all MS Doc file hidden and generate exe

boon77 — Thu, 04 Dec 2008 10:29:26 +0800

Hi,

I face a problem which is similar to below threat:

Word files change into application, Suspected virus attacked
http://forum.lowyat.net/topic/836822

i've follow the way Hattori suggeted to run the command (Post#9) and all my MS doc files is able to see now,
So, i deleted the exe files, but after a while the malware/virus generate another set of exe files again.
I run the HijackThis and seems like do not have any suspicious service or process is running.
Below is my HijackThis logfile.

Appreciate if any can help me on this issue.
Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:54 AM, on 12/4/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Trend\SProtect\EarthAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\WINDOWS\system32\ntfrs.exe
C:\PCCSRV\web\service\ofcservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Microsoft ISA Server\w3proxy.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.8.1:8080
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag]
O4 - HKLM\..\Run: [AuRemind] %SystemRoot%\..\dell\openmanage\remind.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [!teamcfg] %SystemRoot%\..\dell\nicteaming\intel\nicteamconfig.bat (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sb.my.kellyasia.com
O17 - HKLM\Software\..\Telephony: DomainName = sb.my.kellyasia.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{071C78BF-FD35-49C0-96BF-CC54FAD4C215}: NameServer = 192.168.8.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FA18F2E-37EC-485A-A640-5A1C6A562914}: NameServer = 192.168.8.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sb.my.kellyasia.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{071C78BF-FD35-49C0-96BF-CC54FAD4C215}: NameServer = 192.168.8.1
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Trend ServerProtect Agent (EarthAgent) - Trend Micro Inc. - C:\Program Files\Trend\SProtect\EarthAgent.exe
O23 - Service: Microsoft H.323 Gatekeeper (GKSVC) - Unknown owner - svchost.exe (file missing)
O23 - Service: OfficeScan Master Service (ofcservice) - Trend Micro Inc. - C:\PCCSRV\web\service\ofcservice.exe

--
End of file - 4716 bytes

[addedon]December 9, 2008, 9:20 am[/addedon]anyone can help me???
:'(

Aztech Dsl600EW or Dlink DSl G604T

boon77 — Mon, 08 Jan 2007 12:45:54 +0800

Hi there..

may i know which product is better? i've try to google it the review... for Dlink review mostly is negative ... for aztech review is not many...

can help me to deicde which to take???

thx in advanced..

Video Converter

boon77 — Wed, 27 Sep 2006 11:16:46 +0800

Hi there... may i know which video converter is the best? I need to convert RM or RMVB file to Mpeg4... any recommend?

Thx!!

MS EXCEL

boon77 — Thu, 13 Jul 2006 16:40:47 +0800

Dear experts,

I'm not very familiar wif excel macro. I face a problem, and i dunno whether excel macro can solve my problem or not, if can kindly advise me... thanks in advances.
I need to move a set of data from one column to another column base on the row 1 description.

e.g: For column A data is PO number and have to move to column B, and column B is Date and have to move to column A.

Is there any marco function can do this for me???

pls advise... TQTQTQ

Installe Windows server 2003 in Linux box?

boon77 — Wed, 27 Jul 2005 13:45:13 +0800

Dear all expert,

is tat possible to W2K3 server OS in a HDD which had already installed Suse Linux and make it dual-boot?
i try to google to find the solution, but seems most of the scenarion is installed Windows OS first then only installe linux OS.

can anyone help me and gimme some comments on this issues..????

thx in advanced

Lowyat.NET: Latest topics by boon77

all MS Doc file hidden and generate exe

Aztech Dsl600EW or Dlink DSl G604T

Video Converter

MS EXCEL

Installe Windows server 2003 in Linux box?