
Cleaning a Computer

Discussion in 'Virus & Other Malware Removal' started by Orionis, Jul 19, 2007.

  1. Orionis

    Orionis Thread Starter

    Joined:
    Jul 19, 2007
    Messages:
    2
    I've been tasked with cleaning up a computer that ran for several months without an antivirus and without XP Service Pack 2. I have installed an antivirus and updated the OS to plug up some holes. I removed quite a number of viruses and spyware; however, there is something still on the system that I cannot seem to find, and I was hoping one of you who knows a bit more about this area could help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:46:11 AM, on 7/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
    C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\iISystem Wiper\SystemWiper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\TEMP\IOEBED.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\WINDOWS\system32\cleanmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\administrator\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uscb.edu/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {644F1D89-844A-8FE2-1A1A-8A8DB12183BE} - C:\WINDOWS\System32\anlxo.dll (file missing)
    O2 - BHO: (no name) - {7388EEC1-AF12-4939-824D-4BE489A0634B} - C:\Program Files\WindowsUpdate\hoker83122.dll (file missing)
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {c4cb5ba1-5be3-4a8d-bc6f-0a74293c1efd} - C:\WINDOWS\System32\gdpvrlr.dll (file missing)
    O2 - BHO: (no name) - {D27B84D6-AD23-4C64-B41F-70A8D8EC2300} - C:\WINDOWS\System32\ljjjk.dll (file missing)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
    O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\notify.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184778705520
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
    O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
    O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    --
    End of file - 6992 bytes
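The log above is what the helper reads by eye for Vundo: unnamed O2 BHOs whose DLL is already "(file missing)", DLLs with generated-looking names in System32, and executables running out of C:\WINDOWS\TEMP. As an added example (not code from the thread or from HijackThis), this Python script parses HijackThis v2 log lines and applies those same checks; the rule names and the "random name" thresholds are the example's own assumptions, and the sample input is copied from the log above plus one O4 line constructed for the demonstration.

```python
"""Triage helper for HijackThis v2 log lines.

Added example for this thread, not code from the thread or from HijackThis.
The rules are heuristics chosen for this example: they encode what the helper
in the thread looked for by eye (unnamed BHOs already missing from disk,
generated-looking DLL names, executables launched from a temp directory).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines copied from the first HijackThis log in the thread, plus one O4 line
# that is constructed for the example (it is not in the thread's log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\TEMP\IOEBED.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {644F1D89-844A-8FE2-1A1A-8A8DB12183BE} - C:\WINDOWS\System32\anlxo.dll (file missing)
O2 - BHO: (no name) - {7388EEC1-AF12-4939-824D-4BE489A0634B} - C:\Program Files\WindowsUpdate\hoker83122.dll (file missing)
O2 - BHO: (no name) - {D27B84D6-AD23-4C64-B41F-70A8D8EC2300} - C:\WINDOWS\System32\ljjjk.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [constructed-example] C:\WINDOWS\TEMP\sample.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# A path component named TEMP or TMP anywhere in the path.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# HJT format: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# HJT format: "O4 - <hive>\..\Run: [<label>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
# Entries of the "Running processes:" block are bare absolute paths.
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.(exe|dll)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def stem(path: str) -> str:
    """File name without directory and extension."""
    return path.rstrip().split("\\")[-1].rsplit(".", 1)[0]


def looks_random(name: str) -> bool:
    """Heuristic (assumption of this example): a name with no vowels, or with a
    run of four or more consonants, resembles the generated DLL names seen in
    the thread (ljjjk, gdpvrlr) rather than a vendor's product name."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if not letters:
        return False
    if not re.search(r"[aeiouy]", letters):
        return True
    return re.search(r"[^aeiouy]{4,}", letters) is not None


def triage(log_text: str) -> list[Finding]:
    """Return the suspicious entries of an HJT log, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            unnamed = m.group("name") == "(no name)"
            missing = m.group("missing") is not None
            if unnamed and missing:
                findings.append(Finding("orphaned unnamed BHO (Vundo pattern)", line))
            elif looks_random(stem(m.group("path"))):
                findings.append(Finding("BHO DLL with generated-looking name", line))
            continue
        m = RUN_RE.match(line)
        if m:
            if TEMP_DIR_RE.search(m.group("cmd")):
                findings.append(Finding("autorun entry launching from a temp directory", line))
            continue
        if PROC_RE.match(line) and TEMP_DIR_RE.search(line):
            findings.append(Finding("process running from a temp directory", line))
    return findings


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")


if __name__ == "__main__":
    main()
```

The "(file missing)" BHOs are flagged even though the DLL is gone because Vundo re-creates a differently named DLL and re-registers the CLSID on reboot, which is why the helper moves to VundoFix rather than simply fixing those lines.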
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    If you have vundofix, remove it and get the current version

    Please download http://www.atribune.org/ccount/click.php?id=4 to C:\
    Double-click VundoFix.exe to run it.
    Click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shutdown your computer, click OK.
    Turn your computer back on.
    Please post the contents of C:\vundofix.txt, even if it does not find anything.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

    Please let Vundo finish its thing; sometimes it can take multiple passes.
    ====================
    Download Superantispyware (SAS)

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new HijackThis log.

    This can take a while!
     
  3. Orionis

    Orionis Thread Starter

    Joined:
    Jul 19, 2007
    Messages:
    2
    VundoFix V6.5.6

    Checking Java version...

    Sun Java not detected
    Scan started at 1:54:11 PM 7/17/2007

    Listing files found while scanning....

    C:\windows\system32\aoyjytpy.dll
    C:\windows\system32\ghsmipav.dll
    C:\WINDOWS\System32\iaiumqal.ini
    C:\WINDOWS\System32\laqmuiai.dll
    C:\WINDOWS\System32\ljjjk.dll
    C:\WINDOWS\System32\mljgeef.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\aoyjytpy.dll
    C:\windows\system32\aoyjytpy.dll Has been deleted!

    Attempting to delete C:\windows\system32\ghsmipav.dll
    C:\windows\system32\ghsmipav.dll Has been deleted!

    Attempting to delete C:\WINDOWS\System32\iaiumqal.ini
    C:\WINDOWS\System32\iaiumqal.ini Has been deleted!

    Attempting to delete C:\WINDOWS\System32\laqmuiai.dll
    C:\WINDOWS\System32\laqmuiai.dll Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ljjjk.dll
    C:\WINDOWS\System32\ljjjk.dll Has been deleted!

    Attempting to delete C:\WINDOWS\System32\mljgeef.dll
    C:\WINDOWS\System32\mljgeef.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.6

    Checking Java version...

    Sun Java not detected
    Scan started at 3:35:15 PM 7/19/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    --------------------------------------------------------------------------------------------

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/19/2007 at 05:27 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3271
    Trace Rules Database Version: 1282

    Scan type : Complete Scan
    Total Scan Time : 01:46:38

    Memory items scanned : 380
    Memory threats detected : 0
    Registry items scanned : 4442
    Registry threats detected : 14
    File items scanned : 86556
    File threats detected : 184

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{D27B84D6-AD23-4C64-B41F-70A8D8EC2300}
    HKCR\CLSID\{D27B84D6-AD23-4C64-B41F-70A8D8EC2300}
    HKCR\CLSID\{D27B84D6-AD23-4C64-B41F-70A8D8EC2300}\InprocServer32
    HKCR\CLSID\{D27B84D6-AD23-4C64-B41F-70A8D8EC2300}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\LJJJK.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D27B84D6-AD23-4C64-B41F-70A8D8EC2300}

    Adware.ClickSpring/Outer Info Network
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayIcon
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
    C:\Program Files\Outerinfo\OiUninstaller.exe
    C:\Program Files\Outerinfo\outerinfo.ico
    C:\Program Files\Outerinfo\Terms.rtf
    C:\Program Files\Outerinfo
    C:\DOCUMENTS AND SETTINGS\SJBRETON\START MENU\PROGRAMS\OUTERINFO\UNINSTALL.LNK

    Adware.ClickSpring-Variant
    C:\DOCUMENTS AND SETTINGS\SJBRETON\APPLICATION DATA\RACLE~1\MSHTA.EXE

    Adware.Tracking Cookie

    Trojan.ZenoSearch
    C:\DOCUMENTS AND SETTINGS\SJBRETON\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\LJNBL10E\DT[1].EXE

    Adware.ClickSpring/PuritySCAN
    C:\QUARANTINE\NDRV.EXE

    Trojan.Unknown Origin
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5AEAC65-3914-450C-A458-3B6493437693}\RP354\A0077942.EXE
    C:\WINDOWS\SYSTEM32\WAPIICOM32.EXE

    Trojan.Rootkit-TnCore/Installer
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5AEAC65-3914-450C-A458-3B6493437693}\RP354\A0077949.EXE

    Adware.WebBuying Assistant-Installer
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5AEAC65-3914-450C-A458-3B6493437693}\RP354\A0077950.EXE

    Adware.ZenoSearch
    C:\WINDOWS\TISKY009.EXE

    --------------------------------------------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:34:59 PM, on 7/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
    C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\TEMP\XZE20C.EXE
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\iISystem Wiper\SystemWiper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\administrator\Desktop\HiJackThis.exe
    C:\Program Files\Trend Micro\OfficeScan Client\TSC.EXE
    C:\WINDOWS\System32\svchost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uscb.edu/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {644F1D89-844A-8FE2-1A1A-8A8DB12183BE} - C:\WINDOWS\System32\anlxo.dll (file missing)
    O2 - BHO: (no name) - {7388EEC1-AF12-4939-824D-4BE489A0634B} - C:\Program Files\WindowsUpdate\hoker83122.dll (file missing)
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {c4cb5ba1-5be3-4a8d-bc6f-0a74293c1efd} - C:\WINDOWS\System32\gdpvrlr.dll (file missing)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
    O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\notify.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184778705520
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
    O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
    O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    --
    End of file - 7063 bytes
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Fix these with HiJackThis – mark them, close IE, click fix checked

    O2 - BHO: (no name) - {644F1D89-844A-8FE2-1A1A-8A8DB12183BE} - C:\WINDOWS\System32\anlxo.dll (file missing)

    O2 - BHO: (no name) - {7388EEC1-AF12-4939-824D-4BE489A0634B} - C:\Program Files\WindowsUpdate\hoker83122.dll (file missing)

    O2 - BHO: (no name) - {c4cb5ba1-5be3-4a8d-bc6f-0a74293c1efd} - C:\WINDOWS\System32\gdpvrlr.dll (file missing)

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new hijack log from normal NOT safe mode



    How are things????????
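The by-eye triage MFDnNC applies to the O2 lines, as an added Python example that is not part of this thread: it parses HijackThis O2 (BHO) entries, flags the pattern marked for fixing above (a BHO with no display name whose DLL is no longer on disk, i.e. an orphaned registration left behind after the malware DLL was removed), and shows the registry key such a "fix checked" removes. The three flagged lines are taken from this log; the benign "Example Helper" entry and its CLSID are constructed.

```python
import re

# Constructed sample built from this thread's log plus one made-up benign BHO.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {644F1D89-844A-8FE2-1A1A-8A8DB12183BE} - C:\WINDOWS\System32\anlxo.dll (file missing)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {7388EEC1-AF12-4939-824D-4BE489A0634B} - C:\Program Files\WindowsUpdate\hoker83122.dll (file missing)
O2 - BHO: (no name) - {c4cb5ba1-5be3-4a8d-bc6f-0a74293c1efd} - C:\WINDOWS\System32\gdpvrlr.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
"""

# HijackThis O2 line layout: "O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Browser Helper Objects are registered under this key, one subkey per CLSID;
# removing the subkey is what stops IE from loading the BHO at startup.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def parse_bho(line):
    """Return a dict for an O2 line, or None for any other HijackThis section."""
    m = BHO_RE.match(line.strip())
    if not m:
        return None
    return {"name": m["name"], "clsid": m["clsid"], "path": m["path"],
            "file_missing": m["missing"] is not None}


def triage(log_text):
    """Split O2 entries into (suspicious, benign) using the reply's criteria."""
    suspicious, benign = [], []
    for line in log_text.splitlines():
        entry = parse_bho(line)
        if entry is None:
            continue  # O3/O4/O16/... lines are outside this check
        reasons = []
        if entry["name"] == "(no name)":
            reasons.append("no display name")
        if entry["file_missing"]:
            reasons.append("DLL not on disk")
        entry["reasons"] = reasons
        (suspicious if reasons else benign).append(entry)
    return suspicious, benign


def bho_registry_key(clsid):
    """Registry subkey HijackThis deletes when an O2 entry is 'fixed'."""
    return BHO_KEY + "\\" + clsid


if __name__ == "__main__":
    bad, ok = triage(SAMPLE_LOG)
    for e in bad:
        print("FIX", e["clsid"], "->", bho_registry_key(e["clsid"]), "|", ", ".join(e["reasons"]))
```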
     

Short URL to this thread: https://techguy.org/597744