I-explorer errors, pop-ups, trojans Hi-Jack this log listed

Minko

New Member
Hi,

I was wondering if someone could help me with my problem. My computer frequently tries to access the internet automatically. It does this in various ways, sometimes through internet explorer via pop up window. When it is by pop up window I know it is MALWARE - some type of antivirus ad. It also downloads viruses. I have installed zone-alarm to try and stop this. It has helped to some extent. I have also done the Anti-Spyware and Spybot SD checks and have Avast installed.

I still can't get rid of the problem. I also think this may be affecting other internet functions such as viewing youtube videos but perhaps not.

Also I have had numerous viruses and spyware detected and removed including - bravesentry.

Every time I start my computer it says something like - ieupdater.exe has generated errors and must be restarted. Also whenever I set internet explorer to block all cookies, the next time I open it it accepts ALL COOKIES! I no longer use internet explorer, only mozilla.

Here is my Hi-Jack this log:

Logfile of HijackThis v1.99.1
Scan saved at 3:32:09 PM, on 19/05/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\Reflection\rtsserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\NkvMon.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.kern.com.au
O1 - Hosts: ;143.216.89.4 PIRSAF09
O1 - Hosts: 143.216.174.112 PW2R_SHP_M450 # Sharp Copier/Scanner at Waite
O1 - Hosts: 143.216.89.232 PMCR_SHP_M450 # Sharp Copier/Scanner at Mt. Barker (Catchment Centre)
O1 - Hosts: 143.216.188.226 pirsad04
O1 - Hosts: 143.216.188.110 pirsad07
O1 - Hosts: 143.216.188.227 rampant
O1 - Hosts: 143.216.188.225 pirsaec01 PIRSAEC01-NDS XTRANET
O1 - Hosts: 143.216.188.253 pirsaec03
O1 - Hosts: 143.216.175.29 cygnus
O1 - Hosts: 143.216.188.139 adl0395
O1 - Hosts: 143.216.188.115 adl0247
O1 - Hosts: 143.216.180.249 argolis # New LOTS at DEHAA
O1 - Hosts: 143.216.161.200 DENRLOTS
O1 - Hosts: 143.216.233.3 Concept # Development Unix box at Glenside
O1 - Hosts: 143.216.233.7 Concept_Prod # Production Unix box at Glenside
O1 - Hosts: 143.216.234.2 GCC1 # IBM Mainframe @ glenside
O1 - Hosts: 143.216.150.45 WKVB # Transport SA
O1 - Hosts: 143.216.220.23 CERBERUS
O1 - Hosts: 143.216.161.120 macra # SDE server - testing
O1 - Hosts: 143.216.161.163 mestor # DEH Server (not in DNS)
O1 - Hosts: 143.216.163.84 solos # SDE server - production
O1 - Hosts: 143.216.59.13 sagemsa0001
O1 - Hosts: 143.216.59.11 sagemsbb001
O1 - Hosts: 143.216.59.10 sagemsbb004
O1 - Hosts: 143.216.59.14 sagemsbb006
O1 - Hosts: 143.216.59.21 sagemsbb007
O1 - Hosts: 143.216.59.22 sagemsbb008
O1 - Hosts: 143.216.59.17 sagemsbb010
O1 - Hosts: 143.216.59.23 sagemsg0004
O1 - Hosts: 143.216.59.26 sagemsg0005
O1 - Hosts: 143.216.59.29 sagemsg0006
O1 - Hosts: 143.216.59.30 sagemsg0007
O1 - Hosts: 143.216.59.9 sagemsg0008
O1 - Hosts: 143.216.59.8 sagemsg0009
O1 - Hosts: 143.216.59.20 sagemsg0010 sagemsa0012.sagemsmrd01.sa.gov.au
O1 - Hosts: 143.216.59.18 sagemsg0011
O1 - Hosts: 143.216.59.12 sagemsg0012
O1 - Hosts: 143.216.59.28 sagemsg0013
O1 - Hosts: 143.216.59.19 sagemsg0015
O1 - Hosts: 143.216.59.27 sagemsg0016
O1 - Hosts: 143.216.59.25 sagemsg0017
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [CPQAcDc] C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\System32\xmmihqle.dll",realset
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\NkvMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: MSIEUpdater_1 (Microsoft IE Updater_1) - Unknown owner - C:\Documents and Settings\Administrator\ie_updater1.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

What should I do?

Thank you in anticipation of your help.
 
O.K here is the new log

Logfile of HijackThis v1.99.1
Scan saved at 5:20:03 PM, on 19/05/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\Reflection\rtsserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\NkvMon.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
D:\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.kern.com.au
O1 - Hosts: ;143.216.89.4 PIRSAF09
O1 - Hosts: 143.216.174.112 PW2R_SHP_M450 # Sharp Copier/Scanner at Waite
O1 - Hosts: 143.216.89.232 PMCR_SHP_M450 # Sharp Copier/Scanner at Mt. Barker (Catchment Centre)
O1 - Hosts: 143.216.188.226 pirsad04
O1 - Hosts: 143.216.188.110 pirsad07
O1 - Hosts: 143.216.188.227 rampant
O1 - Hosts: 143.216.188.225 pirsaec01 PIRSAEC01-NDS XTRANET
O1 - Hosts: 143.216.188.253 pirsaec03
O1 - Hosts: 143.216.175.29 cygnus
O1 - Hosts: 143.216.188.139 adl0395
O1 - Hosts: 143.216.188.115 adl0247
O1 - Hosts: 143.216.180.249 argolis # New LOTS at DEHAA
O1 - Hosts: 143.216.161.200 DENRLOTS
O1 - Hosts: 143.216.233.3 Concept # Development Unix box at Glenside
O1 - Hosts: 143.216.233.7 Concept_Prod # Production Unix box at Glenside
O1 - Hosts: 143.216.234.2 GCC1 # IBM Mainframe @ glenside
O1 - Hosts: 143.216.150.45 WKVB # Transport SA
O1 - Hosts: 143.216.220.23 CERBERUS
O1 - Hosts: 143.216.161.120 macra # SDE server - testing
O1 - Hosts: 143.216.161.163 mestor # DEH Server (not in DNS)
O1 - Hosts: 143.216.163.84 solos # SDE server - production
O1 - Hosts: 143.216.59.13 sagemsa0001
O1 - Hosts: 143.216.59.11 sagemsbb001
O1 - Hosts: 143.216.59.10 sagemsbb004
O1 - Hosts: 143.216.59.14 sagemsbb006
O1 - Hosts: 143.216.59.21 sagemsbb007
O1 - Hosts: 143.216.59.22 sagemsbb008
O1 - Hosts: 143.216.59.17 sagemsbb010
O1 - Hosts: 143.216.59.23 sagemsg0004
O1 - Hosts: 143.216.59.26 sagemsg0005
O1 - Hosts: 143.216.59.29 sagemsg0006
O1 - Hosts: 143.216.59.30 sagemsg0007
O1 - Hosts: 143.216.59.9 sagemsg0008
O1 - Hosts: 143.216.59.8 sagemsg0009
O1 - Hosts: 143.216.59.20 sagemsg0010 sagemsa0012.sagemsmrd01.sa.gov.au
O1 - Hosts: 143.216.59.18 sagemsg0011
O1 - Hosts: 143.216.59.12 sagemsg0012
O1 - Hosts: 143.216.59.28 sagemsg0013
O1 - Hosts: 143.216.59.19 sagemsg0015
O1 - Hosts: 143.216.59.27 sagemsg0016
O1 - Hosts: 143.216.59.25 sagemsg0017
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINNT\System32\iifghij.dll (file missing)
O2 - BHO: (no name) - {33161E98-0A6C-4d3c-BD62-3A7D56137F52} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {D5F9775B-F40C-4333-A8E2-4830F08C9089} - C:\WINNT\System32\khfda.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINNT\System32\jydluaon.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [CPQAcDc] C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\System32\xmmihqle.dll",realset
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\NkvMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifghij - iifghij.dll (file missing)
O20 - Winlogon Notify: khfda - C:\WINNT\System32\khfda.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: MSIEUpdater_1 (Microsoft IE Updater_1) - Unknown owner - C:\Documents and Settings\Administrator\ie_updater1.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
 
Download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing has been found, right-click the list box (white box) in the main VundoFix window.
  • Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
  • In the window, copy and paste the following into the first field: C:\WINNT\System32\khfda.dll
  • Copy and paste the following into the second field: C:\WINNT\System32\adfhk.*
  • Click the “Add Files” button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
 
Vundo fix, new h-jack log

I don't have C:/vundofix.txt

The program did not run totally smoothly, firstly I opened it and did - scan for vundo. This was the only option.

It found the files you mentioned. I then did REMOVE VUNDO

It then said - Cannot import C:/VundoFix.reg: Error opening the file. There may be a disk or file system error.

I was then prompted to shut down which I did.

After start up - Under C:/VundoFixBackups are listed the following files:

adfhk.bak1.bad
adfhk.bak2.bad
adfhk.ini.bad
adfhk.ini2.bad
elqhimmx.nini.bad
jydluaon.dll.bad
khfda.dll.bad
xmmihqle.dll.bad

Here is the new Hi-Jack this log:

Logfile of HijackThis v1.99.1
Scan saved at 6:33:28 PM, on 19/05/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\Reflection\rtsserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\NkvMon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.kern.com.au
O1 - Hosts: ;143.216.89.4 PIRSAF09
O1 - Hosts: 143.216.174.112 PW2R_SHP_M450 # Sharp Copier/Scanner at Waite
O1 - Hosts: 143.216.89.232 PMCR_SHP_M450 # Sharp Copier/Scanner at Mt. Barker (Catchment Centre)
O1 - Hosts: 143.216.188.226 pirsad04
O1 - Hosts: 143.216.188.110 pirsad07
O1 - Hosts: 143.216.188.227 rampant
O1 - Hosts: 143.216.188.225 pirsaec01 PIRSAEC01-NDS XTRANET
O1 - Hosts: 143.216.188.253 pirsaec03
O1 - Hosts: 143.216.175.29 cygnus
O1 - Hosts: 143.216.188.139 adl0395
O1 - Hosts: 143.216.188.115 adl0247
O1 - Hosts: 143.216.180.249 argolis # New LOTS at DEHAA
O1 - Hosts: 143.216.161.200 DENRLOTS
O1 - Hosts: 143.216.233.3 Concept # Development Unix box at Glenside
O1 - Hosts: 143.216.233.7 Concept_Prod # Production Unix box at Glenside
O1 - Hosts: 143.216.234.2 GCC1 # IBM Mainframe @ glenside
O1 - Hosts: 143.216.150.45 WKVB # Transport SA
O1 - Hosts: 143.216.220.23 CERBERUS
O1 - Hosts: 143.216.161.120 macra # SDE server - testing
O1 - Hosts: 143.216.161.163 mestor # DEH Server (not in DNS)
O1 - Hosts: 143.216.163.84 solos # SDE server - production
O1 - Hosts: 143.216.59.13 sagemsa0001
O1 - Hosts: 143.216.59.11 sagemsbb001
O1 - Hosts: 143.216.59.10 sagemsbb004
O1 - Hosts: 143.216.59.14 sagemsbb006
O1 - Hosts: 143.216.59.21 sagemsbb007
O1 - Hosts: 143.216.59.22 sagemsbb008
O1 - Hosts: 143.216.59.17 sagemsbb010
O1 - Hosts: 143.216.59.23 sagemsg0004
O1 - Hosts: 143.216.59.26 sagemsg0005
O1 - Hosts: 143.216.59.29 sagemsg0006
O1 - Hosts: 143.216.59.30 sagemsg0007
O1 - Hosts: 143.216.59.9 sagemsg0008
O1 - Hosts: 143.216.59.8 sagemsg0009
O1 - Hosts: 143.216.59.20 sagemsg0010 sagemsa0012.sagemsmrd01.sa.gov.au
O1 - Hosts: 143.216.59.18 sagemsg0011
O1 - Hosts: 143.216.59.12 sagemsg0012
O1 - Hosts: 143.216.59.28 sagemsg0013
O1 - Hosts: 143.216.59.19 sagemsg0015
O1 - Hosts: 143.216.59.27 sagemsg0016
O1 - Hosts: 143.216.59.25 sagemsg0017
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {33161E98-0A6C-4d3c-BD62-3A7D56137F52} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {609F1E7E-1838-4724-8D83-AAC7A7375DE8} - C:\WINNT\System32\khfda.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [CPQAcDc] C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\System32\xmmihqle.dll",realset
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\NkvMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifghij - iifghij.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: MSIEUpdater_1 (Microsoft IE Updater_1) - Unknown owner - C:\Documents and Settings\Administrator\ie_updater1.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe


Thanks for your help so far, what should I do next?
 
Looks promising :)

Hit Start >Run, type services.msc.
Scroll down until you find the service MSIEUpdater_1, and double-click on it.
Hit "Stop" and change the "Startup Type" to "Disabled".
Hit "Apply", then "Ok".

Then run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type Microsoft IE Updater_1 and press OK. OK any prompts, close HijackThis.

Run Hijackthis and select "Do a system scan only", place a check by the following entries.

O2 - BHO: (no name) - {33161E98-0A6C-4d3c-BD62-3A7D56137F52} - (no file)
O2 - BHO: (no name) - {609F1E7E-1838-4724-8D83-AAC7A7375DE8} - C:\WINNT\System32\khfda.dll (file missing)
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\System32\xmmihqle.dll",realset
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - Winlogon Notify: iifghij - iifghij.dll (file missing)
O23 - Service: MSIEUpdater_1 (Microsoft IE Updater_1) - Unknown owner - C:\Documents and Settings\Administrator\ie_updater1.exe


Close all open windows and browsers, and hit "Fix Checked".

Delete these files.

C:\WINNT\web\related.htm
C:\Documents and Settings\Administrator\ie_updater1.exe

Then restart the computer and post a new Hijackthis log, and say how things are now.
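
For readers triaging a similar log, here is an added example (not part of the helper's post and not a HijackThis feature) that parses HijackThis 1.99.1 output and flags the kinds of O2, O4, O20 and O23 entries selected above. The rules and function names are assumptions made for illustration, the sample lines are copied from the 6:33:28 PM log in this thread, and the O9 entries the helper also selected are not covered by any rule here.

```python
import re

# Sample input: a subset of lines copied from the 6:33:28 PM log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\services.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {33161E98-0A6C-4d3c-BD62-3A7D56137F52} - (no file)
O2 - BHO: (no name) - {609F1E7E-1838-4724-8D83-AAC7A7375DE8} - C:\WINNT\System32\khfda.dll (file missing)
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\System32\xmmihqle.dll",realset
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifghij - iifghij.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: MSIEUpdater_1 (Microsoft IE Updater_1) - Unknown owner - C:\Documents and Settings\Administrator\ie_updater1.exe
"""

ENTRY_RE = re.compile(r"^([ORF]\d+) - (.*)$")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$")


def parse_log(text):
    """Return (lower-cased running-process paths, [(section, body), ...])."""
    processes, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False
            entries.append((match.group(1), match.group(2)))
        elif in_procs and line:
            processes.add(line.lower())
    return processes, entries


def service_path(body):
    """Image path of an O23 entry, without arguments or the status suffix."""
    path = MISSING_RE.sub("", body.rsplit(" - ", 1)[-1]).strip()
    # In this thread's logs some service paths carry a stray quote followed by
    # arguments (ashMaiSv.exe" /service); keep only the part before the quote.
    if path.startswith('"'):
        path = path[1:]
    return path.split('"')[0].strip()


def triage(text):
    """Flag entries for manual review; every rule is an illustrative heuristic."""
    processes, entries = parse_log(text)
    findings = []
    for section, body in entries:
        missing = bool(MISSING_RE.search(body))
        if section in ("O2", "O20") and missing:
            # BHO or Winlogon Notify registration whose file no longer exists.
            findings.append((section, "registration points at a missing file", body))
        elif section == "O4" and re.search(r"\]\s*rundll32(\.exe)?\s", body, re.I):
            findings.append((section, "autostart loads a DLL through rundll32", body))
        elif section == "O23":
            path = service_path(body).lower()
            if "unknown owner" in body.lower() and "\\documents and settings\\" in path:
                findings.append((section, "unsigned service runs from a user profile", body))
            elif missing and path not in processes:
                # A "(file missing)" service whose binary is in the process list
                # (the avast! scanners here) is a path-parsing artifact: skipped.
                findings.append((section, "service binary is missing", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {body}")
```

A flag from this script means "look at this entry", not "remove it"; the decision still rests on checking each file and CLSID.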
 
I fix checked those files in hi-jack this - 1 was missing 023 - maybe because it was already deleted.

My computer is still opening internet pages while I am on the net. I think I may still have the virus - systemdoctor.

I can cause the cookies in internet explorer to stay on block all cookies and I no longer get the i explorer updater.exe error messages.

Here is my latest hi-jack log.

Logfile of HijackThis v1.99.1
Scan saved at 9:42:51 PM, on 19/05/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\Reflection\rtsserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\NkvMon.exe
D:\hijackthis\scanner.exe
C:\WINNT\System32\ZoneLabs\UpdClient.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.kern.com.au
O1 - Hosts: ;143.216.89.4 PIRSAF09
O1 - Hosts: 143.216.174.112 PW2R_SHP_M450 # Sharp Copier/Scanner at Waite
O1 - Hosts: 143.216.89.232 PMCR_SHP_M450 # Sharp Copier/Scanner at Mt. Barker (Catchment Centre)
O1 - Hosts: 143.216.188.226 pirsad04
O1 - Hosts: 143.216.188.110 pirsad07
O1 - Hosts: 143.216.188.227 rampant
O1 - Hosts: 143.216.188.225 pirsaec01 PIRSAEC01-NDS XTRANET
O1 - Hosts: 143.216.188.253 pirsaec03
O1 - Hosts: 143.216.175.29 cygnus
O1 - Hosts: 143.216.188.139 adl0395
O1 - Hosts: 143.216.188.115 adl0247
O1 - Hosts: 143.216.180.249 argolis # New LOTS at DEHAA
O1 - Hosts: 143.216.161.200 DENRLOTS
O1 - Hosts: 143.216.233.3 Concept # Development Unix box at Glenside
O1 - Hosts: 143.216.233.7 Concept_Prod # Production Unix box at Glenside
O1 - Hosts: 143.216.234.2 GCC1 # IBM Mainframe @ glenside
O1 - Hosts: 143.216.150.45 WKVB # Transport SA
O1 - Hosts: 143.216.220.23 CERBERUS
O1 - Hosts: 143.216.161.120 macra # SDE server - testing
O1 - Hosts: 143.216.161.163 mestor # DEH Server (not in DNS)
O1 - Hosts: 143.216.163.84 solos # SDE server - production
O1 - Hosts: 143.216.59.13 sagemsa0001
O1 - Hosts: 143.216.59.11 sagemsbb001
O1 - Hosts: 143.216.59.10 sagemsbb004
O1 - Hosts: 143.216.59.14 sagemsbb006
O1 - Hosts: 143.216.59.21 sagemsbb007
O1 - Hosts: 143.216.59.22 sagemsbb008
O1 - Hosts: 143.216.59.17 sagemsbb010
O1 - Hosts: 143.216.59.23 sagemsg0004
O1 - Hosts: 143.216.59.26 sagemsg0005
O1 - Hosts: 143.216.59.29 sagemsg0006
O1 - Hosts: 143.216.59.30 sagemsg0007
O1 - Hosts: 143.216.59.9 sagemsg0008
O1 - Hosts: 143.216.59.8 sagemsg0009
O1 - Hosts: 143.216.59.20 sagemsg0010 sagemsa0012.sagemsmrd01.sa.gov.au
O1 - Hosts: 143.216.59.18 sagemsg0011
O1 - Hosts: 143.216.59.12 sagemsg0012
O1 - Hosts: 143.216.59.28 sagemsg0013
O1 - Hosts: 143.216.59.19 sagemsg0015
O1 - Hosts: 143.216.59.27 sagemsg0016
O1 - Hosts: 143.216.59.25 sagemsg0017
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [CPQAcDc] C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\NkvMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

What should I do now?

I will run some virus scans after this post.
 
Oh yeah I forgot to say that I also deleted the following files:

C:\WINNT\web\related.htm
C:\Documents and Settings\Administrator\ie_
 
Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
 
I should mention that when I go online, Zone Alarm comes up with numerous alerts that it has blocked internet access to mygateway1.ar7 from my computer.

Here is the SmitFraudFix report.

SmitFraudFix v2.183

Scan done at 16:11:42.23, Sun 20/05/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\Reflection\rtsserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\NkvMon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINNT\System32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO Adapter
DNS Server Search Order: 143.216.188.203
DNS Server Search Order: 143.216.236.20

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8334F39B-9280-49B5-9D76-65D297DB8A16}: DhcpNameServer=143.216.188.203 143.216.236.20
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8334F39B-9280-49B5-9D76-65D297DB8A16}: DhcpNameServer=143.216.188.203 143.216.236.20
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8334F39B-9280-49B5-9D76-65D297DB8A16}: DhcpNameServer=143.216.188.203 143.216.236.20
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C591BCD8-A092-486F-8CB0-67134BBB9192}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Here is the AVG report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:18:02 PM 20/05/2007

+ Scan result:



C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\F183N9QG\bho[1] -> Adware.BHO : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\H3GFO2BG\is67347[1] -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\syst.exe -> Worm.Zhelatin.cc : Cleaned with backup (quarantined).


::Report end


Is it safe for me to be running so many anti-spyware programs? I don't know if my computer can handle it that well, as it is a few years old and runs on Windows 2000.

I have not had any pop-ups from systemdoctor for a while, I think that may have been fixed, I was just concerned as it seemed to leak into a lot of places.

Is it OK to allow Compaq DMI web management service access to the trusted zone? What is the trusted zone?

As for my last post, Zone Alarm is automatically stopping those connections, I don't have the option to allow it. Also I don't know if I use D-link.

Thanks for your help, it is much appreciated.
 