Do the reverse - SDFix first, then SAS. Keep the WinSock repair in mind if you need it.
Anyway, SAS has found nothing, only three cookies.
I will try SDFix soon and we will see whether explorer.exe changes its bad behaviour.
But there is a question: if SAS showed nothing before I used SDFix, does it matter that it shows nothing after SDFix?
I think SDFix will get the downloader responsible for all this while SAS might not. But please post both logs so we can see.
EDIT: Do I understand correctly that AVG AS removed cp1041.nls, it came back, and SAS doesn’t see it? Maybe post the AVG AS log instead.
Hi guys
Seems like quite a few people have been infected with this in the last few weeks.
IMPORTANT: THIS IS WHAT I DID. ASK THE GUYS HERE FIRST, AS IT MIGHT NOT WORK FOR EVERYONE!!!
For my fix I needed a clean copy of the Windows SP2 Ndis.sys
and a copy of IceSword. Got it here: http://www.majorgeeks.com/Icesword_d5199.html
and installed it.
I got my copy of the Windows SP2 Ndis.sys from my laptop.
I zipped it, put it on a floppy, transferred it to my main computer and put the copy on my desktop,
then I extracted it to the windows/system32/drivers folder.
Then I booted into safe mode (keep pressing F8 at start-up).
Then I opened IceSword, and on the left side clicked the Files tab and located the
windows/system32/drivers/ folder; then in the right-side pane I found Ndis.sys, right-clicked it and
clicked Forced Delete.
Then on the left side I clicked C:/ and on the right side found cp1041.nls, right-clicked it and
clicked Forced Delete, then I exited IceSword.
Then I extracted another copy of the new SP2 Ndis.sys from my desktop to windows/system32/drivers.
Then I rebooted.
Then I did a scan with SuperAntiSpyware.
trojan spam.RUCrey had gone but trojan downloader-MSNETAX was still there,
so I pressed Fix in SuperAntiSpyware, rebooted, went back into safe mode and used
SDFix.
I noticed I couldn't connect to the web, so I did what mauserme had posted earlier:
Open SuperAntiSpyware again, but this time click the Preferences button. Then click the Repairs tab. Scroll down and highlight Repair Broken Network Connection (WinSock LSP Chain) and click Repair.
and it worked. I did another scan with SuperAntiSpyware and trojan downloader-MSNETAX had gone.
Still not sure if I'm completely clean.
I noticed in Task Manager locator.exe, which I've never seen before, and in my firewall logs
C:\WINDOWS\system32\svchost.exe is trying to connect to these (I've checked and Windows Updates are turned off):
au.download.windowsupdate.com [87.248.210.199]
au.download.windowsupdate.com [84.53.135.211]
rs.update.microsoft.com [84.53.135.209]
I did a search on Google for au.download.windowsupdate.com.
The first site said it might be a keylogger.
Thanks for the follow up.
For future reference (and for T34), there is a very good chance a clean ndis.sys already existed on your computer in c:\windows\system32\dllcache. If there, SDFix would have handled a lot of the manual copy/paste/force delete for you. So for those less “hands on” than you, yours might be considered Plan B. Or Plan A if you really like to delve into things.
Checking the most recent IPs you posted at WhoIs shows they are not Windows Updates sites. You need to deal with that.
You might also check these files at Virus Total, all in C:\windows\system32
Winlogon.exe
main.sys (if present there)
adiras.exe (if present there)
wxmst.exe (if present there)
wsctl.exe (if present there)
Hi,
Below is the report from SDFix. As you can see, it failed to fix the system and remove ndis.sys.
And AVG AntiSpyware found cp1041.nls again, right after SDFix finished its work. Now I am trying SuperAntiSpyware, but I am not expecting anything, as before.
I will try to remove it manually as UK Sean did.
I
SDFix: Version 1.79
Run by T34 - 2007-04-23 - 21:41:47,23
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
ndis.sys Infected!
Patched File copied to Backups Folder
Attempting to replace ndis.sys with original version…
Unable To Replace Patched File!
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting…
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\WINDOWS\SYSTEM32\CMMGR32.EXE - Deleted
C:\CP1041.NLS - Deleted
C:\DOCUME~1\Olek\USTAWI~1\Temp\setup.exe - Deleted
Removing Temp Files
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
:{4B9A1497-0817-47C4-9612-D6A1C53ACF57} 12
Total size: 12 bytes.
system32: deleted 12 bytes in 1 streams.
Checking for remaining Streams
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\SMINST\Scheduler.exe"="C:\WINDOWS\SMINST\Scheduler.exe:*:Enabled:Scheduler "
"C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe"="C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\Hp\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\Hp\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\Hp\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\Hp\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\Documents and Settings\Olek\Moje dokumenty\Unreal\System\UnrealTournament.exe"="C:\Documents and Settings\Olek\Moje dokumenty\Unreal\System\UnrealTournament.exe:*:Enabled:UnrealTournament.exe"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
Backups Folder: - C:\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes:
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT98.tmp
Finished
I will try to remove it manually as UK Sean did.
Is ndis.sys responsible for creating cp1041.nls?
I've got two ndis.sys - 179 KB and 275 KB. The second was created on the day I got infected. By the way, is 179 KB the right size for this file?
Any other suggestions?
Greetings
Hi T34
I did it 5 times with SuperAntiSpyware without success, see pic.
3 times with SDFix.
That's why I did it manually.
P.S. The clean ndis.sys was 179 KB.
Hi,
SuperAntiSpyware has found nothing on my system.
I am really curious what will happen after my manual action. Will it be the end or not...
I want to scan the system with ewido on-line before this action, and maybe with other scanners...
T34
Did you do a full scan? When I did a quick one nothing showed up.
Nothing found (only cookies). I would rather check whether other dangerous stuff is here.
Fortunately not.
I am going to do it manually now.
Lucky? I hope so…
I used IceSword to delete those 2 files. I used GMER to check the process and it seemed to be fine. I applied SDfix just in case.
And explorer.exe doesn't want to connect to the internet anymore (after 9779 attempts blocked by the firewall).
Uk-Sean and others - great work and support.
I think that the key was identifying the sick files; unfortunately no antivirus could do it. But AVG AntiSpyware pointed to one file, even though its recommendation was to ignore it.
SDFix removed one file, CMMGR32.EXE. Why? Is it dangerous?
Any comments or advice?
SDFix: Version 1.79
Run by T34 - 2007-04-23 - 23:35:08,76
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting…
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\WINDOWS\SYSTEM32\CMMGR32.EXE - Deleted
Removing Temp Files
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\SMINST\Scheduler.exe"="C:\WINDOWS\SMINST\Scheduler.exe:*:Enabled:Scheduler "
"C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe"="C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\Hp\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\Hp\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\Hp\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\Hp\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:Explorer"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
Backups Folder: - C:\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes:
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT98.tmp
Finished
hi T34
good to hear.
Do you get any of these trying to access the web?
au.download.windowsupdate.com [87.248.210.199]
au.download.windowsupdate.com [84.53.135.211]
rs.update.microsoft.com [84.53.135.209]
Rather not; no new applications want to get to the internet, no new strange processes.
Probably you have other stuff... after my infection I scanned the system with 3 on-line scanners and with avast in safe mode (F8), and every one of them found other viruses, 4 or 5 different types in a number of files.
I think my system is fine now, but who knows for sure. I will scan it anyway with different stuff for the next few days.
I hope you will find a solution soon with a little help and luck.
Don't give up.
Plan B it is, then …
Thanks for the SDFix logs, T34. It's nice to actually have a look at them.
Did you notice C:\WINDOWS\SYSTEM32\CMMGR32.EXE was deleted with both runs of SDFix? You may still have a downloader at work.
If you can find this file
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT98.tmp
you might want to scan it and CMMGR32.EXE at Virus Total.
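The point mauserme makes, that CMMGR32.EXE came back between two SDFix runs, is the kind of thing that is easy to miss in a wall of log text. The parser below is an added example written for this thread (it is not part of SDFix) that pulls the reviewable items out of an SDFix log: the service SDFix called infected and whether it managed to replace it, the files it deleted, any alternate data streams it found on system32 or svchost.exe, the firewall exception list, and the hidden-attribute files at the end. It then flags firewall exceptions for Windows binaries such as explorer.exe, which in T34's log is enabled even though explorer.exe was the process hammering the firewall; that list of "host" binaries is a reviewer's heuristic and an assumption, not anything SDFix reports. The sample log is constructed by abbreviating the logs T34 posted above.

```python
"""Pull the reviewable items out of an SDFix log.

Added example for this thread, not part of SDFix.  SAMPLE_LOG is a
constructed abbreviation of T34's first log; HOST_BINARIES is a reviewer's
heuristic (processes malware commonly injects into or launches through).
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""SDFix: Version 1.79
Run by T34 - 2007-04-23 - 21:41:47,23
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
ndis.sys Infected!
Patched File copied to Backups Folder
Attempting to replace ndis.sys with original version...
Unable To Replace Patched File!
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\WINDOWS\SYSTEM32\CMMGR32.EXE - Deleted
C:\CP1041.NLS - Deleted
Removing Temp Files
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
:{4B9A1497-0817-47C4-9612-D6A1C53ACF57} 12
Total size: 12 bytes.
system32: deleted 12 bytes in 1 streams.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
Remaining Files:
Backups Folder: - C:\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes:
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT98.tmp
Finished
"""

# Registry export line: "path"="path:*:State:Display name"
FIREWALL_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<path>.*?):\*:(?P<state>[^:]+):(?P<name>.*)"$')
PROFILE_RE = re.compile(r"\\(\w+Profile)\\")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

HOST_BINARIES = {"explorer.exe", "svchost.exe", "rundll32.exe", "regsvr32.exe",
                 "mmc.exe", "cmd.exe", "wjview.exe"}


def parse_sdfix_log(text: str) -> Dict[str, object]:
    out: Dict[str, object] = {"infected_services": [], "replace_failed": False,
                              "deleted": [], "ads_streams": [], "firewall": [], "hidden": []}
    section = None      # which multi-line block we are inside
    profile = None      # StandardProfile / DomainProfile for firewall entries
    last_path = None    # object an ADS line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "ADS Check:":
            section = "ads"
        elif line == "Authorized Application Key Export:":
            section = "firewall"
        elif line == "Checking For Files with Hidden Attributes:":
            section = "hidden"
        elif line in ("Final Check:", "Remaining Files:", "Finished"):
            section = None
        elif line.endswith("Infected!"):
            out["infected_services"].append(line[: -len("Infected!")].strip())
        elif line == "Unable To Replace Patched File!":
            out["replace_failed"] = True
        elif line.endswith(" - Deleted"):
            out["deleted"].append(line[: -len(" - Deleted")])
        elif section == "ads":
            if DRIVE_RE.match(line):
                last_path = line
            elif line.startswith(":"):          # ":{stream name} size"
                out["ads_streams"].append({"host": last_path, "stream": line})
        elif section == "firewall":
            if line.startswith("["):
                m = PROFILE_RE.search(line)
                profile = m.group(1) if m else None
            else:
                m = FIREWALL_RE.match(line)
                if m:
                    out["firewall"].append({"profile": profile, "path": m.group("path"),
                                            "state": m.group("state"), "name": m.group("name")})
        elif section == "hidden" and DRIVE_RE.match(line):
            out["hidden"].append(line)
    return out


def review_firewall_exceptions(entries: List[dict]) -> List[dict]:
    """Enabled exceptions for Windows host binaries deserve a second look."""
    return [e for e in entries
            if e["path"].rsplit("\\", 1)[-1].lower() in HOST_BINARIES
            and e["state"].lower() == "enabled"]


def summarize(text: str) -> Dict[str, object]:
    parsed = parse_sdfix_log(text)
    parsed["flagged_exceptions"] = review_firewall_exceptions(parsed["firewall"])
    return parsed


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it over two consecutive logs and diff the "deleted" lists to see what reappeared; an exception for explorer.exe is not proof of anything on its own (some firewalls add it for the Windows shell's own traffic), but combined with the 9779 blocked attempts T34 reported it is worth removing and watching whether it comes back.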
hi mauserme
I still think something is on my system.
Here are my last SDFix logs:
SDFix: Version 1.78
Run by Sean - 23/04/2007 - 1:55:38.34
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting…
Normal Mode:
Checking Files:
No Trojan Files Found…
Removing Temp Files
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Miranda IM\miranda32.exe"="C:\Program Files\Miranda IM\miranda32.exe:*:Enabled:Miranda IM"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\The All-Seeing Eye\eye.exe"="C:\Program Files\The All-Seeing Eye\eye.exe:*:Enabled:The All-Seeing Eye"
"C:\WINDOWS\system32\dpnsvr.exe"="C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\Program Files\Quake III Arena\quake3.exe"="C:\Program Files\Quake III Arena\quake3.exe:*:Enabled:quake3"
"C:\Program Files\Return to Castle Wolfenstein\WolfMP.exe"="C:\Program Files\Return to Castle Wolfenstein\WolfMP.exe:*:Enabled:WolfMP"
"C:\Program Files\MotoGP2\motogp2.exe"="C:\Program Files\MotoGP2\motogp2.exe:*:Disabled:motogp2"
"C:\Roger Wilco\ROGER.EXE"="C:\Roger Wilco\ROGER.EXE:*:Enabled:ROGER"
"C:\Program Files\Ubisoft\Crytek\Far Cry\Bin32\FarCry.exe"="C:\Program Files\Ubisoft\Crytek\Far Cry\Bin32\FarCry.exe:*:Enabled:Far Cry"
"C:\Program Files\Wolfenstein - Enemy Territory\ET.exe"="C:\Program Files\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET"
"C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe"="C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe:*:Enabled:Ad-aware.exe"
"C:\Program Files\Ubisoft\Crytek\Far Cry\Pb\pbweb.exe"="C:\Program Files\Ubisoft\Crytek\Far Cry\Pb\pbweb.exe:*:Enabled:pbweb.exe"
"C:\Program Files\EA GAMES\Battlefield 1942\BF1942.exe"="C:\Program Files\EA GAMES\Battlefield 1942\BF1942.exe:*:Enabled:BF1942"
"C:\Program Files\Valve\Steam\Steam.exe"="C:\Program Files\Valve\Steam\Steam.exe:*:Enabled:Steam"
"C:\Program Files\Valve\Steam\SteamApps\uk_sean\counter-strike source\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\uk_sean\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Program Files\Valve\Steam\SteamApps\uk_sean\half-life 2 deathmatch\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\uk_sean\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Codemasters\Colin McRae Rally 04\cmr4.exe"="C:\Program Files\Codemasters\Colin McRae Rally 04\cmr4.exe:*:Enabled:Colin McRae Rally 04 Application"
"C:\WINDOWS\system32\wjview.exe"="C:\WINDOWS\system32\wjview.exe:*:Enabled:Microsoft® VM Command Line Interpreter"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\Program Files\teamspeak2_RC2\TeamSpeak.exe"="C:\Program Files\teamspeak2_RC2\TeamSpeak.exe:*:Enabled:TeamSpeak 2 RC2"
"C:\Program Files\GSB\gsb.exe"="C:\Program Files\GSB\gsb.exe:*:Enabled:GiveSomeBack"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Disabled:Run a DLL as an App"
"C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe"="C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe:*:Enabled:Dreamweaver MX 2004"
"C:\Program Files\DAP\DAP.exe"="C:\Program Files\DAP\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"C:\Program Files\WM Recorder\WMR90.exe"="C:\Program Files\WM Recorder\WMR90.exe:*:Enabled:Windows Media ™ Stream Recorder"
"C:\Program Files\America's Army\System\ArmyOps.exe"="C:\Program Files\America's Army\System\ArmyOps.exe:*:Enabled:ArmyOps"
"C:\Program Files\Windows Media Player\wmplayer.exe"="C:\Program Files\Windows Media Player\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\Documents and Settings\Sean\Desktop\utorrent.exe"="C:\Documents and Settings\Sean\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Kontiki\KService.exe"="C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service"
"C:\Program Files\ABC\abc.exe"="C:\Program Files\ABC\abc.exe:*:Disabled:ABC"
"C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe:*:Disabled:BitComet - a BitTorrent Client"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Disabled:mIRC"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files:
Checking For Files with Hidden Attributes:
C:\Documents and Settings\Sean\NetHood\ftp.f-secure.com\Desktop.ini
C:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
C:\WINDOWS\system32\AVSredirect.dll
C:\WINDOWS\system32\cygwin1.dll
C:\WINDOWS\system32\cygz.dll
C:\hijackthis\HiJackThis_v2.exe
C:\Hostfile\Hosts.exe.txt
C:\Program Files\messengerbak\msmsgs.exe
C:\Program Files\Messengerold\msmsgs.exe
C:\Pc-Check\Eurodos.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0f1d9525936bd5663571785a751b32e3\BIT31.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\1677bddc08fb72da2e81378c43c92308\download\BIT8.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\172a12d8728d24242cc986274c5879c4\BIT23.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2599f89a22d2a65299ffec348453588c\download\BIT45.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\35cce4c0c04512d0bce9f3bf12fcbdee\download\BIT4.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\36a2d56bfaf653641b67e8413870534a\BIT35.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\37eaf99bd2ebf4838afe42fd80f89dc5\BIT1E.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\3e8d5b713517659e134047f6c6f814a6\BIT2E.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\437c027c64a0cdea5e7269513ccd1066\BIT30.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\573bf64c61e63a82e837c932e348b15c\BIT5.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\73b38e6399921b83cdcc05584d085f4b\BIT2F.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7a0b2e29d3aa48d4be478bc6a367b3b1\download\BIT7.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7df587b4c3dd29899de0720914884fb1\BIT21.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\80340438e0f91553e7f1455bc22fd0b7\BIT24.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\9dbaac1e50a4706a8b8dbd434a19e435\BIT34.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\a47321bdd5009003a9abdb62d9a718c7\BIT33.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\a79f67dfc44240ad90ea6f3c28f4cd87\download\BIT5.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b68cb38dc8dc3be185a274d0a0d9edc5\BIT28.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\bd2c412f5748f6bd7110bae5c7f908e8\BIT1F.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ccf16a349964b0c1db2aca1fe8adaff2\download\BIT6.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\dd6fb811ad5e3cbc24ccdf6b54fa528a\BIT20.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e42ed9b4c83ab2e200b2e2b67275edef\BIT2C.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e6c3db259a836f1550d18daa86b32f0b\BIT1D.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ea92db909e4eaac0ffac5c735e40cc3e\BIT2D.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ec4bd1527b43d202e7c5588f67b971f6\BIT32.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fa4f65ff7c7106a46457f558c01dcc94\BIT22.tmp
Finished
Also a new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 01:49:59, on 24/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\DocPad\docpad.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: UKPoker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\UKPoker\client.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O15 - Trusted Zone: img.bleepingcomputer.com
O15 - Trusted Zone: www.bleepingcomputer.com
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
Hi UK_Sean,
The only things obvious to me in your hjt log are the two download accelerators - Download Accelerator Plus (DAP) and HiDownload. DAP can be a source of trojans and A-Squared identifies HiDownload as adware. If they are listed in Add/Remove programs you could consider uninstalling them.
Why don’t you update me on your current symptoms. Does explorer.exe still try to connect to the internet? Was it svchost.exe trying to connect to those update-like web sites? Is that still occurring?
Have you had chance to scan these files at Virus Total?
C:\windows\system32\
Winlogon.exe
main.sys (if present)
adiras.exe (if present)
wxmst.exe (if present)
wsctl.exe (if present)
You should add C:\Hostfile\Hosts.exe.txt and a few random C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ … \BITxx.tmp files to the Virus Total scans. If anything is identified with these scans please post the results, or at least confirm that the scan was clean.
Also, did you add this to your trusted sites?
O15 - Trusted Zone: img.bleepingcomputer.com
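Two facts in this thread point at name resolution rather than at svchost.exe itself: the WHOIS lookups showed the "windowsupdate" hostnames resolving to addresses that are not Microsoft's, and every SDFix run reports "Restoring Windows Default Hosts File", which only matters if something had been rewriting it. The script below is an added example written for this thread (not anything posted in it) that takes firewall-log lines in the "hostname [ip]" form UK Sean pasted, reads the hosts file, and reports for each update-server connection whether the hostname is pinned in the hosts file, whether the logged address is the pinned one (so the connection went where the hosts file sent it, not where DNS would have), and, if you supply address ranges you have confirmed by WHOIS, whether the address falls outside them. The hosts-file content is constructed to show what a hijack looks like; the trusted ranges are deliberately left empty rather than guessed here.

```python
"""Cross-check update-server connections against the local hosts file.

Added example for this thread, not anything posted in it.  FIREWALL_LINES are
the three lines UK Sean pasted; HOSTS_SAMPLE is constructed (the windowsupdate
entry is what a hijack looks like); trusted_cidrs are yours to fill in after
a WHOIS lookup, as mauserme did, and are empty by default.
"""
import ipaddress
import os
import re
from typing import Dict, Iterable, List, Tuple

LOG_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]$")

FIREWALL_LINES = [
    "au.download.windowsupdate.com [87.248.210.199]",
    "au.download.windowsupdate.com [84.53.135.211]",
    "rs.update.microsoft.com [84.53.135.209]",
]

HOSTS_SAMPLE = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
87.248.210.199  au.download.windowsupdate.com   # constructed hijack entry
"""

# Domains a downloader has a reason to redirect: the ones seen in the thread.
WATCHED_SUFFIXES = ("windowsupdate.com", "update.microsoft.com")

HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"


def is_watched(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every hostname in a hosts file to the address it is pinned to."""
    pinned: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:                     # one address, many names
            pinned[name.lower()] = parts[0]
    return pinned


def parse_firewall_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    pairs = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            pairs.append((m.group("host").lower(), m.group("ip")))
    return pairs


def check_connections(lines: Iterable[str], hosts_text: str,
                      trusted_cidrs: Iterable[str] = ()) -> List[dict]:
    pinned = parse_hosts(hosts_text)
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for host, ip in parse_firewall_log(lines):
        if not is_watched(host):
            continue
        addr = ipaddress.ip_address(ip)
        override = pinned.get(host)
        findings.append({
            "host": host,
            "ip": ip,
            "hosts_override": override,                 # address pinned in hosts, if any
            "resolved_via_hosts": override == ip,       # the connection went where hosts sent it
            "outside_trusted": bool(nets) and not any(addr in n for n in nets),
        })
    return findings


if __name__ == "__main__":
    hosts_text = HOSTS_SAMPLE
    if os.path.isfile(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            hosts_text = fh.read()
    for f in check_connections(FIREWALL_LINES, hosts_text):
        print(f)
```

A hit on "resolved_via_hosts" means the hosts file, not DNS, chose the destination, and SDFix restoring the default file explains why the addresses can change between runs. No override with an address still outside the ranges WHOIS gave you points at the resolver path instead (a changed DNS server setting, or the patched ndis.sys sitting under the whole network stack), which is the case the thread never fully closed.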