Virus Win 32 Trojan-gen multiple infections

Minko · 11-18-2007, 03:54 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:14:25 AM, on 19/11/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\Reflection\rtsserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\NkvMon.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = www.kern.com.au
O1 - Hosts: ;143.216.89.4 PIRSAF09
O1 - Hosts: 143.216.174.112 PW2R_SHP_M450 # Sharp Copier/Scanner at Waite
O1 - Hosts: 143.216.89.232 PMCR_SHP_M450 # Sharp Copier/Scanner at Mt. Barker (Catchment Centre)
O1 - Hosts: 143.216.188.226 pirsad04
O1 - Hosts: 143.216.188.110 pirsad07
O1 - Hosts: 143.216.188.227 rampant
O1 - Hosts: 143.216.188.225 pirsaec01 PIRSAEC01-NDS XTRANET
O1 - Hosts: 143.216.188.253 pirsaec03
O1 - Hosts: 143.216.175.29 cygnus
O1 - Hosts: 143.216.188.139 adl0395
O1 - Hosts: 143.216.188.115 adl0247
O1 - Hosts: 143.216.180.249 argolis # New LOTS at DEHAA
O1 - Hosts: 143.216.161.200 DENRLOTS
O1 - Hosts: 143.216.233.3 Concept # Development Unix box at Glenside
O1 - Hosts: 143.216.233.7 Concept_Prod # Production Unix box at Glenside
O1 - Hosts: 143.216.234.2 GCC1 # IBM Mainframe @ glenside
O1 - Hosts: 143.216.150.45 WKVB # Transport SA
O1 - Hosts: 143.216.220.23 CERBERUS
O1 - Hosts: 143.216.161.120 macra # SDE server - testing
O1 - Hosts: 143.216.161.163 mestor # DEH Server (not in DNS)
O1 - Hosts: 143.216.163.84 solos # SDE server - production
O1 - Hosts: 143.216.59.13 sagemsa0001
O1 - Hosts: 143.216.59.11 sagemsbb001
O1 - Hosts: 143.216.59.10 sagemsbb004
O1 - Hosts: 143.216.59.14 sagemsbb006
O1 - Hosts: 143.216.59.21 sagemsbb007
O1 - Hosts: 143.216.59.22 sagemsbb008
O1 - Hosts: 143.216.59.17 sagemsbb010
O1 - Hosts: 143.216.59.23 sagemsg0004
O1 - Hosts: 143.216.59.26 sagemsg0005
O1 - Hosts: 143.216.59.29 sagemsg0006
O1 - Hosts: 143.216.59.30 sagemsg0007
O1 - Hosts: 143.216.59.9 sagemsg0008
O1 - Hosts: 143.216.59.8 sagemsg0009
O1 - Hosts: 143.216.59.20 sagemsg0010 sagemsa0012.sagemsmrd01.sa.gov.au
O1 - Hosts: 143.216.59.18 sagemsg0011
O1 - Hosts: 143.216.59.12 sagemsg0012
O1 - Hosts: 143.216.59.28 sagemsg0013
O1 - Hosts: 143.216.59.19 sagemsg0015
O1 - Hosts: 143.216.59.27 sagemsg0016
O1 - Hosts: 143.216.59.25 sagemsg0017
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [CPQAcDc] C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\NkvMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: ICF - Unknown owner - C:\WINNT\System32\svchost.exe:exe.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

**ceewi1** · 11-18-2007, 10:50 PM

1. Please download this file - Combofix to your desktop
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall

Minko · 11-19-2007, 02:27 AM

Where can I get an updated copy of COMBOFIX,
the link sends me to an outdated copy which doesn't work.

**ceewi1** · 11-19-2007, 02:36 AM

That should be the latest version, but you can try one of these locations:
http://www.techsupportforum.com/sect...s/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

If that doesn't work, we'll do this another way:
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.

Please then reboot your computer in Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Minko · 11-19-2007, 11:18 AM

SDFix: Version 1.115

Run by administrator on Mon 2007-11-19 at 21:23

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
ICF

Path:
C:\WINNT\System32\svchost.exe:exe.exe

ICF - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINNT\SYSTEM32\HELPER.XML - Deleted
C:\Temp\autorun.inf - Deleted
C:\Temp\install.exe - Deleted
C:\Temp\TMP4.tmp - Deleted
C:\Temp\TMP5.tmp - Deleted
C:\Temp.htm - Deleted
C:\WINNT\system32\RunOnce1.t__ - Deleted
C:\WINNT\system32\RunOnce1.tm_ - Deleted
C:\WINNT\Temp\$_2341235.TMP - Deleted
C:\WINNT\Temp\$b17a2e8.tmp - Deleted
C:\WINNT\Temp\removalfile.bat - Deleted

Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
: ADS Found!

svchost.exe: deleted 24064 bytes in 1 streams.

Checking for remaining Streams

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 21:31:12
Windows 5.0.2195 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 10 May 1980 34,816 ...H. --- "C:\~WRL0001.tmp"
Sat 19 Apr 1980 132,608 ...H. --- "C:\~WRL0002.tmp"
Sat 10 May 1980 19,456 ...H. --- "C:\~WRL0816.tmp"
Sat 10 May 1980 31,744 ...H. --- "C:\~WRL3826.tmp"
Mon 8 May 2006 249,856 A..H. --- "C:\Program Files\BabasChess\BabasCrashReport.exe"
Sat 3 Feb 2001 48,640 A..H. --- "C:\Program Files\BabasChess\timeseal.exe"
Wed 22 Jun 2005 45,568 A.SHR --- "C:\Program Files\Replay Converter\cygz.dll"
Sat 3 Jul 2004 89,088 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL0319.tmp"
Sat 3 Jul 2004 86,016 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL0534.tmp"
Sat 3 Jul 2004 78,336 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL0546.tmp"
Sat 10 May 1980 32,256 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL0640.tmp"
Sat 10 May 1980 33,280 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL1543.tmp"
Sat 3 Jul 2004 78,848 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL1927.tmp"
Sat 3 Jul 2004 90,624 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL2007.tmp"
Sat 10 May 1980 29,696 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL2199.tmp"
Sat 10 May 1980 36,864 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL2611.tmp"
Sat 10 May 1980 23,040 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL2679.tmp"
Sat 3 Jul 2004 88,064 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL3347.tmp"
Sat 3 Jul 2004 90,624 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL3363.tmp"
Sat 10 May 1980 27,136 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL3540.tmp"
Sat 3 Jul 2004 88,064 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL3632.tmp"

Finished!

Logfile of HijackThis v1.99.1
Scan saved at 21:41, on 2007-11-19
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\Reflection\rtsserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\NkvMon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
D:\hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = www.kern.com.au
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [CPQAcDc] C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\NkvMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

**ceewi1** · 11-19-2007, 11:42 PM

Excellent, SDFix has killed that infection, how are things now?

It appears you were using a custom hosts file. SDFix restores hosts files to their default values, as they're often used by malware, so we'll need to put yours back.

Please copy C:\SDFix\backups\HOSTS to C:\winnt\system32\drivers\etc\HOSTS, overriding the existing file. To do so:

Navigate to C:\SDFix\backups
Right click on HOSTS and choose Copy
Navigate to C:\winnt\system32\drivers\etc\
Click on Edit -> Paste
When asked whether you want to replace the existing file, answer Yes

Minko · 11-20-2007, 03:13 AM

Things are well I am not getting any more virus alerts.

I think the computer was a bit different after the clean up but restoring the hosts might change this.

Thanks for the help it is much appreciated.

**ceewi1** · 11-20-2007, 05:53 AM

You're welcome. There are a few updates I suggest you install to help prevent future infections.

Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update:
Updating Java:

Go to Start > Control Panel double-click on the Software icon > Add or Remove Programss.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
It should have next icon next to it:
Select it and click Remove.
Then Download and install the newest version from here:
- http://www.java.com/en/download/manual.jsp

I strongly suggest you update to Service Pack 4, as it contains some very important security updates. You can obtain Service Pack 4 from http://update.microsoft.com/

Once you've updated to Service Pack 4, please also download all critical updates from http://update.microsoft.com/

Minko · 11-20-2007, 04:02 PM

I have noticed that since doing SDFix none of my files show their extensions anymore, e.g. there is no .doc, .mpg, .jpg, or .flv displayed, only the name and then in another column it says what type of file it is. How do I get this back to normal.

Also I think the clock changed to 24 hour.

I installed the latest version of Java, the Service Pack 4 and Microsoft updates.

Thanks for the help.

**ceewi1** · 11-21-2007, 04:31 AM

Quote:

Originally Posted by Minko

I have noticed that since doing SDFix none of my files show their extensions anymore, e.g. there is no .doc, .mpg, .jpg, or .flv displayed, only the name and then in another column it says what type of file it is. How do I get this back to normal.

Open up My Computer (or any other folder) and click on Tools -> Folder Options -> View. Untick Hide extensions for known file types and click OK.

Quote:

Also I think the clock changed to 24 hour.

That sounds like Combofix. To change it back:

In Control Panel, click Date, Time, Language, and Regional Options.
Click Regional and Language Options.
Click Customize.
Click the Time tab.
Do one of the following:
Change Time format to hh:mm:ss tt

11-18-2007, 03:54 PM	#1 (permalink)
Minko New Member Join Date: May 2007 Posts: 16	Virus Win 32 Trojan-gen multiple infections - Hijack this log listed Logfile of HijackThis v1.99.1 Scan saved at 2:14:25 AM, on 19/11/2007 Platform: Windows 2000 SP2 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\ZoneLabs\vsmon.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINNT\System32\ati2evxx.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe C:\WINNT\System32\NALNTSRV.EXE C:\Program Files\Reflection\rtsserv.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\wm.exe C:\WINNT\System32\mspmspsv.exe C:\NOVELL\ZENRC\WUOLService.exe C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe C:\NOVELL\ZENRC\wuser32.exe C:\WINNT\Explorer.EXE C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINNT\System32\NWTRAY.EXE C:\WINNT\System32\Atiptaxx.exe C:\WINNT\System32\ltmsg.exe C:\Program Files\Compaq\Hotkey Software\hkss.exe C:\WINNT\System32\PRPCUI.exe C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe C:\NkvMon.exe C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe C:\Program Files\Mozilla Firefox\firefox.exe D:\hijackthis\scanner.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = www.kern.com.au O1 - Hosts: ;143.216.89.4 PIRSAF09 O1 - Hosts: 143.216.174.112 PW2R_SHP_M450 # Sharp Copier/Scanner at Waite O1 - Hosts: 143.216.89.232 PMCR_SHP_M450 # Sharp Copier/Scanner at Mt. Barker (Catchment Centre) O1 - Hosts: 143.216.188.226 pirsad04 O1 - Hosts: 143.216.188.110 pirsad07 O1 - Hosts: 143.216.188.227 rampant O1 - Hosts: 143.216.188.225 pirsaec01 PIRSAEC01-NDS XTRANET O1 - Hosts: 143.216.188.253 pirsaec03 O1 - Hosts: 143.216.175.29 cygnus O1 - Hosts: 143.216.188.139 adl0395 O1 - Hosts: 143.216.188.115 adl0247 O1 - Hosts: 143.216.180.249 argolis # New LOTS at DEHAA O1 - Hosts: 143.216.161.200 DENRLOTS O1 - Hosts: 143.216.233.3 Concept # Development Unix box at Glenside O1 - Hosts: 143.216.233.7 Concept_Prod # Production Unix box at Glenside O1 - Hosts: 143.216.234.2 GCC1 # IBM Mainframe @ glenside O1 - Hosts: 143.216.150.45 WKVB # Transport SA O1 - Hosts: 143.216.220.23 CERBERUS O1 - Hosts: 143.216.161.120 macra # SDE server - testing O1 - Hosts: 143.216.161.163 mestor # DEH Server (not in DNS) O1 - Hosts: 143.216.163.84 solos # SDE server - production O1 - Hosts: 143.216.59.13 sagemsa0001 O1 - Hosts: 143.216.59.11 sagemsbb001 O1 - Hosts: 143.216.59.10 sagemsbb004 O1 - Hosts: 143.216.59.14 sagemsbb006 O1 - Hosts: 143.216.59.21 sagemsbb007 O1 - Hosts: 143.216.59.22 sagemsbb008 O1 - Hosts: 143.216.59.17 sagemsbb010 O1 - Hosts: 143.216.59.23 sagemsg0004 O1 - Hosts: 143.216.59.26 sagemsg0005 O1 - Hosts: 143.216.59.29 sagemsg0006 O1 - Hosts: 143.216.59.30 sagemsg0007 O1 - Hosts: 143.216.59.9 sagemsg0008 O1 - Hosts: 143.216.59.8 sagemsg0009 O1 - Hosts: 143.216.59.20 sagemsg0010 sagemsa0012.sagemsmrd01.sa.gov.au O1 - Hosts: 143.216.59.18 sagemsg0011 O1 - Hosts: 143.216.59.12 sagemsg0012 O1 - Hosts: 143.216.59.28 sagemsg0013 O1 - Hosts: 143.216.59.19 sagemsg0015 O1 - Hosts: 143.216.59.27 sagemsg0016 O1 - Hosts: 143.216.59.25 sagemsg0017 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9 O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe O4 - HKLM\..\Run: [CPQAcDc] C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: NkvMon.exe.lnk = C:\NkvMon.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe O23 - Service: ICF - Unknown owner - C:\WINNT\System32\svchost.exe:exe.exe O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

11-18-2007, 10:50 PM	#2 (permalink)
ceewi1 Moderator Join Date: Dec 2005 Location: Melbourne, Australia Age: 21 Posts: 5,280	1. Please download this file - Combofix to your desktop 2. Double click ComboFix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log. Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall __________________ CPU: Core 2 Duo E6600 / MOBO: Gigabyte 965P-DS3 / GPU: Gigabyte HD4870 RAM: 2GB G.Skill F2-6400CL4D-2GBPK / HDD: 2TB Total HDD / PSU: Antec NeoPower 480W Cheap PSUs - 2% of system costs, responsible for 28% of system deaths As Sealed Stick was removed, lost or damaged, it shall be out of warranty validity. - The "Warranty void if removed" sticker on numerous CoolerMaster PSUs. Useful PSU Guides

11-19-2007, 02:36 AM	#4 (permalink)
ceewi1 Moderator Join Date: Dec 2005 Location: Melbourne, Australia Age: 21 Posts: 5,280	That should be the latest version, but you can try one of these locations: http://www.techsupportforum.com/sect...s/ComboFix.exe http://download.bleepingcomputer.com/sUBs/ComboFix.exe If that doesn't work, we'll do this another way: Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to C:\SDFix You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site. Please then reboot your computer in Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list). Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). Finally paste the contents of the Report.txt back on the forum with a new HijackThis log __________________ CPU: Core 2 Duo E6600 / MOBO: Gigabyte 965P-DS3 / GPU: Gigabyte HD4870 RAM: 2GB G.Skill F2-6400CL4D-2GBPK / HDD: 2TB Total HDD / PSU: Antec NeoPower 480W Cheap PSUs - 2% of system costs, responsible for 28% of system deaths As Sealed Stick was removed, lost or damaged, it shall be out of warranty validity. - The "Warranty void if removed" sticker on numerous CoolerMaster PSUs. Useful PSU Guides

11-19-2007, 11:42 PM	#6 (permalink)
ceewi1 Moderator Join Date: Dec 2005 Location: Melbourne, Australia Age: 21 Posts: 5,280	Excellent, SDFix has killed that infection, how are things now? It appears you were using a custom hosts file. SDFix restores hosts files to their default values, as they're often used by malware, so we'll need to put yours back. Please copy C:\SDFix\backups\HOSTS to C:\winnt\system32\drivers\etc\HOSTS, overriding the existing file. To do so: Navigate to C:\SDFix\backups Right click on HOSTS and choose Copy Navigate to C:\winnt\system32\drivers\etc\ Click on Edit -> Paste When asked whether you want to replace the existing file, answer Yes __________________ CPU: Core 2 Duo E6600 / MOBO: Gigabyte 965P-DS3 / GPU: Gigabyte HD4870 RAM: 2GB G.Skill F2-6400CL4D-2GBPK / HDD: 2TB Total HDD / PSU: Antec NeoPower 480W Cheap PSUs - 2% of system costs, responsible for 28% of system deaths As Sealed Stick was removed, lost or damaged, it shall be out of warranty validity. - The "Warranty void if removed" sticker on numerous CoolerMaster PSUs. Useful PSU Guides

11-20-2007, 05:53 AM	#8 (permalink)
ceewi1 Moderator Join Date: Dec 2005 Location: Melbourne, Australia Age: 21 Posts: 5,280	You're welcome. There are a few updates I suggest you install to help prevent future infections. Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update: Updating Java: Go to Start > Control Panel double-click on the Software icon > Add or Remove Programss. Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... ) It should have next icon next to it: Select it and click Remove. Then Download and install the newest version from here: http://www.java.com/en/download/manual.jsp I strongly suggest you update to Service Pack 4, as it contains some very important security updates. You can obtain Service Pack 4 from http://update.microsoft.com/ Once you've updated to Service Pack 4, please also download all critical updates from http://update.microsoft.com/ __________________ CPU: Core 2 Duo E6600 / MOBO: Gigabyte 965P-DS3 / GPU: Gigabyte HD4870 RAM: 2GB G.Skill F2-6400CL4D-2GBPK / HDD: 2TB Total HDD / PSU: Antec NeoPower 480W Cheap PSUs - 2% of system costs, responsible for 28% of system deaths As Sealed Stick was removed, lost or damaged, it shall be out of warranty validity. - The "Warranty void if removed" sticker on numerous CoolerMaster PSUs. Useful PSU Guides

11-19-2007, 02:27 AM	#3 (permalink)
Minko New Member Join Date: May 2007 Posts: 16	Where can I get an updated copy of COMBOFIX, the link sends me to an outdated copy which doesn't work.

11-19-2007, 11:18 AM	#5 (permalink)
Minko New Member Join Date: May 2007 Posts: 16	SDFix: Version 1.115 Run by administrator on Mon 2007-11-19 at 21:23 Microsoft Windows 2000 [Version 5.00.2195] Running From: C:\SDFix Safe Mode: Checking Services: Name: ICF Path: C:\WINNT\System32\svchost.exe:exe.exe ICF - Deleted Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting... Normal Mode: Checking Files: Trojan Files Found: C:\WINNT\SYSTEM32\HELPER.XML - Deleted C:\Temp\autorun.inf - Deleted C:\Temp\install.exe - Deleted C:\Temp\TMP4.tmp - Deleted C:\Temp\TMP5.tmp - Deleted C:\Temp.htm - Deleted C:\WINNT\system32\RunOnce1.t__ - Deleted C:\WINNT\system32\RunOnce1.tm_ - Deleted C:\WINNT\Temp\$_2341235.TMP - Deleted C:\WINNT\Temp\$b17a2e8.tmp - Deleted C:\WINNT\Temp\removalfile.bat - Deleted Removing Temp Files... ADS Check: C:\WINNT No streams found. C:\WINNT\system32 No streams found. C:\WINNT\system32\svchost.exe : ADS Found! svchost.exe: deleted 24064 bytes in 1 streams. Checking for remaining Streams C:\WINNT\system32\svchost.exe No streams found. C:\WINNT\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-19 21:31:12 Windows 5.0.2195 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Remaining Files: --------------- File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes: Sat 10 May 1980 34,816 ...H. --- "C:\~WRL0001.tmp" Sat 19 Apr 1980 132,608 ...H. --- "C:\~WRL0002.tmp" Sat 10 May 1980 19,456 ...H. --- "C:\~WRL0816.tmp" Sat 10 May 1980 31,744 ...H. --- "C:\~WRL3826.tmp" Mon 8 May 2006 249,856 A..H. --- "C:\Program Files\BabasChess\BabasCrashReport.exe" Sat 3 Feb 2001 48,640 A..H. --- "C:\Program Files\BabasChess\timeseal.exe" Wed 22 Jun 2005 45,568 A.SHR --- "C:\Program Files\Replay Converter\cygz.dll" Sat 3 Jul 2004 89,088 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL0319.tmp" Sat 3 Jul 2004 86,016 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL0534.tmp" Sat 3 Jul 2004 78,336 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL0546.tmp" Sat 10 May 1980 32,256 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL0640.tmp" Sat 10 May 1980 33,280 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL1543.tmp" Sat 3 Jul 2004 78,848 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL1927.tmp" Sat 3 Jul 2004 90,624 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL2007.tmp" Sat 10 May 1980 29,696 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL2199.tmp" Sat 10 May 1980 36,864 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL2611.tmp" Sat 10 May 1980 23,040 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL2679.tmp" Sat 3 Jul 2004 88,064 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL3347.tmp" Sat 3 Jul 2004 90,624 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL3363.tmp" Sat 10 May 1980 27,136 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL3540.tmp" Sat 3 Jul 2004 88,064 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL3632.tmp" Finished! Logfile of HijackThis v1.99.1 Scan saved at 21:41, on 2007-11-19 Platform: Windows 2000 SP2 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\ZoneLabs\vsmon.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINNT\System32\ati2evxx.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe C:\WINNT\System32\NALNTSRV.EXE C:\Program Files\Reflection\rtsserv.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\wm.exe C:\WINNT\System32\mspmspsv.exe C:\NOVELL\ZENRC\WUOLService.exe C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe C:\NOVELL\ZENRC\wuser32.exe C:\WINNT\Explorer.EXE C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe C:\WINNT\system32\notepad.exe C:\WINNT\System32\NWTRAY.EXE C:\WINNT\System32\Atiptaxx.exe C:\WINNT\System32\ltmsg.exe C:\Program Files\Compaq\Hotkey Software\hkss.exe C:\WINNT\System32\PRPCUI.exe C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe C:\NkvMon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Microsoft Office\Office\WINWORD.EXE D:\hijackthis\scanner.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = www.kern.com.au O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9 O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe O4 - HKLM\..\Run: [CPQAcDc] C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: NkvMon.exe.lnk = C:\NkvMon.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

11-20-2007, 03:13 AM	#7 (permalink)
Minko New Member Join Date: May 2007 Posts: 16	Things are well I am not getting any more virus alerts. I think the computer was a bit different after the clean up but restoring the hosts might change this. Thanks for the help it is much appreciated.

11-20-2007, 04:02 PM	#9 (permalink)
Minko New Member Join Date: May 2007 Posts: 16	I have noticed that since doing SDFix none of my files show their extensions anymore, e.g. there is no .doc, .mpg, .jpg, or .flv displayed, only the name and then in another column it says what type of file it is. How do I get this back to normal. Also I think the clock changed to 24 hour. I installed the latest version of Java, the Service Pack 4 and Microsoft updates. Thanks for the help.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Hijack This: Trojan Clicker.FMZ	Btech	Computer Security	11	05-22-2007 10:39 PM
Unknown virus or trojan HijackThis log file	A49ers2121	Computer Security	24	11-30-2006 02:56 AM
Dell Instant Win Program?	cyclones9	Laptop and Handheld Computers	5	08-26-2006 09:06 PM
downloaded a virus...afraid to restart-- hijack this log	computermaineack	Computer Security	7	05-28-2006 10:10 PM
Computer Problems - A joke	Darkomen	General Computer Chat	31	10-31-2005 06:37 PM