
Malware Spyware and Trojans? Oh My!

Discussion in 'Virus & Other Malware Removal' started by bella6100, Dec 18, 2008.

Thread Status:
Not open for further replies.
  1. bella6100

    bella6100 Thread Starter

    Feb 6, 2005
    Hi all!

    This is regarding my computer at work. I am working on an HP 7550 with Windows XP Professional Version 2002 Service Pack 1. I am getting constant pop-ups that my computer might be infected with adware, spyware, trojans. There is a yellow triangle with an exclamation mark that appears constantly with different alerts. I dl Spyware Doctor but it told me I had to update before I could scan and my network would not let it update b/c I believe it's restricted. I was able to download Spyware Terminator and I scanned and deleted one thing but I don't think it did much. There are certain anti-virus and anti-other problem programs I may not be able to use if I have to update first before I can run them. Spybot S&D lets me scan without updating, but I don't know about others so I will try all the suggestions that I can. I have dl Spybot S&D but before I run it I thought I should post a HijackThis log first. So, here it is!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:30:24 PM, on 12/18/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\WebMediaViewer\qttask.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\McAfee\Common Framework\udaterui.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\WebMediaViewer\qttaskm.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prevhomepage.com/?q=http...om/?q=http://intranet/onenet/page.aspx?item=1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by IDHS
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = Localhost;10.*;intranet;ebtlink;intranet.*;*.dhs;*.state.il.us;*.illinois.gov;192.*;*netlearning*;69*;hfs.infonet*;*extranet.sdu;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\System32\iprntctl.exe TRAY_ICON
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
    O4 - HKUS\S-1-5-21-84980950-3897556790-1145724395-1029\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
    O4 - Global Startup: Notify.lnk = C:\novell\GroupWise\notify.exe
    O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.servicemenutool.com/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: Explorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.servicemenutool.com/redirect.php (file missing)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O14 - IERESET.INF: START_PAGE_URL=http://intranet
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://www.humsurf.info/cgiproxy/np...omedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {76392179-60A8-462D-8961-B95C14DAADF4} (PrintEngine ActiveX Control v4.2) - https://reports.illinois.gov/per/content/ddiprintengine.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.EXE
    O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\System32\wm.exe
    O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

    End of file - 8271 bytes

    Thanks in advance for any help!
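Reading a HijackThis log by hand is the step the helpers below are doing when they spot the backdoor. The following is an added example, not code from the original post or from Trend Micro: a small Python triage script that parses HJT-style lines and flags the entries an analyst would want to look at first (a browser start page on an outside host, autostarts in the `Policies\Explorer\Run` key or with no path, IE extensions and ActiveX downloads sourced from hosts outside an allow-list, and a populated `AppInit_DLLs`). The sample lines are copied from the log above, including the forum's `...` truncations; the `EXPECTED_HOSTS` allow-list and the rules themselves are assumptions to be tuned per environment, and a flag means "review this", not "this is malware".

```python
"""Triage of HijackThis (HJT) log lines: flag entries worth a human look.

Added example, not code from the forum post. The rules and the allow-list
are assumptions an analyst would tune for their own environment.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the log posted above,
# copied verbatim (the "..." inside the O16 URL is the forum's truncation).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prevhomepage.com/?q=http...om/?q=http://intranet/onenet/page.aspx?item=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O9 - Extra 'Tools' menuitem: Explorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.servicemenutool.com/redirect.php (file missing)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://www.humsurf.info/cgiproxy/np...omedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {76392179-60A8-462D-8961-B95C14DAADF4} (PrintEngine ActiveX Control v4.2) - https://reports.illinois.gov/per/content/ddiprintengine.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

# Hosts the analyst has verified as expected on this workstation (assumption).
EXPECTED_HOSTS = {"intranet", "reports.illinois.gov"}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
# O4 entries look like: <registry key>: [<value name>] <command line>
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse(log):
    """Yield (section, body, full_line) for every recognised HJT line."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def hosts_in(text):
    """Lower-cased hostnames of every http(s) URL in the text."""
    return [urlparse(u).hostname for u in URL_RE.findall(text) if urlparse(u).hostname]


def first_token(cmd):
    """Executable portion of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log, expected_hosts=EXPECTED_HOSTS):
    """Return a list of {section, reason, line} findings for manual review."""
    findings = []

    def flag(section, reason, line):
        findings.append({"section": section, "reason": reason, "line": line})

    for section, body, line in parse(log):
        off_site = [h for h in hosts_in(body) if h not in expected_hosts]
        if section in ("R0", "R1") and "Start Page" in body:
            # Start page on an outside host that forwards to the real intranet
            # page is a classic homepage hijack.
            if off_site:
                flag(section, "browser start page set to unexpected host: " + ", ".join(off_site), line)
        elif section == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # e.g. "Global Startup: x.lnk = ..." lines, not handled here
            if "Policies\\Explorer\\Run" in m.group("key"):
                flag(section, "autostart via Policies\\Explorer\\Run; confirm it is set by your GPO", line)
            exe = first_token(m.group("cmd"))
            if exe and "\\" not in exe and ":" not in exe:
                flag(section, f"autostart {exe!r} has no path and is resolved via PATH; locate the file", line)
        elif section in ("O9", "O16"):
            # Extra IE buttons/menu items and ActiveX (DPF) downloads fetched from
            # hosts that are not on the allow-list.
            if off_site:
                flag(section, "IE extension/ActiveX sourced from unexpected host: " + ", ".join(off_site), line)
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            if body.split(":", 1)[1].strip():
                # AppInit_DLLs are loaded into every process that loads user32.dll.
                flag(section, "AppInit_DLLs is populated; the DLL is injected into every GUI process", line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Run against the sample, the script flags six lines: the off-site start page, the two O4 entries (the `Policies\Explorer\Run` autostart and the path-less `zentray.exe`), the O9 and O16 entries pointing at `www.servicemenutool.com` and `www.humsurf.info`, and the `AppInit_DLLs` value; the `reports.illinois.gov` ActiveX control is on the allow-list and passes. The path-less and policy-key rules deliberately catch legitimate Novell and GPO items too, which is the point: the script shortlists, the analyst decides.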
  2. dvk01

    dvk01 Derek Moderator Malware Specialist

    Dec 14, 2002
    Delete any existing version of ComboFix you have sitting on your desktop

    Download ComboFix from Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results"
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again after ComboFix has finished
    2. Close any open browsers and any other programs you might have running
    Double click on combofix.exe & follow the prompts.
    If you are using Windows XP, it might display a pop-up saying that "Recovery Console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns
  3. bella6100

    bella6100 Thread Starter

    Feb 6, 2005

    Thanks so much for the quick response. Unfortunately I will not be at work until Monday so I will definitely do everything you stated as soon as I get back into the office! Thanks again.
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Aug 27, 2003
    We don't normally work on company computers and this looks like a government one. Is that the case? :)
  5. bella6100

    bella6100 Thread Starter

    Feb 6, 2005
    It is a work computer but it is not a government one. This same computer was used previously by someone else but it is mine for now. I understand if you cannot assist me but if that is the case I will probably just try to run whatever removal programs I can since I already tried system restore and it just will not work. However, whatever is on it messed up the computer and until I fix it I can barely get my work completed....
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Aug 27, 2003
    Does your company have an IT department or person?
  7. bella6100

    bella6100 Thread Starter

    Feb 6, 2005
    Yes we do but he is on vacation atm and he will not be back until after January...and I cannot wait that long. I also did have a tech ticket put in but they can't tell me when the tech will be out there to fix it. All I want to do is just get rid of any spyware and other infections that are messing up the computer so that I can work effectively.
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Aug 27, 2003
    I'm sorry but I'm afraid we won't be able to help in this situation. Please refer to this sticky post at the top of this forum and specifically the paragraph below:



    Please do not request assistance for corporate/company owned computers. Many changes/deletions are made during the clean up process, some of which may involve uninstalling programs, deleting folders/files, changing settings and/or removing policies etc. As we have no way of knowing for sure if these are actually needed for company operations, malware issues in these cases should be handled by your own IT Departments in order to avoid any undesirable results.
  9. bella6100

    bella6100 Thread Starter

    Feb 6, 2005
    Ok, I can totally understand that. I'll try fixing it myself but just one more question....I tried to do a system restore and I tried several different days but for some reason it would just not restore it. Do you have any idea why that might be; this has also happened on my home computer but eventually a certain day worked and I was able to restore it. The infections just showed up earlier this week so at least if I can restore it to an earlier day then I wouldn't even need to run any anti-virus or anti-spyware programs.
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Aug 27, 2003
    Unfortunately, malware sometimes disables the restore points as well. You can try and see if you can get one to work but chances are since you've already had some that don't work I doubt there will be any. :(
  11. dvk01

    dvk01 Derek Moderator Malware Specialist

    Dec 14, 2002
    You have what appears to be a backdoor trojan that normally comes with a rootkit and is capable of stealing any information on your computer.

    YOU MUST NOT use it or let it connect to the net or the company network until the company tech support have fixed it.

    It is very likely that the entire company network has been compromised and they need to get a tech in IMMEDIATELY to fix it & save the company.
Short URL to this thread: https://techguy.org/780981