3 viruses found on my pc

The following viruses were found (and hopefully cleaned) by the F-Secure Online Scan:
JS/Banload.HDR
W32/HackSrvany.A
W32/Zapchast.PL
Does anyone know them, and how serious they are?

Which OS are you using? Is it up to date?
What avast! version and VPS file (virus database) number?
Does avast detect them too?
What was the filename and path where the virus was found?

Thank you for your answer,
I’m running XP Pro SP1
Avast did not detect any of these (neither did Prevx1)
the paths are the following
C:\DOCUMENTS AND SETTINGS\SECHAN\DESKTOP\IDEES+ZIK\SCRIPTS\RENTALS RATES_FICHIERS\A_DATA\RATES.PDF (Submitted)
C:\WINDOWS\SYSTEM32\SRVANY.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\SECHAN\LOCAL SETTINGS\TEMP\MIUNST_.EXE (Submitted)

Thanks for submitting. Hope they improve detection soon.

Why don’t you get SP2?
Which firewall do you use?

SP2 causes problems with my music software
I removed my Sygate firewall since I use a DSL router

A hardware router offers no outbound protection unless it also includes a software firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

I can’t believe… even the latest versions of this software? Which one are you using?

No… well, yes, the problem is that they are not the latest versions.
I use mainly Orion Platinum 5.5 with Kontakt and various plugins

Re your question in the other topic you have now created.

Where are you looking for the System Restore tab? (Control Panel > System, or right-click My Computer; that is how I access mine.)

We have also asked for the file name and location of these detections, that helps us to help you.

I know you’re having trouble posting so I’m going to mention several things which you should do in the order posted.

First, download and install Comodo Firewall (it’s free)

http://www.filehippo.com/download_comodo/

If you can’t download this (or the following programs) on the infected computer, download on a different one and burn them to CD.

Once installed, carefully review anything wanting an internet connection and allow only those programs you know are safe. If this interferes with your music software we will deal with that later.

Next, download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, double-click SDFix.exe and install to the default location by clicking Install. The SDFix folder will be extracted to %systemdrive%\ (the drive that contains the Windows directory, typically C:\SDFix). Open the SDFix folder in Safe Mode, then double-click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum.

Now Click here to download HJTsetup.exe

* Save HJTsetup.exe to your desktop.
* Double-click the HJTsetup.exe icon on your desktop.
* By default it will install to C:\Program Files\Hijack This.
* Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
* Put a check by Create a desktop icon, then click Next again.
* Continue to follow the rest of the prompts from there.
* At the final dialogue box click Finish and it will launch Hijack This.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
* Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
* Come back here to this thread and paste the log in your next reply.
* DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


Since you’re not currently able to post anything lengthy just attach the logs with a short, descriptive sentence. Use multiple threads if you need to.

Hi all,
here’s the SDFix report (and below it I also post the HijackThis scan report)

"Run by Sechan - Sat 05/19/2007 - 9:17:44.78

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting…

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\CMMGR32.EXE - Deleted
C:\DOCUME~1\Sechan\LOCALS~1\Temp\temp.bat - Deleted

Removing Temp Files…

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

                             Final Check:

Remaining Services:

Remaining Files:

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Documents and Settings\Sechan\NetHood\ftp.sunwoo.com\Desktop.ini

                             Finished"

And here’s the HJT report (PART 1)
"Logfile of HijackThis v1.99.1
Scan saved at 9:43:16 AM, on 5/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\resetservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\WINDOWS\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hijackthis\HijackThis.exe

And the rest of the report (PART 2)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: WebManager Class - {D5792AA9-D373-4039-8670-2CDAB6A71F15} - C:\Program Files\BitDownload\TorrentManager.dll
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\Program Files\Ahnlab\V3\V3Bar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM..\Run: [Matrox PowerDesk 8] C:\WINDOWS\System32\PowerDesk8\Matrox.PowerDesk.exe /silent
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM..\Run: [SoundMAX] “C:\Program Files\Analog Devices\SoundMAX\smax4.exe” /tray
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM..\Run: [AHNSD] “C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM..\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [PrevxOne] “C:\Program Files\Prevx1\PXConsole.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [remote dead info ref] C:\Documents and Settings\All Users\Application Data\PARTBOLDREMOTEDEAD\Maththat.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU..\Run: [flapsupport] C:\DOCUME~1\Sechan\APPLIC~1\BODYSL~1\64TIME.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra ‘Tools’ menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://vague.ahplace.com
O15 - Trusted Zone: http://*.banktown.com
O15 - Trusted Zone: http://*.finger.co.kr
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr

And finally part 3
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg4.cyworld.nate.com/ImageUpload/CyImage3.cab
O16 - DPF: {09C21411-B9A2-4DE6-8416-4E3B58577BE0} (France Telecom MDM ActiveX Control) - http://minitelweb.minitel.com/imin_data/ocx/MDM.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {43911577-D383-44BF-B4B5-571AB61F045F} (MAWS Class) - http://www.koreacontent.org/drm/CAB/MAWSInstallCommon02.cab
O16 - DPF: {4A03A83A-7CB1-47DC-B677-5EF041E6D67C} (HanaConfig Control) - http://search.hanafos.com/trend/HanaConfig.CAB
O16 - DPF: {4B48CEDD-EB09-4FD3-AA22-5BDE98EDEF90} (EZXSActiveX Control) - http://www.buykorea.org/buykorea/front/ezxssso/install/ezxsactivex.cab
O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/touch.cab
O16 - DPF: {55A371D8-5447-4BC8-AB6F-1ABA660BBC23} (CommX Client Control) - https://admin.kcp.co.kr/plugin/commx/install/kcpcommx.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179403034592
O16 - DPF: {79C871A6-F9C8-44DA-B2C9-CD9438D9642C} (EZXSInstaller Control) - http://www.buykorea.org/buykorea/front/ezxssso/install/ezxsinstaller.cab
O16 - DPF: {7C9EDEB2-A2E8-417A-85EC-FC10E9D64E1F} (StoneMakeIconCtrl Class) - http://inc-image.stoneradio.com/activex/stoneicon/StoneRadioIcon.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Published/XecureWeb/v7.0.5.0/xw_install.cab
O16 - DPF: {90227A18-E482-47B8-83F2-146CABA6ABF7} (Npwsx Control) - http://update.nprotect.net/nprotect/kb/npws/npwsx.cab
O16 - DPF: {90231C0E-765E-4429-8F70-F4E9A0F8D348} (WebCtrl Class) - http://www.mukebox.com/MukePlayer/p3aodsvr.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab8/dmcc2.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {9B1489B1-58D3-11BD-B52D-0000E839A1CB} (activeWEBnewszine.WEBnewszine) - http://www.kocca.or.kr/WEBnewszine/WEBnewszine.CAB
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040811.cab
O16 - DPF: {B33FEBDC-FF38-4D0F-9C76-58C4733947AD} (SignGATE Class) - http://download.hts.nefficient.co.kr/hts/wcom/cab/AxSignGATE.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O16 - DPF: {CF392830-663F-11D5-89EE-000086551DF6} (PS_NTSATL Class) - http://download.hts.nefficient.co.kr/hts/wcom/cab/efile_crypto.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/module/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/keb/npkcx.cab
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://www.congnamul.com/ActiveX/ASPCab/CongnamulMap4Asp_V23.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {E34B9A43-BC77-4C42-845C-04E49BADD7AA} (Skopi_ReplyFancy Control) - http://cyimg7.cyworld.nate.com/photoPrint/pSkopi_ReplyFancy_new.cab
O16 - DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} (Payplus Client Control) - https://pay.kcp.co.kr/plugin/file/payplus.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {E831AA9C-C980-4F16-B252-09AAF40D0E9B} (Kdfense9 Control) - http://kings.cachenet.com/kdfx218/kbstar/kdfense9.cab
O16 - DPF: {EC5D5118-9FDE-4A3E-84F3-C2B711740E70} (SKCommAX Control) - http://download.hts.nefficient.co.kr/hts/wcom/cab/SKCommAX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: MGAFGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgafg.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe"

Hi altar,

You seem to be running an illegal copy of Windows. Is it wise to advertise this fact on a public forum, I wonder?

You have some components at least of another AV installed, AhnLab V3 antivirus. You need to make sure you have uninstalled this program properly, or use HijackThis! to remove traces.

Search for this suspicious file and submit to VirusTotal:

64TIME.exe

http://www.virustotal.com/en/indexf.html

Enable View hidden files and folders first:

http://www.bleepingcomputer.com/tutorials/tutorial62.html

If you can’t use XP SP2, at least avoid using IE, which is totally insecure on SP1: use Firefox or Opera instead.

Yes…well… it’s unintentionally that I advertised this fact…
It’s no excuse, but I bought this pc while I was living in Korea and they all come with a preinstalled illegal copy of W, and now with all the stuff I have I feel rather stuck till I buy a new pc here in Europe.
I’ll follow your instruction, thanks.

P.S. A few questions: does anyone know what that system32\srvany.exe is? How does it relate to the W32/HackSrvany.A virus found by F-Secure, and what should I do with it? And when I check a service in the HJT report and click on "Fix checked", what’s going to happen?

system32/srvany.exe seems to be legit:

http://www.liutilities.com/products/wintaskspro/processlibrary/srvany/

What happens when you click ‘fix’ varies according to the entry. This tutorial will give you details about what HijackThis! does for each entry:

http://www.bleepingcomputer.com/tutorials/tutorial42.html

For example:

When you fix O4 entries, HijackThis will not delete the files associated with the entry. You must delete these manually afterwards, usually by having the user reboot into Safe Mode. The Global Startup and Startup entries work a little differently. HijackThis will delete the shortcuts found in these entries, but not the file they are pointing to. If an actual executable resides in the Global Startup or Startup directories then the offending file WILL be deleted.

When did you regain the ability to post in the forum again?

Have you added these entries to your trusted zone?

O15 - Trusted Zone: http://vague.ahplace.com
O15 - Trusted Zone: http://*.banktown.com
O15 - Trusted Zone: http://*.finger.co.kr
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr

Also, please look through the list of O16 entries in your HijackThis log and see if you recognize the URLs. I’ve tried to check these but much of the information is in Korean.

In addition to C:\DOCUME~1\Sechan\APPLIC~1\BODYSL~1\64TIME.exe (mentioned by FwFrank), upload this file to VirusTotal for analysis:

C:\Documents and Settings\All Users\Application Data\PARTBOLDREMOTEDEAD\Maththat.exe

Please post the Virus Total results for both files and then run a complete scan with the free version of SuperAntiSpyware

http://www.superantispyware.com/

The log it produces can also be posted.

Is there a reason you didn’t install a firewall?
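The post above does by hand what a reviewer does with every HijackThis log: read the O4 autoruns for binaries started from user-writable directories, list every O15 trusted site and every O16 ActiveX origin for the owner to recognise, and look at O20/O23 for DLLs and services that cannot be explained. The script below is an added example written for this page, not code from the thread or from the HijackThis project; it applies those same heuristics to a handful of lines copied from the log posted above. The bucket names, the directory list and the choice of heuristics are mine. Two points the comments rely on: srvany.exe is the Windows Resource Kit service wrapper that launches whatever program its service's Parameters key names, which is why scanners classify it as a hack tool and why the "Reset 5" service should be judged by the program srvany.exe starts rather than by srvany.exe itself; and "(file missing)" is a to-check list rather than a verdict, since in this log HijackThis prints it both for quoted service paths followed by arguments (the avast! scanners) and for the MySQL path cut at its first space (C:\Program.exe).

```python
import re

# Shape of a HijackThis entry line, e.g. "O4 - HKLM\..\Run: [name] C:\path\file.exe".
ENTRY_RE = re.compile(r"^(?P<code>[ORF]\d+) - (?P<body>.*)$")

# First Windows path in an entry body, cut at the first executable-looking extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|bat|scr|cmd)', re.I)

# Directories a vendor installer rarely uses for an autorun binary but malware
# often does (per-user and all-users Application Data, the per-user Temp dir),
# in both long and 8.3 short forms. Matched against lower-cased paths.
USER_WRITABLE_DIRS = (
    "\\application data\\",
    "\\applic~1\\",
    "\\local settings\\temp\\",
    "\\locals~1\\temp\\",
)

# Windows Resource Kit service wrapper: it starts whatever program the service's
# Parameters\Application value names, so the O23 line alone does not tell you
# what the service really runs.
SERVICE_WRAPPERS = ("srvany.exe",)

# Sample input: entry lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe",
    r"O4 - HKLM..\Run: [remote dead info ref] C:\Documents and Settings\All Users\Application Data\PARTBOLDREMOTEDEAD\Maththat.exe",
    r"O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe",
    r"O4 - HKCU..\Run: [flapsupport] C:\DOCUME~1\Sechan\APPLIC~1\BODYSL~1\64TIME.exe",
    r"O15 - Trusted Zone: http://vague.ahplace.com",
    r"O15 - Trusted Zone: http://*.vpay.co.kr",
    r"O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll",
    r'O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)',
    r"O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)",
    r"O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe",
]


def parse_entry(line):
    """Return (code, body) for an HJT entry line, None for any other text."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def executable_of(body):
    """Lower-cased first executable path in an entry body, or '' if none."""
    m = PATH_RE.search(body)
    return m.group(0).lower() if m else ""


def triage(lines):
    """Bucket HJT entries into the lists a reviewer should read first."""
    f = {"autorun_user_dir": [], "trusted_zone": [], "dpf_host": [],
         "service_file_missing": [], "service_wrapper": [], "winlogon_notify": []}
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        code, body = parsed
        path = executable_of(body)
        if code == "O4" and any(d in path for d in USER_WRITABLE_DIRS):
            f["autorun_user_dir"].append(path)           # autorun from a user-writable dir
        elif code == "O15":
            f["trusted_zone"].append(body.split(":", 1)[1].strip())  # every trusted site
        elif code == "O16":
            m = re.search(r"https?://([^/\s]+)", body)
            if m:
                f["dpf_host"].append(m.group(1).lower())  # origin of each ActiveX cab
        elif code == "O20":
            f["winlogon_notify"].append(path)             # DLL loaded by winlogon.exe
        elif code == "O23":
            if "(file missing)" in body:
                f["service_file_missing"].append(body)    # path HJT could not resolve
            if any(path.endswith("\\" + w) for w in SERVICE_WRAPPERS):
                f["service_wrapper"].append(body)         # inspect Parameters\Application
    return f


def triage_sample():
    """Run the triage over the sample lines; used by the demo below."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for bucket, items in triage_sample().items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Running it on the sample puts Maththat.exe and 64TIME.exe in the autorun bucket and leaves the SoundMAX and SUPERAntiSpyware autoruns alone, lists both trusted sites and the f-secure.com cab origin for the owner to confirm, and reports the "Reset 5" service as one whose real payload must be read from the registry. The two "(file missing)" services land in their own bucket precisely so they are checked rather than deleted.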

Thanks a lot for your help.
First, the folders containing these suspect files appear empty when I browse them, could the files be hidden?

“When did you regain the ability to post in the forum again?”
After following Mauserme’s instructions about SDFix etc., but I can’t be sure there’s a direct causal link or if it was just because I waited until the next morning to try posting again (but all that posting thing was very weird).
Otherwise, about the entries in the trusted zone: yes, I know them all, they are bank payment modules from when I created a small e-commerce site in Korea.

I took down my sygate firewall because it was advised by my internet provider when I installed my dsl router. The argument was that there already is an internal firewall in the router (?)
Yesterday I tried to install Comodo but there was an immediate conflict with Prevx1 (I guess) that froze my pc and I couldn’t do anything except reboot in safe mode and uninstall Comodo.

Here’s a Superantispyware scan log:
SUPERAntiSpyware Scan Log
Generated 05/19/2007 at 05:08 PM

Application Version : 3.3.1020

Core Rules Database Version : 3191
Trace Rules Database Version: 1201

Scan type : Complete Scan
Total Scan Time : 00:06:50

Memory items scanned : 489
Memory threats detected : 0
Registry items scanned : 5748
Registry threats detected : 0
File items scanned : 1674
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\Sechan\Cookies\sechan@tribalfusion[1].txt

That looks encouraging.

At some point you mentioned that the original malware was recurring. Is that still a problem or is it gone now?

And don’t forget the VirusTotal scans and a review of the O16 entries (those are all downloaded program files).

“I took down my sygate firewall because it was advised by my internet provider when I installed my dsl router. The argument was that there already is an internal firewall in the router (?) Yesterday I tried to install Comodo but there was an immediate conflict with Prevx1 (I guess) that froze my pc and I couldn’t do anything except reboot in safe mode and uninstall Comodo.”
A DSL router provides inbound protection but not outbound. If a trojan finds its way onto your computer it will have free rein as far as the router is concerned. I would find a software firewall you like to augment the router protection even if it means removing Prevx.

I just ran an F-Secure scan (after the SUPERAntiSpyware scan that found nothing), and it still finds 2 of the 3 viruses I originally had. So SDFix didn’t get rid of those. Should I install Kaspersky?
Here’s the F-Secure scan log:
Result: 3 malware found

JS/Banload.HDR (virus)
* C:\DOCUMENTS AND SETTINGS\SECHAN\DESKTOP\IDEES+ZIK\SCRIPTS\RENTALS RATES_FICHIERS\A_DATA\RATES.PDF (Submitted)

Tracking Cookie (spyware)
* System (Disinfected)

W32/HackSrvany.A (virus)
* C:\WINDOWS\SYSTEM32\SRVANY.EXE (Submitted)

Statistics
Scanned:
* Files: 45519
* System: 5344
* Not scanned: 3
Actions:
* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 2
* Submitted: 2
Files not scanned:
* C:\PAGEFILE.SYS
* C:\WINDOWS\TEMP\IB2
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT