Virus Win 32 Trojan-gen multiple infections - Hijack this log listed

Minko

New Member
Logfile of HijackThis v1.99.1
Scan saved at 2:14:25 AM, on 19/11/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\Reflection\rtsserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\NkvMon.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.kern.com.au
O1 - Hosts: ;143.216.89.4 PIRSAF09
O1 - Hosts: 143.216.174.112 PW2R_SHP_M450 # Sharp Copier/Scanner at Waite
O1 - Hosts: 143.216.89.232 PMCR_SHP_M450 # Sharp Copier/Scanner at Mt. Barker (Catchment Centre)
O1 - Hosts: 143.216.188.226 pirsad04
O1 - Hosts: 143.216.188.110 pirsad07
O1 - Hosts: 143.216.188.227 rampant
O1 - Hosts: 143.216.188.225 pirsaec01 PIRSAEC01-NDS XTRANET
O1 - Hosts: 143.216.188.253 pirsaec03
O1 - Hosts: 143.216.175.29 cygnus
O1 - Hosts: 143.216.188.139 adl0395
O1 - Hosts: 143.216.188.115 adl0247
O1 - Hosts: 143.216.180.249 argolis # New LOTS at DEHAA
O1 - Hosts: 143.216.161.200 DENRLOTS
O1 - Hosts: 143.216.233.3 Concept # Development Unix box at Glenside
O1 - Hosts: 143.216.233.7 Concept_Prod # Production Unix box at Glenside
O1 - Hosts: 143.216.234.2 GCC1 # IBM Mainframe @ glenside
O1 - Hosts: 143.216.150.45 WKVB # Transport SA
O1 - Hosts: 143.216.220.23 CERBERUS
O1 - Hosts: 143.216.161.120 macra # SDE server - testing
O1 - Hosts: 143.216.161.163 mestor # DEH Server (not in DNS)
O1 - Hosts: 143.216.163.84 solos # SDE server - production
O1 - Hosts: 143.216.59.13 sagemsa0001
O1 - Hosts: 143.216.59.11 sagemsbb001
O1 - Hosts: 143.216.59.10 sagemsbb004
O1 - Hosts: 143.216.59.14 sagemsbb006
O1 - Hosts: 143.216.59.21 sagemsbb007
O1 - Hosts: 143.216.59.22 sagemsbb008
O1 - Hosts: 143.216.59.17 sagemsbb010
O1 - Hosts: 143.216.59.23 sagemsg0004
O1 - Hosts: 143.216.59.26 sagemsg0005
O1 - Hosts: 143.216.59.29 sagemsg0006
O1 - Hosts: 143.216.59.30 sagemsg0007
O1 - Hosts: 143.216.59.9 sagemsg0008
O1 - Hosts: 143.216.59.8 sagemsg0009
O1 - Hosts: 143.216.59.20 sagemsg0010 sagemsa0012.sagemsmrd01.sa.gov.au
O1 - Hosts: 143.216.59.18 sagemsg0011
O1 - Hosts: 143.216.59.12 sagemsg0012
O1 - Hosts: 143.216.59.28 sagemsg0013
O1 - Hosts: 143.216.59.19 sagemsg0015
O1 - Hosts: 143.216.59.27 sagemsg0016
O1 - Hosts: 143.216.59.25 sagemsg0017
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [CPQAcDc] C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\NkvMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: ICF - Unknown owner - C:\WINNT\System32\svchost.exe:exe.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
 
1. Please download this file - Combofix to your desktop
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Where can I get an updated copy of COMBOFIX? The link sends me to an outdated copy which doesn't work.
 
That should be the latest version, but you can try one of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

If that doesn't work, we'll do this another way:
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.

Please then reboot your computer in Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 
SDFix: Version 1.115

Run by administrator on Mon 2007-11-19 at 21:23

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
ICF

Path:
C:\WINNT\System32\svchost.exe:exe.exe

ICF - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINNT\SYSTEM32\HELPER.XML - Deleted
C:\Temp\autorun.inf - Deleted
C:\Temp\install.exe - Deleted
C:\Temp\TMP4.tmp - Deleted
C:\Temp\TMP5.tmp - Deleted
C:\Temp.htm - Deleted
C:\WINNT\system32\RunOnce1.t__ - Deleted
C:\WINNT\system32\RunOnce1.tm_ - Deleted
C:\WINNT\Temp\$_2341235.TMP - Deleted
C:\WINNT\Temp\$b17a2e8.tmp - Deleted
C:\WINNT\Temp\removalfile.bat - Deleted




Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
: ADS Found!

svchost.exe: deleted 24064 bytes in 1 streams.

Checking for remaining Streams

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 21:31:12
Windows 5.0.2195 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 10 May 1980 34,816 ...H. --- "C:\~WRL0001.tmp"
Sat 19 Apr 1980 132,608 ...H. --- "C:\~WRL0002.tmp"
Sat 10 May 1980 19,456 ...H. --- "C:\~WRL0816.tmp"
Sat 10 May 1980 31,744 ...H. --- "C:\~WRL3826.tmp"
Mon 8 May 2006 249,856 A..H. --- "C:\Program Files\BabasChess\BabasCrashReport.exe"
Sat 3 Feb 2001 48,640 A..H. --- "C:\Program Files\BabasChess\timeseal.exe"
Wed 22 Jun 2005 45,568 A.SHR --- "C:\Program Files\Replay Converter\cygz.dll"
Sat 3 Jul 2004 89,088 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL0319.tmp"
Sat 3 Jul 2004 86,016 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL0534.tmp"
Sat 3 Jul 2004 78,336 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL0546.tmp"
Sat 10 May 1980 32,256 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL0640.tmp"
Sat 10 May 1980 33,280 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL1543.tmp"
Sat 3 Jul 2004 78,848 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL1927.tmp"
Sat 3 Jul 2004 90,624 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL2007.tmp"
Sat 10 May 1980 29,696 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL2199.tmp"
Sat 10 May 1980 36,864 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL2611.tmp"
Sat 10 May 1980 23,040 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL2679.tmp"
Sat 3 Jul 2004 88,064 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL3347.tmp"
Sat 3 Jul 2004 90,624 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL3363.tmp"
Sat 10 May 1980 27,136 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL3540.tmp"
Sat 3 Jul 2004 88,064 ...H. --- "C:\Documents and Settings\EXECLCL\Application Data\Microsoft\Word\~WRL3632.tmp"

Finished!


Logfile of HijackThis v1.99.1
Scan saved at 21:41, on 2007-11-19
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\Reflection\rtsserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\NkvMon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
D:\hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.kern.com.au
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [CPQAcDc] C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\NkvMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pirsa.sa.gov.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
 
Excellent, SDFix has killed that infection, how are things now?

It appears you were using a custom hosts file. SDFix restores hosts files to their default values, as they're often used by malware, so we'll need to put yours back.

Please copy C:\SDFix\backups\HOSTS to C:\winnt\system32\drivers\etc\HOSTS, overriding the existing file. To do so:
  • Navigate to C:\SDFix\backups
  • Right click on HOSTS and choose Copy
  • Navigate to C:\winnt\system32\drivers\etc\
  • Click on Edit -> Paste
  • When asked whether you want to replace the existing file, answer Yes
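The entry SDFix removed above was the "ICF" service whose path was an NTFS alternate data stream (svchost.exe:exe.exe). As an added example, not code from the thread or from any of the tools it uses, this parser triages HijackThis O23 service lines for that pattern and for the "(file missing)" / "Unknown owner" markers; the sample lines are copied from the first log in the thread.

```python
import re

# Sample O23 lines taken from the first HijackThis log in this thread.
SAMPLE_LOG = """\
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe" /service (file missing)
O23 - Service: ICF - Unknown owner - C:\\WINNT\\System32\\svchost.exe:exe.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINNT\\system32\\ZoneLabs\\vsmon.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\\Program Files\\Novell\\ZENworks\\Asset Management\\bin\\CClientSvc.exe
"""

PREFIX = "O23 - Service: "

# A drive letter's colon sits at offset 1; any later colon in the file name
# addresses an NTFS alternate data stream (<file>:<stream>).
ADS_RE = re.compile(r'^[A-Za-z]:\\[^:"]+:[^\\/\s"]+')


def parse_o23(line):
    """Split one O23 line into name, owner and path.

    Service names may themselves contain ' - ' (see the ZENworks entry),
    so the line is split from the right, where owner and path are fixed.
    """
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    parts = line[len(PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    return {"name": name, "owner": owner, "path": path}


def service_findings(entry):
    """Return the list of triage findings for one parsed service entry."""
    findings = []
    path = entry["path"]
    if ADS_RE.match(path):
        findings.append("path is an NTFS alternate data stream")
    if "(file missing)" in path:
        findings.append("service binary not found at the recorded path")
    if entry["owner"] == "Unknown owner":
        findings.append("no vendor/owner recorded")
    return findings


def triage(log_text):
    """Map service name -> findings for every O23 line that raised at least one."""
    results = {}
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        findings = service_findings(entry)
        if findings:
            results[entry["name"]] = findings
    return results


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(name + ": " + "; ".join(findings))
```

Findings are leads for a human, not verdicts: the avast entries are flagged only because HijackThis could not resolve the quoted path with its /service argument, whereas the ICF entry is the stream SDFix deleted in its Safe Mode pass.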
 
Things are well I am not getting any more virus alerts.

I think the computer was a bit different after the clean up but restoring the hosts might change this.

Thanks for the help it is much appreciated.
 
You're welcome. There are a few updates I suggest you install to help prevent future infections.

Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update:
Updating Java:
  • Go to Start > Control Panel, double-click on the Software icon > Add or Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have the Java icon next to it.

    Select it and click Remove.
  • Then download and install the newest version from here:

I strongly suggest you update to Service Pack 4, as it contains some very important security updates. You can obtain Service Pack 4 from http://update.microsoft.com/

Once you've updated to Service Pack 4, please also download all critical updates from http://update.microsoft.com/
 
I have noticed that since doing SDFix none of my files show their extensions anymore, e.g. there is no .doc, .mpg, .jpg, or .flv displayed, only the name, and then in another column it says what type of file it is. How do I get this back to normal?

Also I think the clock changed to 24 hour.

I installed the latest version of Java, the Service Pack 4 and Microsoft updates.

Thanks for the help.
 
I have noticed that since doing SDFix none of my files show their extensions anymore, e.g. there is no .doc, .mpg, .jpg, or .flv displayed, only the name, and then in another column it says what type of file it is. How do I get this back to normal?
Open up My Computer (or any other folder) and click on Tools -> Folder Options -> View. Untick Hide extensions for known file types and click OK.

Also I think the clock changed to 24 hour.
That sounds like Combofix. To change it back:

In Control Panel, click Date, Time, Language, and Regional Options.
Click Regional and Language Options.
Click Customize.
Click the Time tab.
Do one of the following:
Change Time format to hh:mm:ss tt
 
Actually there is one other thing: after downloading Service Pack 4 and the Microsoft updates it seems I cannot get access to the Internet without allowing -

services and controller app (services.exe) and LSA Executable and Server DLL (Export Version) [LSASS.EXE] access to the internet.

Why is this? Is this safe?
 
It's likely that these files were originally cleared for access in your firewall, but the update to Service Pack 4 has probably updated these files as well. Most firewalls will prompt you whether you want to allow a file to access the Internet whenever that file has changed since previously being allowed access.

Both are legitimate Windows files and should be allowed access.
 