In Windows XP, if c:\windows\system32\sfc.dll goes missing a copy will immediately be retrieved from c:\windows\system32\dllcache\. I believe Windows 2000 will do the same but I do not have a Windows 2000 computer to test this on. So, put a known clean, known compatable copy of sfc.dll in C:\WINNT\system32\dllcache\ and then rename C:\WINNT\system32\sfc.dll to C:\WINNT\system32\sfc.old. If my theory is correct you will now find a clean sfc.dll in the same directory (probably at the bottom of the list); if not you will have to copy it there after the rename.
We are doing this because I would now like you to run ComboFix and SDFix on the infected machine(s), and post both logs. My concern is that if C:\WINNT\system32\sfc.dll gets re-infected before these programs are run, then deletion by either of these programs without having a clean replacement could give you boot problems. Ideally this deletion
will occur and Windows will automatically replace the deleted file with the clean one you put in the dll cache. But check manually before the reboot.
Here's a link and directions for SDFix:
Download
SDFix and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically 'C:\SDFix') Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
Also, keep in mind that the computers must be isolated, clean from infected, in order to prevent reinfection.
EDIT: Corrected some file paths.
