Author Topic: Avasts been hijack please help  (Read 85531 times)


T34

  • Guest
Re: Avasts been hijack please help
« Reply #120 on: April 24, 2007, 08:50:41 AM »
mauserme,

I noticed that SDFix cleaned cmmgr32.exe two times.

There is no file, not even a hidden one, at C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT98.tmp
There is only BIT98.tmp, but it is 0 KB, and there is no cmmgr32 at all on the system. What's funny is that this is a file which belongs to the system, but I think I won't need it. :)

I will observe my system and scan.
Once more, thank you all for assistance and support.
And I believe that UK-Sean will clean the system very soon; he needs to find and destroy the harmful files or registry keys.
By the way, do I need to clean the registry after this, or didn't this malware change the registry?

UK-Sean, I think you should scan the computer with the antivirus in safe mode one more time, just to exclude any harmful stuff known to the antivirus, and check whether any hidden downloader is still successfully working and fetching any new stuff from the web.

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #121 on: April 24, 2007, 02:02:24 PM »
Quote
I noticed that SDFix cleaned cmmgr32.exe two times.

What's funny is that this is a file which belongs to the system, but I think I won't need it. :)

We can probably find a copy to download if you find you need it, but it would be interesting to see a VirusTotal scan on one of those now located in your SDFix backup folder. This file can get infected just as ndis.sys did.

Quote
By the way, do I need to clean the registry after this, or didn't this malware change the registry?

If you post a HijackThis log we can look for keys specific to the malware - might see other things as well. It would be a good double-check.

T34

  • Guest
Re: Avasts been hijack please help
« Reply #122 on: April 24, 2007, 04:20:11 PM »
Hi,

Both cmmgr32.exe files in the SDFix backup folder are 0 KB, so there is nothing to scan on VirusTotal. I will try SDFix once more after some time and then I will see whether it finds and removes it again.
Here is my log from HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 16:18:24, on 2007-04-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Olek\Moje dokumenty\Aplikacje\HijackThis 1.99.1\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Down2Home.lnk = C:\Program Files\Down2Home\Down2Home.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Wyślij do interfejsu &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 34065
  • malware fighter
Re: Avasts been hijack please help
« Reply #123 on: April 24, 2007, 04:43:09 PM »
Hi T34,

I don't know about this one: Visitor's assessment Analyzerdetails Unknown
   O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule

   Unknown application. Everything OK,

regards,

polonus
« Last Edit: April 24, 2007, 06:33:30 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

T34

  • Guest
Re: Avasts been hijack please help
« Reply #124 on: April 24, 2007, 05:13:39 PM »
Thanks a lot for all once more.
Cognizance seems fine...

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #125 on: April 24, 2007, 08:22:20 PM »
Hi guys

Here's my update

Download Accelerator Plus - if you didn't pay for it, it used to have ads in it, and HiDownload I've had for quite a bit with no problems.

I think it will be a false positive by A-Squared, as no other scanners have flagged it and, over the last week, I've used most of them.

Since doing it manually, explorer.exe has stopped.

VirusTotal scan

C:\windows\system32\

Winlogon.exe              scanned and was clean
main.sys (if present)     not present
adiras.exe (if present)   not present
wxmst.exe (if present)    not present
wsctl.exe (if present)    not present

C:\Hostfile\Hosts.exe.txt   I'd already deleted it

Also scanned C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ ... \BITxx.tmp

The first two files VirusTotal wouldn't scan, saying 0 KB.

Third one: all said no virus found apart from one (Fortinet 2.85.0.0 04.24.2007 suspicious).

I'll do some more later tonight, as the VirusTotal site gets busy.

You asked whether I added this to my trusted sites: O15 - Trusted Zone: img.bleepingcomputer.com

Yes I did. I had a problem accessing the site when this infection started.

Quote
Was it svchost.exe trying to connect to those update-like web sites? Is that still occurring?

I notice these sites only try and connect when I'm using something else, so if I wasn't keeping an eye on my firewall traffic logs I wouldn't have known.

Here's a quick summary of what service the update-like web sites used

avgas.exe - turned it off

avgas.exe swapped to svchost.exe

Then I blocked these services in my firewall:

NT Kernel and system
LSA Shell (Export Version)
Generic Host Process For Win32 Service
Application Layer Gateway Service

Then it swapped from svchost.exe to ashWebSv.exe

I turned off Avast and it swapped to iexplore.exe

I looked in Services in Administrative Tools

Found GMGSNLREI - googled it, found nothing, disabled it (picture below)
Found MHU - googled it, found nothing, disabled it (picture below)

Did three online scans, all clean

I noticed in the HijackThis log that 2 files were missing for Avast, so I did a repair in Add/Remove.

Then checked to see if there was a program update, which there was, so updated.

It still says in the HijackThis log that 2 Avast files are missing ???

Today

Did a boot scan with Avast      clean
SuperAntiSpyware                clean
AVG Anti-Spyware 7.5            clean

Not sure what's stopped them, but nothing today so far.

I'll post my firewall logs; I've broken it down to just the update-like web sites entries.

Also I'll post a new HijackThis log.

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #126 on: April 24, 2007, 08:24:35 PM »
Firewall log

04/23/2007 19:27:05   Allowed   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.210]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   3966   C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe   Sean   HOMEBASE   Normal   22   04/23/2007 19:25:59   04/23/2007 19:26:03   Ask all running apps

This one used AVG Anti-Spyware 7.5\avgas.exe. There were a few more, but they used svchost.exe


04/23/2007 20:42:35   Blocked   3   Outgoing   TCP   au.download.windowsupdate.com [87.248.210.197]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   4137   C:\WINDOWS\system32\svchost.exe   Sean   HOMEBASE   Normal   3   04/23/2007 20:41:25   04/23/2007 20:41:34   GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe   


04/23/2007 20:42:58   Blocked   3   Outgoing   TCP   rs.update.microsoft.com [84.53.135.209]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   4140   C:\WINDOWS\system32\svchost.exe   Sean   HOMEBASE   Normal   3   04/23/2007 20:42:00   04/23/2007 20:42:08   GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe   


04/23/2007 20:42:58   Blocked   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.201]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   4143   C:\WINDOWS\system32\svchost.exe   Sean   HOMEBASE   Normal   6   04/23/2007 20:42:20   04/23/2007 20:42:50   GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe


04/23/2007 20:44:16   Blocked   3   Outgoing   TCP   rs.update.microsoft.com [84.53.135.209]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   4144   C:\WINDOWS\system32\svchost.exe   Sean   HOMEBASE   Normal   3   04/23/2007 20:43:02   04/23/2007 20:43:11   GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe   


Then I blocked these services in my firewall:

NT Kernel and system
LSA Shell (Export Version)
Generic Host Process For Win32 Service
Application Layer Gateway Service


Then nothing till it swapped from svchost.exe to ashWebSv.exe


04/23/2007 23:47:20   Allowed   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.210]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1130   C:\Program Files\Alwil Software\Avast4\ashWebSv.exe   Sean   HOMEBASE   Normal   20   04/23/2007 23:48:23   04/23/2007 23:48:24   Ask all running apps


04/23/2007 23:47:26   Allowed   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.210]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1139   C:\Program Files\Alwil Software\Avast4\ashWebSv.exe   Sean   HOMEBASE   Normal   4   04/23/2007 23:48:30   04/23/2007 23:48:30   Ask all running apps   


04/23/2007 23:48:16   Allowed   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.211]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1152   C:\Program Files\Alwil Software\Avast4\ashWebSv.exe   Sean   HOMEBASE   Normal   1   04/23/2007 23:49:20   04/23/2007 23:49:20   Ask all running apps


04/23/2007 23:49:29   Allowed   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.210]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1157   C:\Program Files\Alwil Software\Avast4\ashWebSv.exe   Sean   HOMEBASE   Normal   1   04/23/2007 23:50:37   04/23/2007 23:50:37   Ask all running apps


04/23/2007 23:49:34   Allowed   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.210]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1161   C:\Program Files\Alwil Software\Avast4\ashWebSv.exe   Sean   HOMEBASE   Normal   2   04/23/2007 23:50:37   04/23/2007 23:50:37   Ask all running apps


04/24/2007 00:06:31   Allowed   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.211]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1203   C:\Program Files\Alwil Software\Avast4\ashWebSv.exe   Sean   HOMEBASE   Normal   1   04/24/2007 00:07:35   04/24/2007 00:07:35   Ask all running apps


Then I turned off Avast and it swapped to iexplore.exe


04/24/2007 00:08:01   Allowed   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.211]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1206   C:\Program Files\Internet Explorer\iexplore.exe   Sean   HOMEBASE   Normal   1   04/24/2007 00:09:06   04/24/2007 00:09:06   Ask all running apps



04/24/2007 00:11:17   Allowed   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.210]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1289   C:\Program Files\Internet Explorer\iexplore.exe   Sean   HOMEBASE   Normal   40   04/24/2007 00:12:22   04/24/2007 00:12:24   Ask all running apps


04/24/2007 00:11:22   Allowed   3   Outgoing   TCP   rs.update.microsoft.com [84.53.135.209]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1293   C:\Program Files\Internet Explorer\iexplore.exe   Sean   HOMEBASE   Normal   3   04/24/2007 00:12:26   04/24/2007 00:12:26   Ask all running apps


04/24/2007 00:11:22   Allowed   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.210]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1288   C:\Program Files\Internet Explorer\iexplore.exe   Sean   HOMEBASE   Normal   2   04/24/2007 00:12:27   04/24/2007 00:12:27   Ask all running apps   


04/24/2007 00:12:33   Allowed   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.210]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1295   C:\Program Files\Internet Explorer\iexplore.exe   Sean   HOMEBASE   Normal   1   04/24/2007 00:13:37   04/24/2007 00:13:37   Ask all running apps   


04/24/2007 00:13:40   Allowed   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.210]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1298   C:\Program Files\Internet Explorer\iexplore.exe   Sean   HOMEBASE   Normal   3   04/24/2007 00:14:43   04/24/2007 00:14:43   Ask all running apps   


04/24/2007 00:25:52   Allowed   3   Outgoing   TCP   rs.update.microsoft.com [84.53.135.209]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1301   C:\Program Files\Internet Explorer\iexplore.exe   Sean   HOMEBASE   Normal   2   04/24/2007 00:27:00   04/24/2007 00:27:00   Ask all running apps   


Then nothing since this last entry above.

I really appreciate all the help, you guys.
« Last Edit: April 24, 2007, 08:29:22 PM by UK_Sean »
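Sean's firewall log above is easier to read by program than by eye. The following is an added example, not part of the thread and not code from any firewall vendor: it parses entries laid out like the log posted above (the column names are my own labels, and the sample lines are constructed from the thread's hosts, addresses and programs), then reports which local programs reached each remote host and lists the blocked attempts. Hosts reached by several different programs are the "swapping" pattern Sean describes; ashWebSv.exe is treated as a local HTTP proxy, as mauserme explains further down, so a browser going through it does not trigger that check on its own.

```python
import re
from collections import defaultdict
from os.path import basename

# Column layout of the firewall traffic log pasted in the thread (one entry per
# line, fields separated by tabs or runs of spaces). Names are my own labels.
FIELDS = ["timestamp", "action", "severity", "direction", "protocol", "remote",
          "remote_mac", "remote_port", "local_ip", "local_mac", "local_port",
          "application", "user", "computer", "location", "occurrences",
          "begin", "end", "rule"]

# avast!'s web scanner is a local HTTP proxy, so the firewall sees it instead of
# the program that actually made the request (mauserme's point in the thread).
# Such proxies are not counted as a separate "hopping" process.
LOCAL_HTTP_PROXIES = {"ashwebsv.exe"}

# Constructed sample: entries in the same layout as the posted log, with hosts,
# addresses and programs taken from the thread.
SAMPLE_LOG = r"""
04/23/2007 19:27:05   Allowed   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.210]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   3966   C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe   Sean   HOMEBASE   Normal   22   04/23/2007 19:25:59   04/23/2007 19:26:03   Ask all running apps
04/23/2007 20:42:35   Blocked   3   Outgoing   TCP   au.download.windowsupdate.com [87.248.210.197]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   4137   C:\WINDOWS\system32\svchost.exe   Sean   HOMEBASE   Normal   3   04/23/2007 20:41:25   04/23/2007 20:41:34   GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
04/23/2007 20:42:58   Blocked   3   Outgoing   TCP   rs.update.microsoft.com [84.53.135.209]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   4140   C:\WINDOWS\system32\svchost.exe   Sean   HOMEBASE   Normal   3   04/23/2007 20:42:00   04/23/2007 20:42:08   GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
04/23/2007 23:47:20   Allowed   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.210]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1130   C:\Program Files\Alwil Software\Avast4\ashWebSv.exe   Sean   HOMEBASE   Normal   20   04/23/2007 23:48:23   04/23/2007 23:48:24   Ask all running apps
04/24/2007 00:08:01   Allowed   3   Outgoing   TCP   au.download.windowsupdate.com [84.53.135.211]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1206   C:\Program Files\Internet Explorer\iexplore.exe   Sean   HOMEBASE   Normal   1   04/24/2007 00:09:06   04/24/2007 00:09:06   Ask all running apps
04/24/2007 00:11:22   Allowed   3   Outgoing   TCP   rs.update.microsoft.com [84.53.135.209]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   1293   C:\Program Files\Internet Explorer\iexplore.exe   Sean   HOMEBASE   Normal   3   04/24/2007 00:12:26   04/24/2007 00:12:26   Ask all running apps
04/24/2007 19:33:07   Blocked   3   Outgoing   TCP   csc3-2004-crl.verisign.com [64.94.110.11]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   2994   C:\WINDOWS\explorer.exe   Sean   HOMEBASE   Normal   1   04/24/2007 19:34:12   04/24/2007 19:34:12   Ask all running apps
"""

_REMOTE_RE = re.compile(r"^(?P<host>\S+) \[(?P<ip>[\d.]+)\]$")


def parse_entry(line):
    """Parse one log line into a dict, or return None if it is not an entry."""
    parts = re.split(r"\t|\s{3,}", line.strip())
    if len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    m = _REMOTE_RE.match(entry["remote"])
    entry["remote_host"] = m.group("host") if m else entry["remote"]
    entry["remote_ip"] = m.group("ip") if m else ""
    # Normalise the program to its lower-cased file name (Windows path).
    entry["process"] = basename(entry["application"].replace("\\", "/")).lower()
    return entry


def parse_log(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def processes_per_host(entries):
    """Map each remote host to the sorted list of local programs that reached it."""
    by_host = defaultdict(set)
    for e in entries:
        if e["direction"] == "Outgoing":
            by_host[e["remote_host"]].add(e["process"])
    return {host: sorted(procs) for host, procs in by_host.items()}


def hopping_hosts(entries, min_processes=2):
    """Hosts contacted by several distinct programs (avgas.exe, svchost.exe,
    iexplore.exe in turn, as in the thread). Local proxies are ignored."""
    flagged = {}
    for host, procs in processes_per_host(entries).items():
        real = [p for p in procs if p not in LOCAL_HTTP_PROXIES]
        if len(real) >= min_processes:
            flagged[host] = real
    return flagged


def blocked_entries(entries):
    """(timestamp, program, host) for every attempt the firewall blocked."""
    return [(e["timestamp"], e["process"], e["remote_host"])
            for e in entries if e["action"] == "Blocked"]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for host, procs in hopping_hosts(log).items():
        print(f"{host}: reached by {', '.join(procs)}")
    for ts, proc, host in blocked_entries(log):
        print(f"blocked {ts} {proc} -> {host}")
```

The field split accepts either tabs or runs of three or more spaces because exported logs and forum paste differ in that respect; a line with the wrong number of columns is skipped rather than guessed at. Run it on a full export by replacing SAMPLE_LOG with the file's contents.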

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #127 on: April 24, 2007, 08:36:58 PM »
New Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 19:33:28, on 24/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: UKPoker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\UKPoker\client.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


I don't understand why 2 Avast files are missing, as I've done a repair and then a program update.

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #128 on: April 24, 2007, 08:50:30 PM »
I'll try to sort through all this a little later, but for now I can tell you the missing avast! files are nothing to worry about. It's a glitch with HijackThis - it doesn't report them correctly.

The switching between iexplore.exe and ashWebSv.exe is OK too. The avast! web scanner acts as a proxy, funneling all HTTP through it for analysis, so your firewall will see it, instead of Internet Explorer, when avast! is running.

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #129 on: April 24, 2007, 10:10:00 PM »
Is this thread at bleepingcomputer yours too?

http://www.bleepingcomputer.com/forums/topic88525.html

If it isn't, the similarities, even in the HJT logs, are amazing.

Can't help but notice Snowhite also recommends removing DAP and HiDownload, as did essexboy in our thread. I called them minor issues when we first started this process, but I really feel now they need to be removed - if for no other reason than to exclude them from the list of possible problems. If they can't be removed with Add/Remove Programs, we can do it with HijackThis.

Also, does Modern Humanitarian University (MHU) ring any bells? They have web-based television and you seem very media oriented, so it's worth asking the question even if it's a long shot. Their programming originates in the Russian Federation.

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #130 on: April 24, 2007, 10:43:48 PM »
Hi mauserme,

Quote
Is this thread at bleepingcomputer yours too?

Yes it was mine.

I had problems connecting to the bleepingcomputer website; that's why I tried it in the trusted zone.

It just wouldn't load.

I'll uninstall DAP and HiDownload.

Do you know of any good download manager without ads?

Quote
Also, does Modern Humanitarian University (MHU) ring any bells? They have web based television and you seem very media oriented

About 3 weeks ago I was checking out web-based TV.

I bought a DVB-T USB dongle so I could watch digital TV on my PC, but the only channels I got were

BBC1, BBC2, BBC News 24; that was it.

So I uninstalled it.

I don't remember signing up for any web-based TV; just looked.
« Last Edit: April 24, 2007, 10:45:36 PM by UK_Sean »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avasts been hijack please help
« Reply #131 on: April 24, 2007, 10:57:09 PM »
Download manager, safe and secure: http://www.leechget.net/en/

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #132 on: April 24, 2007, 11:03:14 PM »
Hi guys

Thanks essexboy, I'll check it out

Just uninstalled DAP and HiDownload

This is the new log


Logfile of HijackThis v1.99.1
Scan saved at 21:59:49, on 24/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\RunOnce: [DAP Cleanup] C:\DOCUME~1\Sean\LOCALS~1\Temp\DAPREMOVE.EXE /CLEANUP /DIR="C:\PROGRA~1\DAP"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: UKPoker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\UKPoker\client.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
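Sean posted a HijackThis log before and after uninstalling DAP and HiDownload, and mauserme's point that the two avast! "(file missing)" service lines are a HijackThis reporting glitch is exactly the kind of thing worth encoding once rather than re-reading every time. The following is an added example, not code from the thread or from HijackThis: it splits a log into the running-process list and the numbered items, diffs two logs to show what an uninstall actually removed, and lists the remaining "(file missing)" items with the known-glitch avast! lines filtered out. The embedded logs are constructed excerpts of the two logs posted above.

```python
import re

# A HijackThis item line: a section code (R0, O4, O23, ...), " - ", then the item.
ITEM_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")

# HijackThis 1.99.1 reports avast!'s mail and web scanner services as
# "(file missing)" even though they run; mauserme calls it a HijackThis glitch
# in the thread, so they are filtered out of the missing-file report by default.
KNOWN_HJT_QUIRKS = ("ashMaiSv.exe", "ashWebSv.exe")

# Constructed excerpts of the two logs Sean posted (before and after removing
# DAP and HiDownload); only a few lines of each are kept.
HJT_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 19:33:28, on 24/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

HJT_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 21:59:49, on 24/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [DAP Cleanup] C:\DOCUME~1\Sean\LOCALS~1\Temp\DAPREMOVE.EXE /CLEANUP /DIR="C:\PROGRA~1\DAP"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""


def parse_hjt(text):
    """Split a log into its running-process paths and its numbered item lines."""
    processes, items = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if ITEM_RE.match(line):
            in_processes = False      # first item line ends the process list
            items.append(line)
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "items": items}


def diff_logs(before, after):
    """Items that appeared or disappeared between two parsed logs."""
    old, new = set(before["items"]), set(after["items"])
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def file_missing(log, ignore=KNOWN_HJT_QUIRKS):
    """'(file missing)' items, minus the lines known to be mis-reported."""
    out = []
    for item in log["items"]:
        if not item.endswith("(file missing)"):
            continue
        if any(q.lower() in item.lower() for q in ignore):
            continue
        out.append(item)
    return out


def sections(log):
    """Count of items per HijackThis section code, e.g. {'O4': 2, ...}."""
    counts = {}
    for item in log["items"]:
        sec = ITEM_RE.match(item).group("section")
        counts[sec] = counts.get(sec, 0) + 1
    return counts


if __name__ == "__main__":
    before, after = parse_hjt(HJT_BEFORE), parse_hjt(HJT_AFTER)
    for key, lines in diff_logs(before, after).items():
        for line in lines:
            print(f"{key}: {line}")
    for line in file_missing(after):
        print(f"still missing: {line}")
```

The diff is a plain set comparison of whole item lines, which is what you want here: an uninstall should remove its O8/O9 entries and may leave a RunOnce cleanup entry, and anything else that changes between two scans taken minutes apart deserves a look.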


Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67183
Re: Avasts been hijack please help
« Reply #133 on: April 24, 2007, 11:34:20 PM »
The best things in life are free.

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #134 on: April 24, 2007, 11:42:42 PM »
Hi guys

Cheers essexboy for the link for the download manager; it looks as good as or better than DAP.

I've just noticed in my firewall traffic log 3 explorer.exe entries, but not the same as before: it didn't appear in my firewall trying to access the web like last time. Nothing since 19.35.


These are the entries:


04/24/2007 19:33:07   Blocked   3   Outgoing   TCP   csc3-2004-crl.verisign.com [64.94.110.11]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   2994   C:\WINDOWS\explorer.exe   Sean   HOMEBASE   Normal   1   04/24/2007 19:34:12   04/24/2007 19:34:12   Ask all running apps   


04/24/2007 19:33:13   Blocked   3   Outgoing   TCP   csc3-2004-crl.verisign.com [64.94.110.11]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   2994   C:\WINDOWS\explorer.exe   Sean   HOMEBASE   Normal   1   04/24/2007 19:34:15   04/24/2007 19:34:15   Ask all running apps   


04/24/2007 19:33:18   Blocked   3   Outgoing   TCP   csc3-2004-crl.verisign.com [64.94.110.11]   00-0D-88-61-FD-19   80   192.168.0.3   00-0C-6E-85-8C-E8   2994   C:\WINDOWS\explorer.exe   Sean   HOMEBASE   Normal   1   04/24/2007 19:34:21   04/24/2007 19:34:21   Ask all running apps