| Thread ID: 101927 | 2009-08-01 00:23:00 | Win32:SysPatch(wrm) Help | cowboy stu (7021) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 797016 | 2009-08-01 00:23:00 | Has anyone got a quick fix to get rid of this alert? Is it a problem? XP SP3, Avast. |
cowboy stu (7021) | ||
| 797017 | 2009-08-01 01:35:00 | Disable SR. Right click My Computer > Properties > System Restore tab > tick "disable SR on all drives".
Download HijackThis and post a log here: www.trendsecure.com
Then download MBAM and run a full scan: www.malwarebytes.org
Also, this might help you remove any leftovers:

TECHNICAL DETAILS
When executed, the worm copies itself as the following files:
%System%\ntpl.bin
%System%\sbmf.ln
It also drops the following files, which are copies of Backdoor.Zapinit:
%System%\cc.ln
%System%\lght.ln
%System%\msnf.ln
%System%\nvrsma.dll
%System%\pryx.ln
It also creates the following log file:
%Windir%\sys.log
Next, the worm modifies the following files so that it changes which registry entries are queried when Windows starts:
%System%\dllcache\user32.dll
%System%\user32.dll
It then creates the following registry entry so that it runs whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"pjpInit_Dlls" = "nvrsma"
Note: The above registry entry is queried by the modified user32.dll files.
Note: The original user32.dll files are copied as the following file:
%System%\[RANDOM FILE NAME]
It also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"st" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"mid" = "[HEXADECIMAL CHARACTERS]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"dwn" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"ccnt" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"nhr" = "1"
It also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\1
HKEY_LOCAL_MACHINE\SOFTWARE\6
HKEY_LOCAL_MACHINE\SOFTWARE\7
HKEY_LOCAL_MACHINE\SOFTWARE\8
HKEY_LOCAL_MACHINE\SOFTWARE\9
The worm then attempts to connect to the following URLs:
[]66.36.241.45
[]66.36.241.45
The worm spreads by copying itself to network shares using the following logon details:
User name: Administrator
Password: One of the following: !@# 0 00 1 11 1212 123 123456 13 1313 666 777 adm admin administrator asa pass password q qaz qazxsw qqq qwerty test zaq zaqwsx zzz

pol
Blam |
Blam (54) | ||
| 797018 | 2009-08-01 01:56:00 | Thanks.. underway

Logfile of HijackThis v1.99.1
Scan saved at 12:51:47 p.m., on 01/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\AMT\atchk.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\A-DATA\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\WINDOWS\system32\taskswitch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Firebird\Firebird_2_0\Bin\FBGuard.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Firebird\Firebird_2_0\Bin\fbserver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\Shareware\FoxitReader.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Google\Picasa3\PicasaPhotoViewer.exe
C:\Downloads\Shareware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bordernet.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.directlink.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:9202;https=localhost:9202;socks=localhost:9203
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ADATA_PLUtil] C:\Program Files\A-DATA\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ avast! ] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShaPlus Bandwidth Meter] "C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" /s
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - platformdl.adobe.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FirebirdGuardianDefaultInstance - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_0\Bin\FBGuard.EXE
O23 - Service: FirebirdServerDefaultInstance - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_0\Bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InterBaseGuardian - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\IBGuard.EXE
O23 - Service: InterBaseServer - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe |
cowboy stu (7021) | ||
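An added example, not code from the thread or from any tool named in it (HijackThis, MBAM, Trojan Remover): a small Python script that takes the indicators from the write-up Blam pasted above and checks them offline against two inputs, HijackThis-style log lines of the kind cowboy stu posted and a text registry export of the kind `reg export` writes. The sample log lines and the sample .reg text embedded in it are constructed for the example, not taken from the thread. One caveat it is built around: HijackThis reports the AppInit_DLLs value by name (its O20 entries), so the renamed pjpInit_Dlls value that the patched user32.dll reads, which sits in the same key, would not appear in the log above and has to be checked in the registry itself; the script's registry part does that from an export, so nothing gets edited.

```python
"""Offline triage for the Win32:SysPatch / Backdoor.Zapinit indicators quoted in
the thread. Added example, not code from the thread or from HijackThis/MBAM.
Assumption: the two sample inputs at the bottom are constructed here."""
import re

# File names the write-up says are dropped under %System%.
DROPPED_FILES = {"ntpl.bin", "sbmf.ln", "cc.ln", "lght.ln", "msnf.ln", "nvrsma.dll", "pryx.ln"}

# Persistence: the patched user32.dll reads a renamed value in the same key that
# holds the legitimate AppInit_DLLs value. HijackThis reads AppInit_DLLs by name
# (O20), so this value has to be checked in the registry directly.
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
PERSIST_VALUE = "pjpInit_Dlls"

# Marker values and subkeys the write-up lists.
CURVER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
MARKER_VALUES = ("ccnt", "dwn", "mid", "nhr", "st")
MARKER_SUBKEYS = tuple("HKEY_LOCAL_MACHINE\\SOFTWARE\\" + n for n in "16789")

FILE_TOKEN = re.compile(r"[\w~-]+\.[a-z0-9]{2,4}\b", re.IGNORECASE)
HJT_ENTRY = re.compile(r"^[RO]\d+ - ")


def scan_hjt_log(lines):
    """Return (line_no, reason) for each HijackThis entry (R../O.. lines) that
    names one of the dropped files. Header and process-list lines are skipped."""
    hits = []
    for no, line in enumerate(lines, 1):
        if not HJT_ENTRY.match(line.strip()):
            continue
        found = {t.lower() for t in FILE_TOKEN.findall(line)} & DROPPED_FILES
        for name in sorted(found):
            hits.append((no, f"dropped file {name}"))
    return hits


def parse_reg_export(text):
    """Minimal parser for the text format `reg export` writes: [key] headers
    followed by "name"=data lines. String values only; hex/dword continuation
    lines are ignored. Returns {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys


def scan_reg_export(text):
    """Return human-readable findings for the registry indicators (key and
    value names are compared case-insensitively, as the registry does)."""
    keys = {k.lower(): v for k, v in parse_reg_export(text).items()}
    findings = []
    for name, data in keys.get(APPINIT_KEY.lower(), {}).items():
        if name.lower() == PERSIST_VALUE.lower():
            findings.append(f"{PERSIST_VALUE} = {data!r} under {APPINIT_KEY}")
    present = {n.lower() for n in keys.get(CURVER_KEY.lower(), {})}
    for name in MARKER_VALUES:
        if name in present:
            findings.append(f"marker value {name} under {CURVER_KEY}")
    for sub in MARKER_SUBKEYS:
        if sub.lower() in keys:
            findings.append(f"marker subkey {sub}")
    return findings


# Constructed sample inputs (not taken from the thread's log).
SAMPLE_HJT_LINES = r"""Logfile of HijackThis v1.99.1 (constructed sample)
Running processes:
C:\WINDOWS\system32\svchost.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [sys] C:\WINDOWS\system32\ntpl.bin
O4 - HKLM\..\Run: [nv] RUNDLL32.EXE C:\WINDOWS\system32\nvrsma.dll,Init
""".splitlines()

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"pjpInit_Dlls"="nvrsma"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"st"="1"
"mid"="0a1b2c"

[HKEY_LOCAL_MACHINE\SOFTWARE\7]
"""

if __name__ == "__main__":
    for no, why in scan_hjt_log(SAMPLE_HJT_LINES):
        print(f"HJT line {no}: {why}")
    for finding in scan_reg_export(SAMPLE_REG):
        print(f"registry: {finding}")
```

To produce the export on XP, run `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" win.reg` and the same for the other keys of interest; reg.exe writes the file as Unicode (UTF-16), so open it with `encoding="utf-16"` before passing the text to `scan_reg_export`. Anything the script reports is a pointer to look at, not a verdict: confirm a hit by opening the key in regedit before removing it.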
| 797019 | 2009-08-01 03:12:00 | Malwarebytes reports no issues. All good, do you think? |
cowboy stu (7021) | ||
| 797020 | 2009-08-01 03:22:00 | Seems like it. HJT log is clean, a few unneeded entries, but Speedy can advise on what is unneeded. But look in the registry and C drive for the files and keys I listed above. And try running this: www.spywareterminator.com Blam |
Blam (54) | ||
| 797021 | 2009-08-01 04:21:00 | thanks will do | cowboy stu (7021) | ||
| 797022 | 2009-08-01 06:28:00 | Disable system restore, tick these, then tick Fix checked. Close browsers. Since Trojan Remover is installed, make sure it's up to date, then scan, then select all options under Utils.

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

This file will be the prob
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

If you don't use Nero Home, tick this:
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" |
Speedy Gonzales (78) | ||
| 797023 | 2009-08-01 06:45:00 | C:\Program Files\Intel\AMT\atchk.exe
atchksrv.exe - This service will automatically start when Windows* boots. This service takes care of the administrator privileges needed by the "non-administrator" users to make use of the Intel® AMT Status application.
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Intel\AMT\LMS.exe part of Intel(R) Active Management Technology Local Manageability Service. The program listens for or sends data on open ports to LAN or Internet.
C:\WINDOWS\system32\IoctlSvc.exe Utterly useless and occasionally problematic background service installed when a user installs the CD that comes with some USB thumb drives (Memory sticks / Flash memory / USB memory / Pen Drive). From our tests, and from our experience, despite using very little memory this service performs no function other than seriously impact the performance of some PCs. On some PCs this service will often cause PC slowness or random freezes.
C:\Program Files\Intel\AMT\UNS.exe
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ADATA_PLUtil] C:\Program Files\A-DATA\USB Flash Disk Utility\PLBkMon.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe
All completely unnecessary too. Why do you run all this clutter? |
pctek (84) | ||
| 797024 | 2009-08-01 06:49:00 | Re clutter ... got no idea, will deal to it. Did as Speedy says, except my unpaid version of Trojan Remover is no use. Still getting the warning of Win32:SysPatch [Wrm]. Thanks for the help, will persist. |
cowboy stu (7021) | ||
| 797025 | 2009-08-01 07:15:00 | What is the best way to edit the registry as advised by Blam, please? Is this what is required? |
cowboy stu (7021) | ||