Author Topic: 3 viruses found on my pc (Read 18543 times)

altar · « **on:** May 15, 2007, 07:34:17 PM »

The following viruses were found (and hopefully cleaned) by the F-Secure Online Scan:
JS/Banload.HDR
W32/HackSrvany.A
W32/Zapchast.PL
Does anyone know them, and how serious they are?

Lisandro · « **Reply #1 on:** May 15, 2007, 09:00:23 PM »

Which OS are you using? Is it up to date?
What avast! version and VPS file (virus database) number?
Does avast detect them too?
What was the filename and path where the virus was found?

altar · « **Reply #2 on:** May 15, 2007, 10:27:24 PM »

Thank you for your answer,
I'm running xp pro sp1
Avast did not detect any of these (neither did Prevx1)
the paths are the following
C:\DOCUMENTS AND SETTINGS\SECHAN\DESKTOP\IDEES+ZIK\SCRIPTS\RENTALS RATES_FICHIERS\A_DATA\RATES.PDF (Submitted)
C:\WINDOWS\SYSTEM32\SRVANY.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\SECHAN\LOCAL SETTINGS\TEMP\MIUNST_.EXE (Submitted)

Lisandro · « **Reply #3 on:** May 15, 2007, 11:07:14 PM »

Thanks for submitting. Hope they improve detection soon.

Quote from: altar on May 15, 2007, 10:27:24 PM

I'm running xp pro sp1

Why don't you get SP2?
Which firewall do you use?

altar · « **Reply #4 on:** May 15, 2007, 11:09:54 PM »

sp2 makes problems with my music software
I removed my Sygate firewall since I use a dsl router

DavidR · « **Reply #5 on:** May 15, 2007, 11:34:38 PM »

A hardware router offers no outbound protection unless it also includes a software firewall.

Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Lisandro · « **Reply #6 on:** May 15, 2007, 11:47:55 PM »

Quote from: altar on May 15, 2007, 11:09:54 PM

sp2 makes problems with my music software

I can't believe... even the last versions of this software? Which one are you using?

altar · « **Reply #7 on:** May 15, 2007, 11:57:45 PM »

no yes the pb is that they are not the latest versions
I use mainly Orion Platinum 5.5 with Kontakt and various plugins

DavidR · « **Reply #8 on:** May 16, 2007, 06:40:15 PM »

Re your question in the other topic you have now created.

Quote from: altar on May 16, 2007, 05:21:28 PM

(Sorry I can't seem to reply in the original post)
I reran an F-Secure online scan today twice and the viruses are still there.
JS/Banload.HDR
W32/HackSrvany.A
W32/Zapchast.PL
Another weird thing is that I cannot see the system restore tab even though I am the only admin on my pc, how's that possible? And why can't I get rid of these viruses?

Where are you looking for the system restore tab (Control Panel, System or right click My Computer, that is how I access mine).

We have also asked for the file name and location of these detections, that helps us to help you.

mauserme · « **Reply #9 on:** May 17, 2007, 02:56:49 AM »

I know you're having trouble posting so I'm going to mention several things which you should do in the order posted.

First, download and install Comodo Firewall (its free)

http://www.filehippo.com/download_comodo/

If you can't download this (or the following programs) on the infected computer download on a diiferent one and burn them to CD.

Once installed carefully review anything wanting an internet connection and allow only those programs you know are safe. If this interferes with your music soft we will dela with that later.

Next, download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically 'C:\SDFix') Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum.

Now Click here to download HJTsetup.exe

Save HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

.

Since you're not currently able to post anything lengthy just attach the logs with a short, descriptive sentence. Use multiple threads if you need to.

altar · « **Reply #10 on:** May 19, 2007, 09:48:28 AM »

Hi all,
here's the SDFix report (and below it I also post the HijackThis scan report)
"Run by Sechan - Sat 05/19/2007 - 9:17:44.78

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\CMMGR32.EXE - Deleted
C:\DOCUME~1\Sechan\LOCALS~1\Temp\temp.bat - Deleted

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Final Check:

Remaining Services:
------------------

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Documents and Settings\Sechan\NetHood\ftp.sunwoo.com\Desktop.ini

Finished"

And here's the HJT report (PART 1)
"Logfile of HijackThis v1.99.1
Scan saved at 9:43:16 AM, on 5/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\resetservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\WINDOWS\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hijackthis\HijackThis.exe

altar · « **Reply #11 on:** May 19, 2007, 09:49:49 AM »

And the rest of the report (PART 2)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: WebManager Class - {D5792AA9-D373-4039-8670-2CDAB6A71F15} - C:\Program Files\BitDownload\TorrentManager.dll
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\Program Files\Ahnlab\V3\V3Bar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\System32\PowerDesk8\Matrox.PowerDesk.exe /silent
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [remote dead info ref] C:\Documents and Settings\All Users\Application Data\PARTBOLDREMOTEDEAD\Maththat.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [flapsupport] C:\DOCUME~1\Sechan\APPLIC~1\BODYSL~1\64TIME.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://vague.ahplace.com
O15 - Trusted Zone: http://*.banktown.com
O15 - Trusted Zone: http://*.finger.co.kr
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr

altar · « **Reply #12 on:** May 19, 2007, 09:50:22 AM »

And finally part 3
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg4.cyworld.nate.com/ImageUpload/CyImage3.cab
O16 - DPF: {09C21411-B9A2-4DE6-8416-4E3B58577BE0} (France Telecom MDM ActiveX Control) - http://minitelweb.minitel.com/imin_data/ocx/MDM.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {43911577-D383-44BF-B4B5-571AB61F045F} (MAWS Class) - http://www.koreacontent.org/drm/CAB/MAWSInstallCommon02.cab
O16 - DPF: {4A03A83A-7CB1-47DC-B677-5EF041E6D67C} (HanaConfig Control) - http://search.hanafos.com/trend/HanaConfig.CAB
O16 - DPF: {4B48CEDD-EB09-4FD3-AA22-5BDE98EDEF90} (EZXSActiveX Control) - http://www.buykorea.org/buykorea/front/ezxssso/install/ezxsactivex.cab
O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/touch.cab
O16 - DPF: {55A371D8-5447-4BC8-AB6F-1ABA660BBC23} (CommX Client Control) - https://admin.kcp.co.kr/plugin/commx/install/kcpcommx.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179403034592
O16 - DPF: {79C871A6-F9C8-44DA-B2C9-CD9438D9642C} (EZXSInstaller Control) - http://www.buykorea.org/buykorea/front/ezxssso/install/ezxsinstaller.cab
O16 - DPF: {7C9EDEB2-A2E8-417A-85EC-FC10E9D64E1F} (StoneMakeIconCtrl Class) - http://inc-image.stoneradio.com/activex/stoneicon/StoneRadioIcon.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Published/XecureWeb/v7.0.5.0/xw_install.cab
O16 - DPF: {90227A18-E482-47B8-83F2-146CABA6ABF7} (Npwsx Control) - http://update.nprotect.net/nprotect/kb/npws/npwsx.cab
O16 - DPF: {90231C0E-765E-4429-8F70-F4E9A0F8D348} (WebCtrl Class) - http://www.mukebox.com/MukePlayer/p3aodsvr.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab8/dmcc2.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {9B1489B1-58D3-11BD-B52D-0000E839A1CB} (activeWEBnewszine.WEBnewszine) - http://www.kocca.or.kr/WEBnewszine/WEBnewszine.CAB
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040811.cab
O16 - DPF: {B33FEBDC-FF38-4D0F-9C76-58C4733947AD} (SignGATE Class) - http://download.hts.nefficient.co.kr/hts/wcom/cab/AxSignGATE.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O16 - DPF: {CF392830-663F-11D5-89EE-000086551DF6} (PS_NTSATL Class) - http://download.hts.nefficient.co.kr/hts/wcom/cab/efile_crypto.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/module/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/keb/npkcx.cab
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://www.congnamul.com/ActiveX/ASPCab/CongnamulMap4Asp_V23.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {E34B9A43-BC77-4C42-845C-04E49BADD7AA} (Skopi_ReplyFancy Control) - http://cyimg7.cyworld.nate.com/photoPrint/pSkopi_ReplyFancy_new.cab
O16 - DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} (Payplus Client Control) - https://pay.kcp.co.kr/plugin/file/payplus.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {E831AA9C-C980-4F16-B252-09AAF40D0E9B} (Kdfense9 Control) - http://kings.cachenet.com/kdfx218/kbstar/kdfense9.cab
O16 - DPF: {EC5D5118-9FDE-4A3E-84F3-C2B711740E70} (SKCommAX Control) - http://download.hts.nefficient.co.kr/hts/wcom/cab/SKCommAX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: MGAFGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgafg.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe"

FreewheelinFrank · « **Reply #13 on:** May 19, 2007, 10:28:25 AM »

Hi altar,

You seem to be running an illegal copy of Windows. Is it wise to advertise this fact on a public forum, I wonder?

You have some components at least of another AV installed, AhnLab V3 antivirus. You need to make sure you have uninstalled this program properly, or use HijackThis! to remove traces.

Search for this suspicious file and submit to VirusTotal:

64TIME.exe

http://www.virustotal.com/en/indexf.html

Enable View hidden files and folders first:

http://www.bleepingcomputer.com/tutorials/tutorial62.html

If you can't use XP SP2, at least avoid using IE, which is totally insecure on SP1: use Firefox or Opera instead.

altar · « **Reply #14 on:** May 19, 2007, 10:36:39 AM »

Yes...well.. it's unintentionally that I advertised this fact.....
It's no excuse, but I bought this pc while I was living in Korea and they all come with a preinstalled illegal copy of W, and now with all the stuff I have I feel rather stuck till I buy a new pc here in Europe.
I'll follow your instruction, thanks.

P.S. a few questions: does anyone know what that system32/srvany.exe is? How does it relate to the W32/HackSrvany.A virus found by F-Secure and what should I do with it? And when I check a service in the HJT report and click on "fix checked"what's going to happen?

Author Topic: 3 viruses found on my pc (Read 18543 times)

altar

3 viruses found on my pc

Lisandro

Re: 3 viruses found on my pc

altar

Re: 3 viruses found on my pc

Lisandro

Re: 3 viruses found on my pc

altar

Re: 3 viruses found on my pc

DavidR

Re: 3 viruses found on my pc

Lisandro

Re: 3 viruses found on my pc

altar

Re: 3 viruses found on my pc

DavidR

Re: 3 viruses found on my pc

mauserme

Re: 3 viruses found on my pc

altar

Re: 3 viruses found on my pc

altar

Re: 3 viruses found on my pc

altar

Re: 3 viruses found on my pc

FreewheelinFrank

Re: 3 viruses found on my pc

altar

Re: 3 viruses found on my pc