Screwed by Win32:Siveras [Expl]

I need help, I just don't know how to eliminate this virus…
Below in the spoiler is my avast log file.

01/05/2009 17:53:55 SYSTEM 1568 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C5YRCH6N\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
01/05/2009 17:55:55 SYSTEM 1568 Sign of "Win32:Siveras [Expl]" has been found in "C:\WINDOWS\system32\Desktop\csrss.exe\[BeRoEXE]\[RLPack]" file.
01/05/2009 18:19:53 SYSTEM 236 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
01/05/2009 19:22:57 SYSTEM 236 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\41Y3WTIF\Newer[2].Exe\[BeRoEXE]\[RLPack]" file.
01/05/2009 20:25:27 SYSTEM 236 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
01/05/2009 21:28:04 SYSTEM 236 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\41Y3WTIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
01/05/2009 22:01:18 SYSTEM 1852 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
01/05/2009 22:02:14 SYSTEM 1852 Sign of "Win32:Siveras [Expl]" has been found in "C:\WINDOWS\system32\Desktop\csrss.exe\[BeRoEXE]\[RLPack]" file.
01/05/2009 23:02:53 SYSTEM 1852 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W1A38XYF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
02/05/2009 0:04:42 SYSTEM 1852 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
02/05/2009 0:34:42 SYSTEM 1996 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W1A38XYF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
02/05/2009 0:47:40 SYSTEM 1836 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
02/05/2009 1:48:38 SYSTEM 1836 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
02/05/2009 1:54:44 SYSTEM 1836 Sign of "Win32:Siveras [Expl]" has been found in "C:\WINDOWS\system32\Desktop\csrss.exe\[BeRoEXE]\[RLPack]" file.
02/05/2009 2:43:28 SYSTEM 1568 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\41Y3WTIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
02/05/2009 2:52:11 SYSTEM 1628 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
02/05/2009 2:53:06 SYSTEM 1628 Sign of "Win32:Siveras [Expl]" has been found in "C:\WINDOWS\system32\Desktop\csrss.exe\[BeRoEXE]\[RLPack]" file.
02/05/2009 3:17:00 SYSTEM 1600 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
02/05/2009 3:21:26 SYSTEM 1600 Sign of "Win32:Agent-AERY [trj]" has been found in "C:\WINDOWS\system32\bJPRqUsV\A001.exe\[UPX]" file.
02/05/2009 18:19:18 SYSTEM 1584 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
02/05/2009 18:28:02 SYSTEM 1584 Sign of "Win32:Agent-AERY [trj]" has been found in "C:\WINDOWS\system32\KqdpUoTk\A001.exe\[UPX]" file.
02/05/2009 19:20:41 SYSTEM 1620 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
02/05/2009 21:05:23 SYSTEM 1564 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F2QTG3BU\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
02/05/2009 21:10:08 SYSTEM 1564 Sign of "Win32:Agent-AERY [trj]" has been found in "C:\WINDOWS\system32\fvOoJMUy\A001.exe\[UPX]" file.
02/05/2009 21:11:49 SYSTEM 1564 Sign of "Win32:Agent-UWD [trj]" has been found in "C:\WINDOWS\system32\fywd.dll" file.
02/05/2009 21:11:50 SYSTEM 1564 Sign of "Win32:Agent-UWD [trj]" has been found in "C:\WINDOWS\system32\fywd.dll" file.
This virus comes back at random: after I delete one, another will come with a different name, but it is the same virus. I tried to use the ZoneAlarm firewall, and when this virus becomes active it calls c:\windows\ftp.exe. I also tried to use the BitDefender DC cleaner
http://download.bitdefender.com/resources/files/Download/en/dcleaner.zip

But it's just not working.

I just can't find the mother of this virus.

I'm sorry for my terrible English, and I hope I can find some CLEAR instructions here on how to eliminate this virus, since I'm not very expert in English.

Thank you very much for your help and attention in advance.

Hijackthis log file

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Desktop\smss.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\Watcher.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\SwiApiMux.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
D:\Master\squid\sbin\squid.exe
c:\squid\libexec\unlinkd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\ShowNetworkActivity.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\WINDOWS\system32\fvOoJMUy\J001.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashLogV.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Master\avast antivirus\HiJackThis.exe

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM..\Run: [SmartRAM] C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU..\Run: [SpeedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don’t filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MS Mediar Control eCenter (MediaeCenterrr) - Unknown owner - C:\WINDOWS\system32\goxp.exe
O23 - Service: Program Compatibility Assistan (PctaSvc) - Unknown owner - C:\Program Files\R_Server\Slsvc.exe
O23 - Service: Desktop Configuration (SesEnv) - Unknown owner - C:\WINDOWS\system32\Desktop\smss.exe
O23 - Service: SptSvc (SpSvc.exe) - Unknown owner - C:\WINDOWS\system32\svchost -k SpSvc.exe (file missing)
O23 - Service: Squid - SQUID Web Proxy Cache - http://www.squid-cache.org/ - D:\Master\squid\sbin\squid.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

If anyone wants to download the virus sample, here it is:

http://www.4shared.com/file/102831412/b752c213/Newer1.html
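The avast log above is the same handful of detections reported over and over, which hides the useful facts: how many distinct files were actually hit, which packer layers avast unpacked to find them, and that the Newer[1].Exe downloads all sit in the LocalService account's Temporary Internet Files, i.e. they were fetched by a process running as a service rather than by the interactive user's browser. The following parser is an added example, not code from the original post or from avast; the sample lines are copied from the log above, the regular expressions are this example's own reading of that format, and the service-profile check is an assumption about where WinInet caches downloads for a given account.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the avast log pasted above. The detection
# lines are copied from that log; the setifaceUpdatePackages() line is an update
# failure that the parser must skip, not a detection.
SAMPLE_LOG = r"""
01/05/2009 17:53:55 SYSTEM 1568 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C5YRCH6N\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
01/05/2009 17:55:55 SYSTEM 1568 Sign of "Win32:Siveras [Expl]" has been found in "C:\WINDOWS\system32\Desktop\csrss.exe\[BeRoEXE]\[RLPack]" file.
01/05/2009 18:19:53 SYSTEM 236 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
02/05/2009 0:04:42 SYSTEM 1852 Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.
02/05/2009 3:21:26 SYSTEM 1600 Sign of "Win32:Agent-AERY [trj]" has been found in "C:\WINDOWS\system32\bJPRqUsV\A001.exe\[UPX]" file.
02/05/2009 18:28:02 SYSTEM 1584 Sign of "Win32:Agent-AERY [trj]" has been found in "C:\WINDOWS\system32\KqdpUoTk\A001.exe\[UPX]" file.
02/05/2009 21:11:49 SYSTEM 1564 Sign of "Win32:Agent-UWD [trj]" has been found in "C:\WINDOWS\system32\fywd.dll" file.
"""

# One avast detection line: date, time, account, PID, signature name, scanned path.
DETECTION_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}) '
    r'(?P<account>\S+) (?P<pid>\d+) Sign of "(?P<sig>[^"]+)" '
    r'has been found in "(?P<path>[^"]+)" file\.$'
)
# Trailing "\[BeRoEXE]\[RLPack]" style segments: the unpacker layers avast went
# through. The on-disk file is everything before them.
ARCHIVE_SUFFIX_RE = re.compile(r"(?:\\\[[^\]]+\])+$")

# Accounts whose profile belongs to a service, not a logged-on user (assumption
# of this example: a download cached under such a profile was made by a process
# running as that account).
SERVICE_PROFILES = ("LocalService", "NetworkService")


def parse_detections(log_text):
    """Return one dict per detection line; all other lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        suffix_match = ARCHIVE_SUFFIX_RE.search(d["path"])
        suffix = suffix_match.group(0) if suffix_match else ""
        d["layers"] = re.findall(r"\\\[([^\]]+)\]", suffix)
        d["container"] = d["path"][: len(d["path"]) - len(suffix)]
        hits.append(d)
    return hits


def summarize(hits):
    """Collapse repeats: signature -> {on-disk container path: number of reports}."""
    summary = defaultdict(lambda: defaultdict(int))
    for h in hits:
        summary[h["sig"]][h["container"]] += 1
    return {sig: dict(paths) for sig, paths in summary.items()}


def service_cache_hits(hits):
    """Containers found in a service account's Temporary Internet Files."""
    found = set()
    for h in hits:
        parts = h["container"].split("\\")
        if (len(parts) > 4 and parts[1] == "Documents and Settings"
                and parts[2] in SERVICE_PROFILES
                and "Temporary Internet Files" in parts):
            found.add(h["container"])
    return sorted(found)


if __name__ == "__main__":
    hits = parse_detections(SAMPLE_LOG)
    for sig, paths in summarize(hits).items():
        print(sig)
        for path, n in paths.items():
            print(f"  {n:2d}x {path}")
    print("downloaded in a service account's browser cache:")
    for path in service_cache_hits(hits):
        print("  " + path)
```

The container path (with the packer layers stripped) is what matters for cleanup; the layer list is only a hint that the same packed dropper is being re-delivered. Repeated hits under LocalService's cache are the signal that a service, not the user, is re-fetching the file, which is why deleting the cached copy does not stop the cycle.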

Welcome joeni

Please post a complete HijackThis log the next time as the header information is missing.

Looks like you have Ask tracking malware on your system, so go to Add/Remove Programs and uninstall it.

Download Malwarebytes' Anti-Malware, then install it, then get the updated definitions by using its Update function, then run a Quick scan and let it remove whatever it finds; a reboot may be necessary to remove any locked files:
http://www.malwarebytes.org/mbam.php

This entry in the log is malware:
O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe

Also the entry C:\WINDOWS\system32\fvOoJMUy\J001.exe

Yokenny what do you make of the entry C:\WINDOWS\system32\Desktop\smss.exe ?

This entry should not be running from Program Files: O23 - Service: Program Compatibility Assistan (PctaSvc) - Unknown owner - C:\Program Files\R_Server\Slsvc.exe

Where are you running HJT from? D:\Master\avast antivirus\HiJackThis.exe

This is the complete Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:33:04, on 02/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP3 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Desktop\smss.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\Watcher.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\SwiApiMux.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
D:\Master\squid\sbin\squid.exe
c:\squid\libexec\unlinkd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\ShowNetworkActivity.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ping.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Master\avast antivirus\HiJackThis.exe

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM..\Run: [SmartRAM] C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU..\Run: [SpeedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don’t filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MS Mediar Control eCenter (MediaeCenterrr) - Unknown owner - C:\WINDOWS\system32\goxp.exe
O23 - Service: Program Compatibility Assistan (PctaSvc) - Unknown owner - C:\Program Files\R_Server\Slsvc.exe
O23 - Service: Desktop Configuration (SesEnv) - Unknown owner - C:\WINDOWS\system32\Desktop\smss.exe
O23 - Service: SptSvc (SpSvc.exe) - Unknown owner - C:\WINDOWS\system32\svchost -k SpSvc.exe (file missing)
O23 - Service: Squid - SQUID Web Proxy Cache - http://www.squid-cache.org/ - D:\Master\squid\sbin\squid.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: svchost (svchosts) - Unknown owner - C:\Program Files\PROGRAM\sver.com.cn.exe


End of file - 6307 bytes


I've tried to fix this one, O23 - Service: svchost (svchosts) - Unknown owner - C:\Program Files\PROGRAM\sver.com.cn.exe, in HijackThis, but it just keeps coming back, and avast seems unable to do anything about it and is not detecting it as a virus. Maybe my avast is damaged?

Yes, I run HijackThis from drive D since this tool is a stand-alone exe.

I didn't make all of those entries. I've been clicking Fix in the HijackThis tool and it seems to have no effect on the virus; it only changes its name. I always update my avast regularly, every day and maybe every 2 hours when I'm online.
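The helpers' reasoning on this log is the usual triage of HijackThis service entries: "Unknown owner" on an O23 line, an image that is "(file missing)", a core Windows process name such as smss.exe living outside system32, a service called svchost, an image in an oddly named system32 subdirectory, and a file name with several dots like sver.com.cn.exe. The script below is an added example, not code from the original thread or from HijackThis, that applies those checks mechanically to O4, O10, O20 and O23 lines; the sample lines are copied from the full log above, and the lists of core process names and known system32 subdirectories are this example's own assumptions, good enough for Windows XP.

```python
import ntpath
import re

# Constructed sample: HijackThis lines copied from the full log in the post above,
# with a few known-good entries so the triage has something to leave alone.
SAMPLE_HJT = r"""
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe
O23 - Service: MS Mediar Control eCenter (MediaeCenterrr) - Unknown owner - C:\WINDOWS\system32\goxp.exe
O23 - Service: Program Compatibility Assistan (PctaSvc) - Unknown owner - C:\Program Files\R_Server\Slsvc.exe
O23 - Service: Desktop Configuration (SesEnv) - Unknown owner - C:\WINDOWS\system32\Desktop\smss.exe
O23 - Service: SptSvc (SpSvc.exe) - Unknown owner - C:\WINDOWS\system32\svchost -k SpSvc.exe (file missing)
O23 - Service: Squid - SQUID Web Proxy Cache - http://www.squid-cache.org/ - D:\Master\squid\sbin\squid.exe
O23 - Service: svchost (svchosts) - Unknown owner - C:\Program Files\PROGRAM\sver.com.cn.exe
"""

# Assumption: names of core Windows processes. A file with one of these names
# outside its normal directory, or a service named after one, is a masquerade.
CORE_PROCESSES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "explorer", "spoolsv"}
# Assumption: subdirectories that legitimately exist under system32 on Windows XP.
KNOWN_SYSTEM32_SUBDIRS = {"wbem", "drivers", "spool", "dllcache", "config"}

O23_RE = re.compile(r"^O23 - Service: (?P<body>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<file>.+)$")


def image_path(command):
    """Strip HJT's '(file missing)' marker, quotes and arguments from a command line."""
    command = command.replace("(file missing)", "").strip().strip('"\u201c\u201d')
    # arguments begin at the first ' -' or ' /' after the executable
    return re.split(r" [-/]", command, maxsplit=1)[0].strip().strip('"\u201c\u201d')


def looks_like_core(name):
    n = name.lower()
    return n in CORE_PROCESSES or (n.endswith("s") and n[:-1] in CORE_PROCESSES)


def path_findings(path):
    """Heuristics that apply to any image path, whatever HJT section it came from."""
    findings = []
    directory, filename = ntpath.split(path)
    stem, _ext = ntpath.splitext(filename)
    if stem.lower() in CORE_PROCESSES and directory.lower() not in (r"c:\windows\system32", r"c:\windows"):
        findings.append(f"core process name {filename!r} outside its normal directory")
    parent, subdir = ntpath.split(directory)
    if parent.lower() == r"c:\windows\system32" and subdir.lower() not in KNOWN_SYSTEM32_SUBDIRS:
        findings.append(f"image lives in unexpected system32 subdirectory {subdir!r}")
    if filename.count(".") > 1:
        findings.append(f"multi-dot file name {filename!r}")
    return findings


def triage(hjt_text):
    """Return [(line, [findings...])] for every parsed line with at least one finding."""
    results = []
    for line in hjt_text.splitlines():
        line = line.strip()
        if not line:
            continue
        findings = []
        m23, m4, m20, m10 = O23_RE.match(line), O4_RE.match(line), O20_RE.match(line), O10_RE.match(line)
        if m23:
            parts = m23["body"].split(" - ")
            display_name, owner, command = parts[0], " - ".join(parts[1:-1]), parts[-1]
            short = re.search(r"\(([^)]+)\)\s*$", display_name)
            service_name = short.group(1) if short else display_name
            if owner == "Unknown owner":
                findings.append("service has no registered owner/vendor")
            if "(file missing)" in command:
                findings.append("service image is missing on disk (orphaned or self-deleting)")
            if looks_like_core(service_name) or looks_like_core(display_name):
                findings.append(f"service named after core process {service_name!r}")
            findings += path_findings(image_path(command))
        elif m4:
            findings += path_findings(image_path(m4["cmd"]))
        elif m20:
            findings.append("AppInit_DLLs loads this DLL into every process that links user32; verify its vendor")
            findings += path_findings(m20["path"])
        elif m10:
            findings.append(f"Winsock LSP {m10['file']!r} sees all socket traffic; verify its vendor")
        if findings:
            results.append((line, findings))
    return results


if __name__ == "__main__":
    for line, findings in triage(SAMPLE_HJT):
        print(line)
        for f in findings:
            print("   -", f)
```

The O20 and O10 findings are deliberately advisory: AppInit_DLLs and Winsock LSPs are high-value persistence points, but here they belong to COMODO SafeSurf and the Bytemobile client respectively, so the right action is to confirm the vendor rather than delete. The O23 findings are where the thread's attention went, and the script reaches the same five entries the helpers singled out.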

Send these files to virustotal
smss.exe C:\WINDOWS\system32\Desktop\smss.exe
goxp.exe C:\WINDOWS\system32\goxp.exe
Slsvc.exe C:\Program Files\R_Server\Slsvc.exe
cn.exe C:\Program Files\PROGRAM\sver.com.cn.exe

http://www.virustotal.com/

File smss.exe received on 05.02.2009 17:09:41 (CET)
Current status: finished
Result: 7/38 (18.42%)

a-squared 4.0.0.101 2009.05.02 -
AhnLab-V3 5.0.0.2 2009.05.01 -
AntiVir 7.9.0.160 2009.05.02 TR/Dropper.Gen
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.01 -
Avast 4.8.1335.0 2009.05.01 -
AVG 8.5.0.327 2009.05.01 -
BitDefender 7.2 2009.05.02 -
CAT-QuickHeal 10.00 2009.05.02 (Suspicious) - DNAScan
ClamAV 0.94.1 2009.05.02 -
Comodo 1147 2009.05.02 -
DrWeb 4.44.0.09170 2009.05.02 -
eSafe 7.0.17.0 2009.04.30 Suspicious File
eTrust-Vet 31.6.6487 2009.05.02 -
F-Prot 4.4.4.56 2009.05.01 -
Fortinet 3.117.0.0 2009.05.02 -
GData 19 2009.05.02 -
Ikarus T3.1.1.49.0 2009.05.02 -
K7AntiVirus 7.10.722 2009.05.02 -
Kaspersky 7.0.0.125 2009.05.02 -
McAfee 5602 2009.05.01 -
McAfee+Artemis 5602 2009.05.01 -
McAfee-GW-Edition 6.7.6 2009.05.02 Trojan.Dropper.Gen
Microsoft 1.4602 2009.05.02 -
NOD32 4049 2009.05.01 probably unknown NewHeur_PE
Norman 6.01.05 2009.04.30 -
nProtect 2009.1.8.0 2009.05.02 -
Panda 10.0.0.14 2009.05.02 Suspicious file
Prevx1 3.0 2009.05.02 -
Rising 21.27.41.00 2009.05.01 -
Sophos 4.41.0 2009.05.02 -
Sunbelt 3.2.1858.2 2009.05.02 -
Symantec 1.4.4.12 2009.05.02 -
TheHacker 6.3.4.1.317 2009.05.02 -
TrendMicro 8.950.0.1092 2009.05.01 PAK_Generic.001
VBA32 3.12.10.4 2009.05.02 -
ViRobot 2009.5.1.1717 2009.05.01 -
VirusBuster 4.6.5.0 2009.05.01 -

File sver.com.cn.exe received on 05.02.2009 17:16:27 (CET)
Current status: finished
Result: 21/40 (52.5%)

a-squared 4.0.0.101 2009.05.02 Backdoor.Win32.Hupigon!IK
AhnLab-V3 5.0.0.2 2009.05.01 Win-Trojan/Hupigon.317122
AntiVir 7.9.0.160 2009.05.02 BDS/Hupigon.bhi
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.01 W32/Hupigon.J.gen!Eldorado
Avast 4.8.1335.0 2009.05.01 -
AVG 8.5.0.327 2009.05.01 -
BitDefender 7.2 2009.05.02 GenPack:Backdoor.Hupigon.AYUZ
CAT-QuickHeal 10.00 2009.05.02 Backdoor.Hupigon.gen
ClamAV 0.94.1 2009.05.02 Trojan.Packed-18
Comodo 1147 2009.05.02 -
DrWeb 4.44.0.09170 2009.05.02 BackDoor.Pigeon.194
eSafe 7.0.17.0 2009.04.30 Suspicious File
eTrust-Vet 31.6.6487 2009.05.02 -
F-Prot 4.4.4.56 2009.05.01 W32/Hupigon.J.gen!Eldorado
F-Secure 8.0.14470.0 2009.05.02 -
Fortinet 3.117.0.0 2009.05.02 -
GData 19 2009.05.02 GenPack:Backdoor.Hupigon.AYUZ
Ikarus T3.1.1.49.0 2009.05.02 Backdoor.Win32.Hupigon
K7AntiVirus 7.10.722 2009.05.02 -
Kaspersky 7.0.0.125 2009.05.02 -
McAfee 5603 2009.05.02 BackDoor-AWQ!hv.c
McAfee+Artemis 5602 2009.05.01 BackDoor-AWQ!hv.c
McAfee-GW-Edition 6.7.6 2009.05.02 Trojan.Backdoor.Hupigon.bhi
Microsoft 1.4602 2009.05.02 Backdoor:Win32/Hupigon.gen!B
NOD32 4049 2009.05.01 -
Norman 6.01.05 2009.04.30 -
nProtect 2009.1.8.0 2009.05.02 Backdoor/W32.Hupigon.322312.C
Panda 10.0.0.14 2009.05.02 Suspicious file
PCTools 4.4.2.0 2009.05.02 Packed/NSPack
Prevx1 3.0 2009.05.02 -
Rising 21.27.41.00 2009.05.01 -
Sophos 4.41.0 2009.05.02 -
Sunbelt 3.2.1858.2 2009.05.02 -
Symantec 1.4.4.12 2009.05.02 -
TheHacker 6.3.4.1.317 2009.05.02 -
TrendMicro 8.950.0.1092 2009.05.01 Possible_HPGN-2
VBA32 3.12.10.4 2009.05.02 suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
ViRobot 2009.5.1.1717 2009.05.01 -
VirusBuster 4.6.5.0 2009.05.01 -

wow… I am a virus farmer :o

Send these Slsvc.exe C:\Program Files\R_Server\Slsvc.exe
goxp.exe C:\WINDOWS\system32\goxp.exe

Slsvc
http://www.virustotal.com/analisis/b533d29d9d0b62f447a320b550823278

The goxp file has already deleted itself and is no longer available after I restart my computer.

Fix
C:\WINDOWS\system32\Desktop\smss.exe
O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe
O23 - Service: Program Compatibility Assistan (PctaSvc) - Unknown owner - C:\Program Files\R_Server\Slsvc.exe
O23 - Service: Desktop Configuration (SesEnv) - Unknown owner - C:\WINDOWS\system32\Desktop\smss.exe
Unknown
O23 - Service: SptSvc (SpSvc.exe) - Unknown owner - C:\WINDOWS\system32\svchost -k SpSvc.exe (file missing)

O23 - Service: svchost (svchosts) - Unknown owner - C:\Program Files\PROGRAM\sver.com.cn.exe

Reboot

Then read the instructions very clearly and run Combofix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

It just can't be deleted; it keeps coming back and spreading more of itself. ???

Ok, I have no more answers. Did you try Combofix? My only other suggestion is trying the Avira rescue disc:

http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html
Tutorial: http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

If you have no success with those two programs, hopefully someone else may help you :slight_smile:

Hi joeni,

Removal instructions,

The malcode will then create the following registry entry so that its dropped copy will be executed upon system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft DNSx = "%System%\mdnex.exe"

  1. Terminate the following malcode process:

    mdnex.exe

    Note: Since the malcode also attempts to terminate the task manager, the task manager program (%System%\taskmgr.exe) can be copied to a different file-name and then executed. Also, several process management tools are available from the Internet: An example is Process Explorer from Sysinternals: http://www.sysinternals.com/Utilities/ProcessExplorer.html

  2. Delete the following malcode file:

    %System%\mdnex.exe

    (Where %System% refers to the Windows system folder. On Windows XP and 2003, the Windows system folder is usually C:\Windows\System32, on Windows 2000 it is usually C:\WINNT\System32)

If found also Delete the following file: %systemdir%\winsvcx.exe
Delete the following registry value: stoner

polonus

There is no file called mdnex.exe on drive C:, nor in Windows. I've searched all over the place, including hidden files.

2. Delete the following malcode file:
  %System%\mdnex.exe

  (Where %System% refers to the Windows system folder. On Windows XP and 2003, the Windows system folder is usually C:\Windows\System32, on Windows 2000 it is usually C:\WINNT\System32)

If found also Delete the following file: %systemdir%\winsvcx.exe
Delete the following registry value: stoner

polonus

There is no winsvcx.exe, same as above.
Searching the registry 10 times, there is no entry stoner.

By the way, thank you very much for the help, and to everyone in this forum… maybe I should wait until the cure for this virus is found.

Hi joeni,

You might have another variety of the malcode then. Is your Task Manager working properly, and does it come up when you press Ctrl + Alt + Del?
Can you run this tool and give the contents of the result file txt as an attached txt file:
http://www.niksoft.at/download/startdreck.htm

polonus

I have seen a very similar program: goxp.exe… It claims to be part of the product "Rising AntiVirus 2009", although I've never heard of or used that product. I ran it on a virtual PC and logged what it did, and I'm pretty certain it's a virus, although avast doesn't detect it. It moves itself to c:\windows\system32\goxp.exe and starts itself from a self-created service. It then reads registry keys and sends packets to some server in China. To top it off, this sucker eats 100% CPU after a while.

If someone wants to investigate it, then I can upload it somewhere.

I believe Rising AV is a legit AV from China.

Yes, the antivirus is legitimate; however, I don't believe that file is. I also don't have Rising AV, so I don't know why I would have a file claiming to be part of it. Also, Rising AntiVirus found the file to be "suspicious", which I don't think it would do if it were one of the scanner's components.