Hi guys
Seems like quite a few people have been infected with this in the last few weeks.
IMPORTANT: THIS IS WHAT I DID. ASK THE GUYS HERE FIRST AS IT MIGHT NOT WORK FOR EVERYONE!!!
For my fix I needed a clean copy of Windows SP2 Ndis.sys
and a copy of IceSword. I got it here
http://www.majorgeeks.com/Icesword_d5199.html and installed it.
I got my copy of Windows SP2 Ndis.sys from my laptop,
I zipped it and put it on a floppy and transferred it to my main computer and put the copy on my desktop,
then I extracted it to the windows/system32/drivers folder.
Then I booted up into safe mode (keep pressing F8 at start up).
Then I opened IceSword and on the left side clicked the files tab and located the
windows/system32/drivers/ folder, then in the right side pane I found Ndis.sys, right clicked on it and
clicked forced delete.
Then on the left side I clicked on c:/ and on the right side found cp1041.nls, right clicked on it and
clicked forced delete, then I exited IceSword.
Then I extracted another copy of the new SP2 Ndis.sys from my desktop to windows/system32/drivers
Then I rebooted
Then I did a scan with SuperAntiSpyware.
trojan spam.RUCrey had gone but trojan downloader-MSNETAX was still there.
So I pressed fix with SuperAntiSpyware and rebooted and went back into safe mode and used
SDFix.
I noticed I couldn't connect to the web, so I did what mauserme had posted earlier:
Open SuperAntiSpyware again but this time click the Preferences button. Then click the Repairs tab. Scroll down and highlight Repair Broken Network Connection (WinSock LSP Chain) and click Repair.
and it worked. I did another scan with SuperAntiSpyware and trojan downloader-MSNETAX had gone.
Still not sure if I'm completely clean.
I noticed in task manager
locator.exe, which I've never seen before, and in my firewall logs
C:\WINDOWS\system32\svchost.exe is trying to connect to these (I've checked and Windows updates are turned off):
au.download.windowsupdate.com [87.248.210.199]
au.download.windowsupdate.com [84.53.135.211]
rs.update.microsoft.com [84.53.135.209]
I did a search in Google on au.download.windowsupdate.com
The first site said it might be a keylogger:
http://www.smh.com.au/news/breaking/keylogger-fears-lead-back-to-windows-update/2005/08/30/1125302549598.html