Author Topic: Avasts been hijack please help  (Read 83622 times)


mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #90 on: April 22, 2007, 02:51:02 AM »
It could be a trojan called Spam-RUCrzy. 

Please take a few minutes to run a Complete Scan with SuperAntiSpyware (I know you've done it before) and then SDFix.  Make sure to quarantine in SAS.

We may also need a scan with ComboFix afterwards.

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #91 on: April 22, 2007, 03:02:42 AM »
Hi guys

Very strange, I did a search for cp1041.nls and found 2:

one in my c: folder and another one in a folder called back up. I right clicked on the back up one and opened the folder and it had

cp1041.nls   13:04:2007  01:39
ndis.sys       12:04:2007  20:12

The reason I've put the time is that 12:04:2007 at 20:12 is when I believe I got infected.


If you look at my post 47 I put

Quote
I believe it all started on 12/04/2007   20:12:02

after looking at some webpages

Here are some entries from Windows Event Viewer "system" at that time; I copied all of them as I didn't know which ones might help

Event Type:   Information
Event Source:   Service Control Manager
Event Category:   None
Event ID:   7035
Date:      12/04/2007
Time:      20:12:02
User:      NT AUTHORITY\SYSTEM
Computer:   HOMEBASE
Description:
The avast! Mail Scanner service was successfully sent a stop control.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And the back up folder is in the SDFix


mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #92 on: April 22, 2007, 03:04:35 AM »
Here's a thread at the SAS Forum that seems pertinent (I need more time to go through it all)

http://forums.superantispyware.com/viewtopic.php?t=516&postdays=0&postorder=asc&start=0

Have you run SAS again yet?


EDIT:  Please post the entire SDFix log.

EDIT #2:  Sean - how long ago did you run SDFix?  I need to see if there is a line in the log stating that ndis.sys has been replaced by the original version.  Again, please post the entire log, if you have it, not just the contents of the SDFix backup folder.
« Last Edit: April 22, 2007, 07:11:57 AM by mauserme »

T34

  • Guest
Re: Avasts been hijack please help
« Reply #93 on: April 22, 2007, 09:28:45 AM »
Hello,

Yes, I've got the cp1041.nls file and what's more my AVG Antispyware has found it, but after cleaning and rebooting the file is alive again.
It says that it is SpamTool Win32.Agent.u and, what is strange, the recommended action by AVG is ignoring the file. It describes the risk as low.

I am going to try SDFix, but a bit later (no time at the moment).
Thanks for the support.

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #94 on: April 22, 2007, 02:15:12 PM »
If I've got it right ndis.sys is a trojaned version of a legitimate driver of the same name.  It is responsible for the recurrence of cp1041.nls. There should (might) be a clean copy of ndis.sys in your dll cache.  The thread I posted above used a manual method to fix this but I think SDFix will do it automatically.

I'm wondering, though, when UK_Sean ran SDFix.  I had asked him to run it early in this process (page 3) but he didn't post anything about it until page 7.  If he ran it early on but still kept seeing outbound then this is clearly not his fix.

T34 - please put a copy of cp1041.nls and ndis.sys in the user section of the avast! chest before running SDFix.  This way we will have a copy to send to avast! before they get deleted.


EDIT:
Quote
It says that it is SpamTool Win32.Agent.u ...
Probably different names for the same malware.
« Last Edit: April 22, 2007, 02:24:47 PM by mauserme »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33925
  • malware fighter
Re: Avasts been hijack please help
« Reply #95 on: April 22, 2007, 04:43:46 PM »
Hi Mauserme,

The aliases for this malware are SpamTool.Win32.Agent.i or h; Hacktool Spammer; Spammit, Troj/Spammit-E/Troj/Spammit-H. The malware adds other software, Autostarts/Stays Resident, Connects to Internet, No Standard Uninstaller, Sends Mail. For removal information see:
http://www.sophos.com/virusinfo/analyses/trojspammith.html
The malware is distributed in various ways via email, malicious or hacked websites, IRC, p2p-networks and other means.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #96 on: April 22, 2007, 05:58:15 PM »
Hi Guys

I ran SuperAntiSpyware and it found trojan spam.RUCrey, one in memory and one was a file.

When I put it in quarantine, I noticed that on the 14th when I ran SuperAntiSpyware it did the same.

So I turned System Restore off and booted into safe mode and did another scan and it was back:

spam.RUCrey and another one called trojan downloader-MSNETAX, both in the memory and both had a file

spam.RUCrey = c:/cp1041.nls

downloader-MSNETAX = c:/windows/system32/HHH.DLL

I quarantined again and rebooted.

Problem now is I can't connect to the internet (I'm on my laptop at the moment).

When I right click on network connection repair it said it couldn't get an IP address. Tried making a new connection and at the end it says there was an error.

So it's looking like a reformat and a clean copy of XP.

« Last Edit: April 22, 2007, 06:17:22 PM by UK_Sean »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Avasts been hijack please help
« Reply #97 on: April 22, 2007, 07:17:46 PM »
Quote
So it's looking like a reformat and a clean copy of XP.
Overinstallation can solve the problem and you won't lose your programs, settings, data, files, etc.
Just choose 'Repair' installation of Windows and install 'over' the old installation.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;315341
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314058
http://www.webtree.ca/windowsxp/repair_xp.htm

At this time, I really suggest you install Windows over your 'old' installation.
You won't lose your programs and settings, nor your data.
The best things in life are free.

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #98 on: April 22, 2007, 08:55:42 PM »
To UK_Sean

Open SuperAntiSpyware again but this time click the Preferences button.  Then click the Repairs tab.  Scroll down and highlight Repair Broken Network Connection (WinSock LSP Chain) and click Repair.

With a bit of luck this will fix the connection.

T34

  • Guest
Re: Avasts been hijack please help
« Reply #99 on: April 22, 2007, 10:21:32 PM »
I have found two files ndis.sys (second: ndis.sys(2)).
I couldn't copy the first one to quarantine in avast, because it was in use;
I don't know which process is using it.
I hope SDFix will help.
Now I am scanning the system with SuperAntiSpyware, then I am going to use SDFix and I will show you the log.

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #100 on: April 22, 2007, 10:25:19 PM »
Do the reverse - SDFix first, then SAS.  Keep the WinSock repair in mind if you need it.

T34

  • Guest
Re: Avasts been hijack please help
« Reply #101 on: April 22, 2007, 10:59:46 PM »
Anyway, SAS has found nothing, only three cookies.
I will try SDFix soon and we will see whether explorer.exe will change its bad behaviour.

But there is a question: if SAS showed nothing before I used SDFix, does it matter that it shows nothing after SDFix?

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #102 on: April 22, 2007, 11:29:42 PM »
I think SDFix will get the downloader responsible for all this while SAS might not.  But please post both logs so we can see.


EDIT:  Do I understand correctly that AVG AS removed cp1041.nls, it came back, and SAS doesn't see it?  Maybe post the AVG AS log instead.
« Last Edit: April 22, 2007, 11:49:10 PM by mauserme »

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #103 on: April 23, 2007, 03:37:08 PM »
Hi guys

Seems like quite a few people are infected with this in the last few weeks.

IMPORTANT THIS IS WHAT I DID, ASK THE GUYS HERE FIRST AS IT MIGHT NOT WORK FOR EVERYONE !!!

For my fix I needed a clean copy of Windows SP2 Ndis.sys and a copy of IceSword (got it here: http://www.majorgeeks.com/Icesword_d5199.html) and installed it.

I got my copy of Windows SP2 Ndis.sys from my laptop. I zipped it, put it on a floppy, transferred it to my main computer and put the copy on my desktop, then I extracted it to the windows/system32/drivers folder.

Then I booted up into safe mode (keep pressing F8 at start up).

Then I opened IceSword and on the left side clicked the Files tab and located the windows/system32/drivers/ folder, then on the right side pane I found Ndis.sys, right clicked on it and clicked Forced Delete.

Then on the left side I clicked on c:/ and on the right side found cp1041.nls, right clicked on it and clicked Forced Delete, then I exited IceSword.

Then I extracted another copy of the new SP2 Ndis.sys from my desktop to windows/system32/drivers.

Then I rebooted.

Then did a scan with SuperAntiSpyware: trojan spam.RUCrey had gone but trojan downloader-MSNETAX was still there.

So I pressed Fix with SuperAntiSpyware and rebooted and went back into safe mode and used SDFix.

I noticed I couldn't connect to the web, so I did what mauserme had posted earlier

Quote
Open SuperAntiSpyware again but this time click the Preferences button.  Then click the Repairs tab.  Scroll down and highlight Repair Broken Network Connection (WinSock LSP Chain) and click Repair.

and it worked. Did another scan with SuperAntiSpyware and trojan downloader-MSNETAX had gone.

Still not sure if I'm completely clean.

I noticed in Task Manager locator.exe which I've never seen before, and in my firewall logs C:\WINDOWS\system32\svchost.exe is trying to connect to these (I've checked and Windows Updates are turned off):

au.download.windowsupdate.com [87.248.210.199]
au.download.windowsupdate.com [84.53.135.211]
rs.update.microsoft.com [84.53.135.209]

I did a search in Google on au.download.windowsupdate.com.

The first site said it might be a keylogger:

http://www.smh.com.au/news/breaking/keylogger-fears-lead-back-to-windows-update/2005/08/30/1125302549598.html

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #104 on: April 23, 2007, 04:54:39 PM »
Thanks for the follow up.

For future reference (and for T34), there is a very good chance a clean ndis.sys already existed on your computer in c:\windows\system32\dllcache.  If there, SDFix would have handled a lot of the manual copy/paste/force delete for you.  So for those less "hands on" than you, yours might be considered Plan B.  Or Plan A if you really like to delve into things.

Checking the most recent IPs you posted at WhoIs shows they are not Windows Updates sites.  You need to deal with that.

You might also check these files at Virus Total, all in C:\windows\system32

Winlogon.exe
main.sys (if present there)
adiras.exe (if present there)
wxmst.exe (if present there)
wsctl.exe (if present there)
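A small triage script, added here as an example (it is not from the thread or from any tool named in it), for the two checks mauserme describes in Reply #94 and Reply #104: it compares the live ndis.sys against the copy Windows keeps in dllcache, and hashes the listed system32 files (plus the dropped cp1041.nls) so they can be looked up at VirusTotal by hash without uploading anything. The paths under SystemRoot are assumptions for a default Windows XP install.

```python
import hashlib
import os
from datetime import datetime

def sha256_of(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so a large driver is not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def compare_driver(live_path, cache_path):
    """'match', 'MISMATCH' or 'missing' for the live driver vs its dllcache copy.
    A match only shows the two copies agree; if both were replaced it proves nothing."""
    if not (os.path.isfile(live_path) and os.path.isfile(cache_path)):
        return "missing"
    return "match" if sha256_of(live_path) == sha256_of(cache_path) else "MISMATCH"

def hash_report(paths):
    """Map each existing path to (sha256, modified time) for a VirusTotal lookup;
    files that are absent ('if present there' in the thread) are skipped."""
    report = {}
    for p in paths:
        if os.path.isfile(p):
            mtime = datetime.fromtimestamp(os.path.getmtime(p))
            report[p] = (sha256_of(p), mtime.strftime("%d/%m/%Y %H:%M"))
    return report

if __name__ == "__main__":
    # Assumption: default Windows XP layout; adjust if SystemRoot differs.
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    live = os.path.join(windir, "system32", "drivers", "ndis.sys")
    cache = os.path.join(windir, "system32", "dllcache", "ndis.sys")
    print("ndis.sys vs dllcache copy:", compare_driver(live, cache))
    # The files mauserme lists, plus the dropped cp1041.nls from the thread.
    suspects = [os.path.join(windir, "system32", n) for n in
                ("winlogon.exe", "main.sys", "adiras.exe", "wxmst.exe", "wsctl.exe")]
    suspects.append(r"C:\cp1041.nls")
    for path, (digest, when) in hash_report(suspects).items():
        print(digest, when, path)
```

The modified time in the report is the same value UK_Sean compared against his suspected infection time (12/04/2007 20:12), so an entry close to that time is worth a second look even if the hash is not yet known to VirusTotal.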