Author Topic: Avasts been hijack please help  (Read 82992 times)


UK_Sean

  • Guest
Avasts been hijack please help
« on: April 18, 2007, 04:40:49 PM »
Hi

The main problem is that something keeps trying to access the internet using Windows Explorer, not Internet Explorer.

I've blocked it with Sygate, but I'm not sure, as when I boot up it puts in a reg key which I remove.


Microsoft.WindowsSecurityCenter.FirewallBypass: Settings (Registry value, nothing done)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe

Which I found out about with spybot.

Using Spyster these are trying to access the internet

ones now accessing
( 63.170.10.51:80 ) checkip.dyndns.org                               state SYN_SENT
(204.13.250.51:80) checkip.dyndns.org                               state SYN_SENT
(204.13.249.51:80) checkip.dyndns.org                              state SYN_SENT
(64.62.243.3:8081) 3.64-62-243.reverse.mccolo.com:8081  state SYN_SENT  
(204.13.250.51:80) 3.64-62-243.reverse.mccolo.com:80      state SYN_SENT

when I noticed something was connecting to the net all the time so I opened Sygate Log and found these entries
copperbase.info (62.62.243.3 )
copperbase.info (63.62.243.3 )
copperbase.info (64.62.243.3 )
checkip.dyndns.org (204.13.249.51)

The ones below had been using avast, which I've disabled now.

gmail-smtp-in.i.google.com (66.249.93.114)
a.mx.mail.yahoo.com (209.191.118.103)
mxs.mail.ru (194.67.23.20 )
gsmtp183.google.com (64.233.183.27)
d.mx.mail.yahoo.com (216.39.53.2)


I think this is when avast got hijacked, using Windows Event Viewer:

04/14/2007 16:13:26   Allowed   3   Outgoing   TCP   alt2.gmail-smtp-in.l.google.com [72.14.205.27]   00-0D-88-61-FD-19   25   192.168.0.2   B2-E6-AF-F7-8B-2A   1037   C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe   Sean   HOMEBASE   Normal   1   04/14/2007 16:12:21   04/14/2007 16:12:21   GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe   

REQUEST_METHOD = GET
REMOTE_HOST =
REMOTE_ADDR = 81.86.171.72
HTTP_REFERER= http://www.google.co.uk/search?hl=en&q=ip+checker&meta=
HTTP_USER_AGENT= Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

I've tried all the spyware scanners and online ones


Here's my latest HijackThis log.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:38:06, on 18/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyster 1.0.19\Spyster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: UKPoker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\UKPoker\client.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O15 - Trusted Zone: www.bleepingcomputer.com
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5351 bytes

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #1 on: April 18, 2007, 04:41:29 PM »
StartupList report, 18/04/2007, 15:39:26
StartupList version: 1.52.2
Started from : C:\hijackthis\HiJackThis_v2.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyster 1.0.19\Spyster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DU Meter = C:\Program Files\DU Meter\DUMeter.exe
SmcService = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
ASUS Probe = C:\Program Files\ASUS\Probe\AsusProb.exe
nwiz = nwiz.exe /install
NvMediaCenter = RunDLL32.exe NvMCTray.dll,NvTaskbarInit
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
Run StartupMonitor = StartupMonitor.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\Gammadyne DocPad\shell\open\command

(Default) = "C:\Program Files\DocPad\docpad.exe" "%1"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll - {B56A7D7D-6927-48C8-A975-17DF180C71AC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

XoftSpy.job

--------------------------------------------------

Enumerating Download Program Files:

[SentinelVE3D Class]
InProcServer32 = C:\Program Files\Virtual Earth 3D\SentinelVirtualEarth3D.dll
CODEBASE = http://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab

[TmHcmsX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TmHcmsX.ocx
CODEBASE = http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,084 bytes
Report generated in 0.047 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #2 on: April 18, 2007, 08:40:18 PM »
I see a couple minor issues with download managers that you may or may not want to keep, and an old version of Java, but your unexplained internet connections may be coming from KService.exe.  This is an application that installs with Sky Broadband Service that allows you to download movies to your computer. 

The problem is KService also acts as a P2P server, uploading the content you downloaded to other users who request it (saving Sky from supporting all that bandwidth, of course).  Here's a quote from their Terms and Conditions

http://www.skymovies.com/skybybroadband/termsandconditions#Terms

Quote
7. Uploading Content

If you download and save content to your computer system (a "File"), during the license period for the relevant File, we may upload parcels of content from the File from your computer system for the purpose of transferring Files to other users of the Service.

Apparently they don't mention this when you install the service, and removing Sky does not automatically remove KService.

The privacy section is also dicey

Quote
8. Computer ID

During the installation process for the Sky by broadband Application, we will detect and store the machine name, KontikiNodeId, CPU, PC bios, videocard, network card and IDE Controller information specific to your computer system, for the purposes of identifying your computer system and your eligibility to access and use the Service each time you log-in to the Service. If three or more of these features of your computer system change at any time, you will no longer be able to access the Service via that computer system and you will have to contact the Sky by broadband call centre on +44 (0)870 6094508.

Since it installs as a service you could try setting it to manual or disabled to see if your unexplained connections end.  If you decide to uninstall it there are directions here

http://www.skymovies.com/skybybroadband/articles/article04

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #3 on: April 18, 2007, 10:49:23 PM »
Hi mauserme, thank you for helping.

I had disabled channel 4's on demand

KService.exe  and  khost.exe

Since your post I've uninstalled Channel 4 On Demand and run KClean to get rid of all traces of Kontiki

from my computer to see if that was the problem, and it wasn't.

Something has hijacked WINDOWS EXPLORER, which is trying to connect to these IPs:

( 63.170.10.51:80 ) checkip.dyndns.org                               state SYN_SENT
(204.13.250.51:80) checkip.dyndns.org                               state SYN_SENT
(204.13.249.51:80) checkip.dyndns.org                               state SYN_SENT
(64.62.243.3:8081) 3.64-62-243.reverse.mccolo.com:8081     state SYN_SENT 
(204.13.250.51:80) 3.64-62-243.reverse.mccolo.com:80        state SYN_SENT

Also hijacked AVAST, which I've had to stop or AVAST tries to send to these:

gmail-smtp-in.i.google.com (66.249.93.114)
a.mx.mail.yahoo.com (209.191.118.103)
mxs.mail.ru (194.67.23.20 )
gsmtp183.google.com (64.233.183.27)
d.mx.mail.yahoo.com (216.39.53.2)

AVAST has never tried to send to these before ???


I've done online scans nothing

I've used all spyware scanners in safe mode

boot scan with AVAST
Lavasoft Ad-Aware SE Personal
SUPERAntiSpyware
AVG Anti-Spyware 7.5
CWShredder
CCleaner
Spybot - Search & Destroy
AVG Anti-Rootkit
hijackthis

Latest HijackThis:


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:36:24, on 18/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: UKPoker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\UKPoker\client.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O15 - Trusted Zone: img.bleepingcomputer.com
O15 - Trusted Zone: www.bleepingcomputer.com
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5271 bytes



Also it's strange that you said I got an old version of Java

when I downloaded and installed the latest version on 13 April 2007?

from the Sun Java site: java 6u1-windows-i586-p.exe

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #4 on: April 18, 2007, 11:30:41 PM »
Also it's strange that you said I got an old version of Java
when I downloaded and installed the latest version on 13 April 2007?
from the Sun Java site: java 6u1-windows-i586-p.exe
Sorry - it's OK.  I read the 6 as a 5.  It's been a long day.

I'll be away from a computer for several hours but will try to take a closer look later this evening.

In the mean time would you install AVG AntiRootKit and see if that turns up anything?

http://free.grisoft.com/doc/5390


EDIT:  Also have Virus Total scan C:\WINDOWS\explorer.exe and post the log

http://www.virustotal.com/en/indexf.html

And I'm trying to make sense of some of those IPs.  Your IP is dynamic, right?  Not static?

Do you see a lot of activity - like emails being sent, possibly?
« Last Edit: April 18, 2007, 11:51:46 PM by mauserme »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88791
  • No support PMs thanks
Re: Avasts been hijack please help
« Reply #5 on: April 19, 2007, 12:19:17 AM »
Quote from: UK_Sean
Also hijacked AVAST, which I've had to stop or AVAST tries to send to these:

gmail-smtp-in.i.google.com (66.249.93.114)
a.mx.mail.yahoo.com (209.191.118.103)
mxs.mail.ru (194.67.23.20 )
gsmtp183.google.com (64.233.183.27)
d.mx.mail.yahoo.com (216.39.53.2)

AVAST has never tried to send to these before

Avast has no capacity to send emails; what you may be seeing is avast's email scanner scanning outgoing email, because it intercepts email, scans it and passes it on.

One of the problems with Sygate is it is unable to tell the difference between a localhost proxy 'ashMaiSv.exe' and the application that is using the proxy. This is a known issue with Sygate (localhost loopback) and if you allow the proxy any traffic that uses it will also be allowed through.

So effectively Sygate isn't protecting against outbound connections by applications that use the localhost proxies used by avast. I would seriously consider another firewall, since sygate is no longer being developed since the buy out.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #6 on: April 19, 2007, 05:13:33 AM »
I assume you're saying ashMaiSv.exe has probably not been infected and I think you're right.  But the next logical question is why ashMaiSV.exe enters into this if UK_Sean was not sending email?

And then there's these

( 63.170.10.51:80 ) checkip.dyndns.org                               state SYN_SENT
(204.13.250.51:80) checkip.dyndns.org                               state SYN_SENT
(204.13.249.51:80) checkip.dyndns.org                               state SYN_SENT
(64.62.243.3:8081) 3.64-62-243.reverse.mccolo.com:8081     state SYN_SENT 
(204.13.250.51:80) 3.64-62-243.reverse.mccolo.com:80        state SYN_SENT

These sites seem dedicated to checking one's own IP address which I originally thought was part of the way Kontiki functions if the user has a dynamic address.  But Kontiki has been removed yet these continue.

@UK_Sean - Do you ever see that SYN/ACK is received or ACK sent?  Or is it always only SYN sent?

Are you able to confirm that you were not sending email when you saw the ashMaiSV.exe connection?  Do you use web based or client based email?

I am anxious to see the Virus Total results for C:\WINDOWS\explorer.exe
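An added example, not posted by anyone in this thread, that turns the Spyster listing quoted above into the answer mauserme is asking for: per remote endpoint, was anything beyond SYN_SENT ever observed? The five posted lines are embedded as sample input; the sixth line (a TEST-NET address and a `.invalid` hostname) is constructed so there is one completed handshake to contrast against. The function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Spyster connection listing quoted in the thread.
# The first five lines are the ones posted; the last line is made up (TEST-NET address,
# .invalid hostname) so there is one completed handshake to contrast against.
SAMPLE = """
( 63.170.10.51:80 ) checkip.dyndns.org                               state SYN_SENT
(204.13.250.51:80) checkip.dyndns.org                               state SYN_SENT
(204.13.249.51:80) checkip.dyndns.org                               state SYN_SENT
(64.62.243.3:8081) 3.64-62-243.reverse.mccolo.com:8081     state SYN_SENT
(204.13.250.51:80) 3.64-62-243.reverse.mccolo.com:80        state SYN_SENT
(203.0.113.10:80) example-update.invalid                      state ESTABLISHED
"""

LINE_RE = re.compile(
    r"\(\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*\)\s+"
    r"(?P<host>\S+)\s+state\s+(?P<state>[A-Z_0-9]+)"
)

# TCP states that prove the three-way handshake completed at some point.
COMPLETED_STATES = {"ESTABLISHED", "CLOSE_WAIT", "FIN_WAIT1", "FIN_WAIT2",
                    "CLOSING", "LAST_ACK", "TIME_WAIT"}


def parse_connections(text):
    """Return (ip, port, host, state) tuples; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        host = m.group("host")
        # The posted lines glue the port onto the hostname ("...mccolo.com:8081"); drop it.
        if host.rsplit(":", 1)[-1].isdigit():
            host = host.rsplit(":", 1)[0]
        rows.append((m.group("ip"), int(m.group("port")), host, m.group("state")))
    return rows


def summarise(rows):
    """Per remote endpoint: 'completed' if any post-handshake state was seen,
    'never completed' if only SYN_SENT was seen (nothing ever came back), else 'mixed'."""
    seen = defaultdict(set)
    hosts = {}
    for ip, port, host, state in rows:
        seen[(ip, port)].add(state)
        hosts.setdefault((ip, port), host)
    summary = {}
    for endpoint, states in seen.items():
        if states & COMPLETED_STATES:
            verdict = "completed"
        elif states == {"SYN_SENT"}:
            verdict = "never completed"
        else:
            verdict = "mixed"
        summary[endpoint] = {"host": hosts[endpoint], "states": sorted(states), "verdict": verdict}
    return summary


def only_syn_sent(rows):
    """The question asked in the thread: has anything beyond SYN_SENT ever been seen?"""
    return bool(rows) and all(state == "SYN_SENT" for _, _, _, state in rows)


if __name__ == "__main__":
    rows = parse_connections(SAMPLE)
    for endpoint, info in sorted(summarise(rows).items()):
        print(f"{endpoint[0]}:{endpoint[1]:<5} {info['host']:<40} {info['verdict']}")
    print("only SYN_SENT ever observed:", only_syn_sent(rows))
```

A remote endpoint that only ever shows SYN_SENT means the SYN left the machine and nothing came back, which is what you would expect if the firewall (or something upstream) is dropping the attempt; an ESTABLISHED or later state for the same endpoint means the connection did complete at least once and the traffic is worth capturing.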

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #7 on: April 19, 2007, 12:07:37 PM »
Hi Guys

I've not sent or received any mail since the infection.

That's why I knew something was wrong when avast was sending to those IPs,
because I'd never seen it do it before.

Also Windows Explorer trying to access the net to the other sites.


STATUS: FINISHED
Complete scanning result of "explorer.exe", received in VirusTotal at 04.19.2007, 11:54:09 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.19.1 04.19.2007  no virus found
AntiVir 7.3.1.53 04.19.2007  no virus found
Authentium 4.93.8 04.18.2007  no virus found
Avast 4.7.981.0 04.19.2007  no virus found
AVG 7.5.0.447 04.18.2007  no virus found
BitDefender 7.2 04.19.2007  no virus found
CAT-QuickHeal 9.00 04.18.2007  no virus found
ClamAV devel-20070416 04.19.2007  no virus found
DrWeb 4.33 04.19.2007  no virus found
eSafe 7.0.15.0 04.18.2007  no virus found
eTrust-Vet 30.7.3579 04.19.2007  no virus found
Ewido 4.0 04.19.2007  no virus found
FileAdvisor 1 04.19.2007  No threat detected
Fortinet 2.85.0.0 04.19.2007  no virus found
F-Prot 4.3.2.48 04.18.2007  no virus found
F-Secure 6.70.13030.0 04.19.2007  no virus found
Ikarus T3.1.1.5 04.19.2007  no virus found
Kaspersky 4.0.2.24 04.19.2007  no virus found
McAfee 5012 04.18.2007  no virus found
Microsoft 1.2405 04.19.2007  no virus found
NOD32v2 2203 04.19.2007  no virus found
Norman 5.80.02 04.19.2007  no virus found
Panda 9.0.0.4 04.19.2007  no virus found
Prevx1 V2 04.19.2007  no virus found
Sophos 4.16.0 04.17.2007  no virus found
Sunbelt 2.2.907.0 04.07.2007  no virus found
Symantec 10 04.19.2007  no virus found
TheHacker 6.1.6.088 04.09.2007  no virus found
VBA32 3.11.3 04.18.2007  no virus found
VirusBuster 4.3.7:9 04.18.2007  no virus found
Webwasher-Gateway 6.0.1 04.19.2007 no virus found

Aditional Information
File size: 1032192 bytes
MD5: a0732187050030ae399b241436565e64
SHA1: 69f33740413da112630be73ebb805a23b69f2f7f
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=a0732187050030ae399b241436565e64

Is there a way to send you some pictures to show you it's Windows Explorer trying to access the web?

Using spyster, Process Explorer, and Active Ports  monitor

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #8 on: April 19, 2007, 01:46:54 PM »
Not exactly the results I'd hoped for.

Is there a way to send you some pictures to show you it's Windows Explorer trying to access the web?
FastStone Capture is a good screen capture program.  Use the Additional Options .. link when you post in order to attach the image.

http://www.faststone.org/download.htm


Quote
Also hijacked AVAST, which I've had to stop or AVAST tries to send to these:

gmail-smtp-in.i.google.com (66.249.93.114)
a.mx.mail.yahoo.com (209.191.118.103)
mxs.mail.ru (194.67.23.20 )
gsmtp183.google.com (64.233.183.27)
d.mx.mail.yahoo.com (216.39.53.2)
Have you disabled all providers or just the Internet Mail provider?  You need to keep the Standard Shield active at the very least.

If you've already disabled the Internet Mail provider (if you haven't, briefly do so), see if a different process is identified as sending email.  Then turn it back on and set the heuristics to High.

I would also like you to run Deckard's System Scanner.  This will duplicate some of the information you already posted using a different version of HijackThis.  It will also give us some information on file creation dates that might be useful.

Download Deckard's System Scanner (DSS) to your Desktop.
  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open - Main.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the  Deckard's System Scanner  to run and don't let your Antivirus delete it. (In this case, it may be better to temporary disable your Antivirus)

Post the  main.txt from the C:\Deckard\System Scanner folder into your next reply.


Did you install Remote Packet Capture Protocol v.0?

Have you had a chance to run AVG AntiRootKit?
« Last Edit: April 19, 2007, 02:03:27 PM by mauserme »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88791
  • No support PMs thanks
Re: Avasts been hijack please help
« Reply #9 on: April 19, 2007, 02:03:25 PM »
Hi Guys

I've not sent or received any mail since the infection.

That's why I knew something was wrong when avast was sending to those IPs,
because I'd never seen it do it before.

Even if you aren't sending or receiving email, if something else on your system is using the email port 25 then avast will scan it. So there may be a possibility something else is using the email ports. But it could be process injection, see below.

The explorer.exe file may be fine; if there is some process injection then the version in memory would be the infected version. Many of the latest firewalls detect and block (if you don't authorise it) process injection.

Hopefully the DSS will sniff out the underlying application.

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #10 on: April 19, 2007, 02:09:11 PM »
... many of the latest firewalls detect and block (if you don't authorise it) process injection.
Sygate clearly isn't containing this so it does make sense to try another firewall.

I'm partial to Comodo, but do you have any other recommendations? 

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #11 on: April 19, 2007, 02:13:55 PM »
Hi again, here's some more info.


I've blocked Windows Explorer in Sygate, but when I ran Spybot I saw this Registry value.

Microsoft.WindowsSecurityCenter.FirewallBypass: Settings (Registry value, nothing done)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe

Microsoft.WindowsSecurityCenter.FirewallBypass: Settings (Registry value, nothing done)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe


I deleted the two above with regedit, but when the computer restarts or reboots the first one comes back.
I delete it every time I start the computer.

So I'm not sure if Sygate is blocking these two below?

04/19/2007 12:45:59   Blocked   3   Outgoing   TCP   copperbase.info [64.62.243.3]   00-0D-88-61-FD-19   8081   192.168.0.2   B2-E6-AF-F7-8B-2A   2378   C:\WINDOWS\explorer.exe   Sean   HOMEBASE   Normal   13   04/19/2007 12:43:38   04/19/2007 12:45:58   GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\explorer.exe   

04/19/2007 12:45:59   Blocked   3   Outgoing   TCP   checkip.dyndns.org [204.13.250.51]   00-0D-88-61-FD-19   80   192.168.0.2   B2-E6-AF-F7-8B-2A   2376   C:\WINDOWS\explorer.exe   Sean   HOMEBASE   Normal   18   04/19/2007 12:42:28   04/19/2007 12:45:57   GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\explorer.exe   

Here's one of Sygate's entries for one of the mail ones:

04/14/2007 16:13:26   Allowed   3   Outgoing   TCP   alt2.gmail-smtp-in.l.google.com [72.14.205.27]   00-0D-88-61-FD-19   25   192.168.0.2   B2-E6-AF-F7-8B-2A   1037   C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe   Sean   HOMEBASE   Normal   1   04/14/2007 16:12:21   04/14/2007 16:12:21   GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe   

REQUEST_METHOD = GET
REMOTE_HOST =
REMOTE_ADDR = 81.86.171.72
HTTP_REFERER= http://www.google.co.uk/search?hl=en&q=ip+checker&meta=
HTTP_USER_AGENT= Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

« Last Edit: April 19, 2007, 02:43:15 PM by UK_Sean »
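An added example, not posted by anyone in this thread, that reads the Sygate traffic-log lines UK_Sean pasted and applies the two points made earlier: DavidR's observation that a connection the firewall attributes to avast's localhost mail proxy (ashMaiSv.exe) tells you nothing about which application actually originated it, and the concern that explorer.exe itself is opening outbound TCP sessions to internet hosts. The three posted log lines are embedded as sample input (their tab separators became runs of spaces when pasted, which the parser accepts); the last two lines, a browser connection to a TEST-NET address and an explorer.exe connection to a LAN address, are constructed so the rules have records they should not flag. Column names, the proxy list and the rule wording are the example's own assumptions.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Column order of the Sygate Personal Firewall traffic log as pasted in this thread (assumed).
FIELDS = ["time", "action", "severity", "direction", "protocol", "remote", "remote_mac",
          "remote_port", "local_ip", "local_mac", "local_port", "application", "user",
          "host", "location", "occurrences", "begin", "end", "rule"]

# Constructed sample: lines 1-3 are the entries posted in the thread; lines 4-5 are made up
# (a browser connection to a TEST-NET address, and explorer.exe talking to a LAN share).
SAMPLE_LOG = r"""
04/19/2007 12:45:59   Blocked   3   Outgoing   TCP   copperbase.info [64.62.243.3]   00-0D-88-61-FD-19   8081   192.168.0.2   B2-E6-AF-F7-8B-2A   2378   C:\WINDOWS\explorer.exe   Sean   HOMEBASE   Normal   13   04/19/2007 12:43:38   04/19/2007 12:45:58   GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\explorer.exe
04/19/2007 12:45:59   Blocked   3   Outgoing   TCP   checkip.dyndns.org [204.13.250.51]   00-0D-88-61-FD-19   80   192.168.0.2   B2-E6-AF-F7-8B-2A   2376   C:\WINDOWS\explorer.exe   Sean   HOMEBASE   Normal   18   04/19/2007 12:42:28   04/19/2007 12:45:57   GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\explorer.exe
04/14/2007 16:13:26   Allowed   3   Outgoing   TCP   alt2.gmail-smtp-in.l.google.com [72.14.205.27]   00-0D-88-61-FD-19   25   192.168.0.2   B2-E6-AF-F7-8B-2A   1037   C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe   Sean   HOMEBASE   Normal   1   04/14/2007 16:12:21   04/14/2007 16:12:21   GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
04/19/2007 12:50:00   Allowed   3   Outgoing   TCP   www.example.com [192.0.2.10]   00-0D-88-61-FD-19   80   192.168.0.2   B2-E6-AF-F7-8B-2A   2400   C:\Program Files\Internet Explorer\iexplore.exe   Sean   HOMEBASE   Normal   1   04/19/2007 12:50:00   04/19/2007 12:50:00   GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\Program Files\Internet Explorer\iexplore.exe
04/19/2007 12:51:00   Allowed   3   Outgoing   TCP   NAS [192.168.0.1]   00-0D-88-61-FD-19   445   192.168.0.2   B2-E6-AF-F7-8B-2A   2410   C:\WINDOWS\explorer.exe   Sean   HOMEBASE   Normal   2   04/19/2007 12:51:00   04/19/2007 12:51:00   GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\explorer.exe
"""

# avast's localhost scanning proxies: when the firewall names one of these as the application,
# the real originating process is invisible to it (the loopback issue described in the thread).
LOCAL_PROXIES = {"ashmaisv.exe", "ashwebsv.exe"}
# The Windows shell has no normal reason to open TCP sessions to arbitrary internet hosts.
SHELL_PROCESSES = {"explorer.exe"}
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_sygate_line(line):
    """Split one pasted log line on tabs or runs of 2+ spaces; return None if it does not fit."""
    parts = re.split(r"\t|\s{2,}", line.strip())
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    m = re.match(r"(?P<host>\S+)\s+\[(?P<ip>[\d.]+)\]$", rec["remote"])   # "host [ip]"
    rec["remote_host"] = m.group("host") if m else rec["remote"]
    rec["remote_ip"] = m.group("ip") if m else None
    rec["remote_port"] = int(rec["remote_port"])
    rec["occurrences"] = int(rec["occurrences"])
    rec["image"] = rec["application"].rsplit("\\", 1)[-1].lower()        # bare executable name
    return rec


def parse_sygate_log(text):
    return [r for r in (parse_sygate_line(l) for l in text.splitlines()) if r]


def is_local_net(ip):
    """True for RFC 1918 and loopback destinations, which a shell process may legitimately reach."""
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def triage(records):
    """Flag outbound records whose attributed application is either a local proxy (origin
    unknown) or the shell reaching an external host. Returns one finding dict per record."""
    findings = []
    for r in records:
        if r["direction"] != "Outgoing":
            continue
        if r["image"] in LOCAL_PROXIES:
            reason = "attributed to a localhost scanning proxy; originating application hidden from the firewall"
        elif r["image"] in SHELL_PROCESSES and not is_local_net(r["remote_ip"]):
            reason = "shell process opening outbound TCP to an external host"
        else:
            continue
        findings.append({"image": r["image"], "action": r["action"], "remote_host": r["remote_host"],
                         "remote_ip": r["remote_ip"], "remote_port": r["remote_port"],
                         "occurrences": r["occurrences"], "reason": reason})
    return findings


def endpoints_by_application(records):
    """Which remote (host, port) pairs each application touched, summed over the log's repeat counts."""
    out = defaultdict(Counter)
    for r in records:
        out[r["image"]][(r["remote_host"], r["remote_port"])] += r["occurrences"]
    return out


if __name__ == "__main__":
    recs = parse_sygate_log(SAMPLE_LOG)
    for f in triage(recs):
        print(f"{f['action']:<8}{f['image']:<14}{f['remote_host']}:{f['remote_port']}  "
              f"x{f['occurrences']}  {f['reason']}")
```

The `occurrences` column matters as much as the destination: 13 and 18 repeats inside three minutes for two explorer.exe entries is a retry loop, not a user action, and the proxy finding says only that the SMTP session passed through ashMaiSv.exe, so the next step is what the thread already suggests: disable the mail provider briefly and read the application column again.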

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #12 on: April 19, 2007, 02:22:10 PM »
Please post the DSS and AVG AntiRootKit logs.

Any luck identifying the process with the Internet Mail provider off?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88791
  • No support PMs thanks
Re: Avasts been hijack please help
« Reply #13 on: April 19, 2007, 02:38:45 PM »
... many of the latest firewalls detect and block (if you don't authorise it) process injection.
Sygate clearly isn't containing this so it does make sense to try another firewall.

I'm partial to Comodo, but do you have any other recommendations? 

I have been using Outpost Pro for some years now with no major issues and it is very good on the Anti-leak and Component control. But it can be a bit overwhelming when first installed; Comodo (I've never used it) has good responses in the forums if it can handle process injection, and the price can't be beaten, free, gratis, nada, zilch ;D

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #14 on: April 19, 2007, 03:06:44 PM »
Hi,
had a problem with the pics, had to compress them.