&D lets me scan without updating, but I don't know about others, so I will try all the suggestions that I can. I have downloaded Spybot S&D, but before I run it I thought I should post a HijackThis log first. So, here it is!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:24 PM, on 12/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\NALNTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wm.exe
C:\WINDOWS\System32\WMRUNDLL.EXE
C:\NOVELL\ZENRC\WUOLService.exe
z:\clntrust.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WebMediaViewer\qttask.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\iprntctl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\WebMediaViewer\qttaskm.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\NALDESK.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\novell\GroupWise\notify.exe
C:\WINDOWS\system32\ccmsetup\ccmsetup.exe
w:\forte\install\bin\ftexec.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Progra~1\Extra!\EBMNGR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prevhomepage.com/?q=http:...ge.aspx?item=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by IDHS
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = Localhost;10.*;intranet;ebtlink;intranet.*;*.dhs;*.state.il.us;*.illinois.g ov;192.*;*netlearning*;69*;hfs.infonet*;*extranet.sdu;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\System32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O4 - HKUS\S-1-5-21-84980950-3897556790-1145724395-1029\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - Global Startup: Notify.lnk = C:\novell\GroupWise\notify.exe
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.servicemenutool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: Explorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.servicemenutool.com/redirect.php (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://www.humsurf.info/cgiproxy/nph...irector/sw.cab
O16 - DPF: {76392179-60A8-462D-8961-B95C14DAADF4} (PrintEngine ActiveX Control v4.2) - https://reports.illinois.gov/per/con...rintengine.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

--
End of file - 8271 bytes

Thanks in advance for any help!

Last edited by bella6100; 19-Dec-2008 at 12:35 PM..
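As an added example (not code from this thread, from HijackThis, or from Trend Micro), the following Python script parses the R/O lines of a log like the one posted above and marks the entry types a reviewer usually looks at first: a start page pointing off the expected host, an autorun under the Policies\Explorer\Run key, an IE extra button whose file is missing, and an ActiveX control (O16 DPF) pulled from an outside host. The sample input is a handful of lines copied from the posted log; the trusted-host list and the four heuristics are assumptions chosen for illustration, and a flag means "review this line", not "this is malware".

```python
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prevhomepage.com/?q=http:...ge.aspx?item=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.servicemenutool.com/redirect.php (file missing)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://www.humsurf.info/cgiproxy/nph...irector/sw.cab
O16 - DPF: {76392179-60A8-462D-8961-B95C14DAADF4} (PrintEngine ActiveX Control v4.2) - https://reports.illinois.gov/per/con...rintengine.cab
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

# Hosts this environment is assumed to trust for browser home pages and ActiveX
# downloads (assumption for the example; a real list comes from the site's IT staff).
TRUSTED_HOSTS = {"intranet", "reports.illinois.gov"}

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)")


@dataclass
class Entry:
    code: str              # HijackThis section code, e.g. R0, O4, O16
    body: str              # the rest of the line
    flags: list = field(default_factory=list)   # review reasons, empty if none


def parse_log(text: str) -> list:
    """Turn the R/F/O lines of a HijackThis log into Entry objects; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def host_of(text: str):
    """Return the lowercase host of the first http(s) URL in text, or None."""
    m = URL_RE.search(text)
    return m.group(1).lower() if m else None


def analyse(entry: Entry) -> Entry:
    """Attach review flags using simple heuristics. A flag means 'look at this', not 'malware'."""
    host = host_of(entry.body)
    if entry.code in ("R0", "R1") and host and host not in TRUSTED_HOSTS:
        entry.flags.append("browser start/default page points at a host outside the trusted list")
    if entry.code == "O4" and "Policies\\Explorer\\Run" in entry.body:
        entry.flags.append("autorun registered under the Policies\\Explorer\\Run key, an unusual location")
    if entry.code == "O9" and "(file missing)" in entry.body:
        entry.flags.append("IE extra button/menu item whose target file is missing")
    if entry.code == "O16" and host and host not in TRUSTED_HOSTS:
        entry.flags.append("ActiveX control (DPF) downloaded from a host outside the trusted list")
    return entry


def review(text: str) -> list:
    """Parse a log and return only the entries that picked up at least one flag."""
    return [e for e in map(analyse, parse_log(text)) if e.flags]


if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        print(f"{e.code}: {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```

Run it on the sample and four of the nine lines come back flagged (the R0 start page, the Policies\Explorer\Run autorun, the O9 button with the missing file, and the O16 control from www.humsurf.info); the Java autorun, the McAfee service and the O16 control from the trusted reports.illinois.gov host pass through silently. The value of a script like this is triage, not verdicts: it gets a long log down to the handful of lines that a person, or the company's own IT staff, still has to judge.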
dvk01 (Derek) (Moderator & Malware Removal Specialist with 46,099 posts; authorized to help remove malware; Join Date: Dec 2002; Location: Loughton, Essex, UK)
20-Dec-2008, 09:13 AM #2
Delete any existing version of ComboFix you have sitting on your desktop.

Download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again after ComboFix has finished.
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running.
Double-click on combofix.exe & follow the prompts.
If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze. ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell us when you reply. Read HERE why we disable autoruns.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | How to protect yourself and other Security Advice
bella6100 (thread starter; Member with 117 posts; Join Date: Feb 2005; Experience: Beginner)
20-Dec-2008, 11:01 AM #3
Hey!

Thanks so much for the quick response. Unfortunately I will not be at work until Monday, so I will definitely do everything you stated as soon as I get back into the office! Thanks again.
Cookiegal (Administrator & Malware Removal Specialist with 98,380 posts; Join Date: Aug 2003)
20-Dec-2008, 11:53 AM #4
We don't normally work on company computers and this looks like a government one. Is that the case?
bella6100 (thread starter; Member with 117 posts; Join Date: Feb 2005; Experience: Beginner)
20-Dec-2008, 12:34 PM #5
It is a work computer, but it is not a government one. This same computer was used previously by someone else, but it is mine for now. I understand if you cannot assist me, but if that is the case I will probably just try to run whatever removal programs I can, since I already tried System Restore and it just will not work. However, whatever is on it messed up the computer, and until I fix it I can barely get my work completed.
Cookiegal (Administrator & Malware Removal Specialist with 98,380 posts; Join Date: Aug 2003)
20-Dec-2008, 12:44 PM #6
Does your company have an IT department or person?
bella6100 (thread starter; Member with 117 posts; Join Date: Feb 2005; Experience: Beginner)
20-Dec-2008, 04:19 PM #7
Yes we do, but he is on vacation at the moment and he will not be back until after January, and I cannot wait that long. I also did have a tech ticket put in, but they can't tell me when the tech will be out there to fix it. All I want to do is just get rid of any spyware and other infections that are messing up the computer so that I can work effectively.
Cookiegal (Administrator & Malware Removal Specialist with 98,380 posts; Join Date: Aug 2003)
20-Dec-2008, 04:24 PM #8
I'm sorry but I'm afraid we won't be able to help in this situation. Please refer to this sticky post at the top of this forum and specifically the paragraph below:

http://forums.techguy.org/malware-re...st-before.html

IMPORTANT NOTE REGARDING CORPORATE/COMPANY OWNED COMPUTERS

Please do not request assistance for corporate/company owned computers. Many changes/deletions are made during the clean up process, some of which may involve uninstalling programs, deleting folders/files, changing settings and/or removing policies etc. As we have no way of knowing for sure if these are actually needed for company operations, malware issues in these cases should be handled by your own IT Departments in order to avoid any undesirable results.
__________________
Microsoft MVP - Consumer Security

Last edited by Cookiegal; 21-Dec-2008 at 08:31 AM..
bella6100 (thread starter; Member with 117 posts; Join Date: Feb 2005; Experience: Beginner)
20-Dec-2008, 07:48 PM #9
Ok, I can totally understand that. I'll try fixing it myself, but just one more question. I tried to do a System Restore and I tried several different days, but for some reason it would just not restore it. Do you have any idea why that might be? This has also happened on my home computer, but eventually a certain day worked and I was able to restore it. The infections just showed up earlier this week, so at least if I can restore it to an earlier day then I wouldn't even need to run any anti-virus or anti-spyware programs.
Cookiegal (Administrator & Malware Removal Specialist with 98,380 posts; Join Date: Aug 2003)
20-Dec-2008, 07:59 PM #10
Unfortunately, malware sometimes disables the restore points as well. You can try and see if you can get one to work, but since you've already had some that don't work, I doubt there will be any.
dvk01 (Derek) (Moderator & Malware Removal Specialist with 46,099 posts; authorized to help remove malware; Join Date: Dec 2002; Location: Loughton, Essex, UK)
21-Dec-2008, 05:40 AM #11
You have what appears to be a backdoor trojan that normally comes with a rootkit and is capable of stealing any information on your computer.

YOU MUST NOT use it or let it connect to the net or the company network until the company tech support have fixed it.

It is very likely that the entire company network has been compromised, and they need to get a tech in IMMEDIATELY to fix it & save the company.