Problems: Home Search Assistant, Win32: Trojano-1218 and 1175

Title says it all.

I tried the help guide, but I couldn't find the R0 bogus services... here's my log. Please help me out!

Grtz

Logfile of HijackThis v1.99.1
Scan saved at 15:55:57, on 26/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\FDF\FAST2.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pqwew.dll/sp.html#94115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pqwew.dll/sp.html#94115
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pqwew.dll/sp.html#94115
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pqwew.dll/sp.html#94115
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7C121035-5121-FC97-9150-A3A543AADFC9} - C:\WINDOWS\netiy32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [FAST Defrag] C:\PROGRA~1\FDF\FAST2.EXE -tray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B1FE7D6-CD9D-4F3C-A47F-90160F3BCE40}: NameServer = 195.238.2.21 195.238.2.22
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Get Active Services got me this:

These are the Current Active Services:

Application Layer Gateway-service: ALG
C:\WINDOWS\System32\alg.exe

avast! iAVS4 Control Service: aswUpdSv
"C:\Program Files\Avast4\aswUpdSv.exe"

Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

Services voor cryptografie: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs

DHCP Client: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs

Service voor het rapporteren van fouten: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

COM+-gebeurtenissysteem: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs

Compatibiliteit voor Snelle gebruikerswisseling: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs

Help en ondersteuning: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

Server: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs

Messenger: Messenger
C:\WINDOWS\System32\svchost.exe -k netsvcs

Network Connections: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs

Network Location Awareness (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs

Verbindingsbeheer voor RAS: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs

Task Scheduler: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs

Secondary Logon: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs

System Event Notification: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs

Windows Firewall (WF) / Internet-verbinding delen (ICS): SharedAccess
C:\WINDOWS\System32\svchost.exe -k netsvcs

Shell Hardware Detection: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs

Telephony: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

Thema's: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs

Distributed Link Tracking Client: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs

Windows Time: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs

Windows Management Instrumentation: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs

Security Center: wscsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

Automatische updates: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs

Wireless Zero Configuration-service: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs

avast! Antivirus: avast! Antivirus
"C:\Program Files\Avast4\ashServ.exe"

avast! Mail Scanner: avast! Mail Scanner
"C:\Program Files\Avast4\ashMaiSv.exe" /service

avast! Web Scanner: avast! Web Scanner
"C:\Program Files\Avast4\ashWebSv.exe" /service

C-DillaCdaC11BA: C-DillaCdaC11BA
C:\WINDOWS\system32\drivers\CDAC11BA.EXE

DCOM Server Process Launcher: DcomLaunch
C:\WINDOWS\system32\svchost -k DcomLaunch

Terminal Services: TermService
C:\WINDOWS\System32\svchost -k DComLaunch

DNS Client: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService

Event Log: Eventlog
C:\WINDOWS\system32\services.exe

Plug and Play: PlugPlay
C:\WINDOWS\system32\services.exe

TCP/IP NetBIOS Helper: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService

SSDP Discovery-service: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService

WebClient: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService

NVIDIA Display Driver Service: NVSvc
C:\WINDOWS\System32\nvsvc32.exe

IPSEC-services: PolicyAgent
C:\WINDOWS\System32\lsass.exe

Protected Storage: ProtectedStorage
C:\WINDOWS\system32\lsass.exe

Security Accounts Manager: SamSs
C:\WINDOWS\system32\lsass.exe

Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

SNMP-service: SNMP
C:\WINDOWS\System32\snmp.exe

Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe

Windows Image Acquisition (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc

Windows User Mode Driver Framework: UMWdf
C:\WINDOWS\system32\wdfmgr.exe

Comments

  • Buckeye_Sam, Columbus, Ohio
    edited April 2005
    Please disable Spybot's TeaTimer as it can interfere with the fix by HijackThis.

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pqwew.dll/sp.html#94115
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pqwew.dll/sp.html#94115
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pqwew.dll/sp.html#94115
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pqwew.dll/sp.html#94115
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {7C121035-5121-FC97-9150-A3A543AADFC9} - C:\WINDOWS\netiy32.dll


    Delete these two files, if found.

    C:\WINDOWS\netiy32.dll
    C:\WINDOWS\pqwew.dll


    Reboot and post a new HijackThis log.
  • edited May 2005
    How can I disable TeaTimer? I can't seem to find a way to do this.
  • edited May 2005
    I did as you said, but I couldn't find the netiy32.dll file. This is my log now:

    Logfile of HijackThis v1.99.1
    Scan saved at 16:39:38, on 3/05/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avast4\aswUpdSv.exe
    C:\Program Files\Avast4\ashServ.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avast4\ashMaiSv.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\Mixer.exe
    C:\PROGRA~1\Avast4\ashDisp.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\Avast4\ashWebSv.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\FDF\FAST2.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [FAST Defrag] C:\PROGRA~1\FDF\FAST2.EXE -tray
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    In C:\Windows, there are also a bunch of .exe files with names like netuy32.exe and netxw32.exe (5 perhaps random characters + "32") and also some .exe files with 5-character names that could be random too (neteo.exe, nethl.exe, ...). Are these files bad too?

    Another thing I noticed: Home Search Assistant, Search Extender and Shopping Wizard are still present in my software list :(.

    Grtz
  • Buckeye_Sam, Columbus, Ohio
    edited May 2005
    Follow the instructions at this link to manually remove those entries from your Add/Remove programs list.

    http://support.microsoft.com/?kbid=314481


    It's possible that those files are bad. The ones you listed are definitely bad.

    Please run at least two of these online scans.
    Make sure they are set to clean automatically:

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    http://www.bitdefender.com/scan/licence.php

    http://housecall.trendmicro.com/housecall/start_corp.asp

    There will be files that these scans will not remove. Please include that information in your next post.
  • edited May 2005
    I removed the keys from my registry and HSA/SE/SW are no longer in my software list.

    Currently, I'm scanning with BitDefender and HouseCall.

    Things I noticed:
    - When I tried scanning with PandaSoftware, Avast told me that a dll file on an online location (www.panda....com/....) was infected by the Win32: Kuan virus... That's not a good thing for an online virus scanner, is it? I disconnected from Panda immediately.
    - BitDefender told me that a ****load of files in my "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\" folder were "password protected" (all .reg and .ini files).

    I'll post again when the scans are finished.

    Grtz
  • edited May 2005
    BitDefender gave me the following result (apart from the crapload of "password protected files" from SpyBot I mentioned in an earlier post):

    C:\Documents and Settings\Tuur.KOMPJOETER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-6b42b541-42d7e490.class: infected with Java.Trojan.ClassLoader.K
    C:\Documents and Settings\Tuur.KOMPJOETER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-6b42b541-42d7e490.class: disinfection failed
    C:\Documents and Settings\Tuur.KOMPJOETER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-28980169-1097c2cd.class: infected with Java.Trojan.Exploit.Bytverify
    C:\Documents and Settings\Tuur.KOMPJOETER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-28980169-1097c2cd.class: disinfection failed
    C:\Documents and Settings\Tuur.KOMPJOETER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\in_s.class-18cddad8-58c89c26.class: infected with Java.Trojan.Exploit.Bytverify
    C:\Documents and Settings\Tuur.KOMPJOETER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\in_s.class-18cddad8-58c89c26.class: disinfection failed
    => these infections were also noticed by Housecall, I removed them manually.

    C:\Documents and Settings\Tuur.KOMPJOETER\Local Settings\Temp\THI702.tmp\preInsln.exe: infected with Trojan.Bispy
    C:\Documents and Settings\Tuur.KOMPJOETER\Local Settings\Temp\THI702.tmp\preInsln.exe: disinfection failed
    C:\WINDOWS\Downloaded Program Files\CABEDialer.dll: infected with Trojan.Dialer.FE
    C:\WINDOWS\Downloaded Program Files\CABEDialer.dll: disinfection failed
    C:\WINDOWS\msgplus.exe: infected with Backdoor.Delf.NA
    C:\WINDOWS\msgplus.exe: disinfection failed
    C:\WINDOWS\preInsln.exe: infected with Trojan.Bispy
    C:\WINDOWS\preInsln.exe: disinfection failed
    C:\WINDOWS\system32\msdlupd.dll: infected with Trojan.Downloader.Dyfuca.CU
    C:\WINDOWS\system32\msdlupd.dll: disinfection failed
    C:\WINDOWS\system32\msgplus.exe: infected with Backdoor.Delf.NA
    C:\WINDOWS\system32\msgplus.exe: disinfection failed
    C:\WINDOWS\system32\shellexp.exe: infected with Trojan.DropAndAutoRun.A
    C:\WINDOWS\system32\shellexp.exe: disinfection failed
    C:\WINDOWS\system32\srv.exe: infected with Trojan.Dialer.CP
    C:\WINDOWS\system32\srv.exe: disinfection failed
    C:\WINDOWS\system32\xztlg.dll: infected with Trojan.StartPage.563
    C:\WINDOWS\system32\xztlg.dll: deleted
    C:\WINDOWS\test.hta=>(VBSCRIPT 1): infected with Exploit.ADODB.Stream2.Gen
    C:\WINDOWS\test.hta=>(VBSCRIPT 1): disinfection failed
    C:\WINDOWS\zip1.tmp=>(BASE64): infected with Win32.Netsky.P@mm
    C:\WINDOWS\zip1.tmp=>(BASE64): deleted
    C:\WINDOWS\zip2.tmp=>(BASE64): infected with Win32.Netsky.P@mm
    C:\WINDOWS\zip2.tmp=>(BASE64): deleted
    => I haven't done anything to these infections yet.

    In the meantime, I made a list of the suspicious .exe files in my Windows directory. They are all executables with size "0 KB" (if you check the files' properties; my program to list the directory shows it as "1 KB"). They were all created in the same period and it doesn't take a genius to see that there is some pattern in the file names. In general, all names are 4, 5 or 6 random characters, sometimes followed by a 32. There are a couple of different "structures", each with the same starting letters (2, 3 or 4 characters). Within these "structures", the last 2 letters vary.

    addea.exe -- 1 KB 2/04/2005 03:30:06 PM
    addez32.exe -- 1 KB 13/04/2005 11:10:10 PM
    addjh.exe -- 1 KB 31/03/2005 08:15:00 PM
    addjo.exe -- 1 KB 4/04/2005 06:40:58 PM
    addkx.exe -- 1 KB 31/03/2005 10:43:34 AM
    addlz32.exe -- 1 KB 8/04/2005 01:25:02 PM
    addmn32.exe -- 1 KB 4/04/2005 04:09:46 PM
    addnh.exe -- 1 KB 19/04/2005 03:41:44 AM
    addnj.exe -- 1 KB 12/04/2005 09:48:44 PM
    addnn32.exe -- 1 KB 10/04/2005 08:49:00 AM
    addqg32.exe -- 1 KB 19/04/2005 04:28:50 PM
    addwm.exe -- 1 KB 20/04/2005 02:20:58 PM
    addzm.exe -- 1 KB 8/04/2005 11:38:44 AM
    addzo32.exe -- 1 KB 24/04/2005 12:08:52 PM
    apifp.exe -- 1 KB 24/04/2005 01:43:20 AM
    apigj32.exe -- 1 KB 29/03/2005 11:16:02 AM
    apikg.exe -- 1 KB 28/03/2005 06:20:22 PM
    apikl.exe -- 1 KB 29/03/2005 11:57:10 PM
    apili32.exe -- 1 KB 8/04/2005 02:02:22 AM
    apime32.exe -- 1 KB 1/04/2005 03:13:08 AM
    apinr.exe -- 1 KB 7/04/2005 12:31:46 PM
    apipt32.exe -- 1 KB 21/04/2005 11:08:12 PM
    apipu.exe -- 1 KB 24/04/2005 07:48:02 PM
    apitf.exe -- 1 KB 26/04/2005 09:10:58 AM
    apivp.exe -- 1 KB 8/04/2005 04:20:56 PM
    apiyf.exe -- 1 KB 31/03/2005 07:39:34 PM
    apiys32.exe -- 1 KB 26/03/2005 11:56:44 AM
    appey32.exe -- 1 KB 14/04/2005 02:00:18 AM
    apphn32.exe -- 1 KB 18/04/2005 08:26:58 PM
    appil.exe -- 1 KB 16/04/2005 12:43:04 PM
    appit32.exe -- 1 KB 22/04/2005 03:02:42 PM
    apprf.exe -- 1 KB 21/04/2005 12:24:04 AM
    appuj.exe -- 1 KB 23/04/2005 06:09:28 AM
    appzb32.exe -- 1 KB 19/04/2005 08:38:02 AM
    appzs32.exe -- 1 KB 1/04/2005 11:31:26 AM
    atlcd32.exe -- 1 KB 2/04/2005 05:52:50 PM
    atlei.exe -- 1 KB 14/04/2005 01:53:28 PM
    atlem32.exe -- 1 KB 2/04/2005 09:08:24 PM
    atlib.exe -- 1 KB 3/04/2005 07:51:46 AM
    atlsa32.exe -- 1 KB 18/04/2005 08:48:30 AM
    atltx.exe -- 1 KB 4/04/2005 11:08:24 PM
    atlwh.exe -- 1 KB 15/04/2005 06:06:00 AM
    atlxt.exe -- 1 KB 3/04/2005 01:42:04 AM
    cral32.exe -- 1 KB 8/04/2005 12:39:40 AM
    crcv32.exe -- 1 KB 8/04/2005 02:03:36 PM
    crdx32.exe -- 1 KB 23/04/2005 07:32:46 PM
    crdy.exe -- 1 KB 11/04/2005 02:28:30 PM
    crha.exe -- 1 KB 19/04/2005 04:32:06 AM
    cril.exe -- 1 KB 1/04/2005 02:06:34 PM
    crlv.exe -- 1 KB 12/04/2005 03:19:50 AM
    crsn.exe -- 1 KB 25/04/2005 06:43:22 PM
    crvc32.exe -- 1 KB 28/04/2005 05:10:02 AM
    crwh32.exe -- 1 KB 21/04/2005 10:33:48 AM
    crwp.exe -- 1 KB 7/04/2005 05:47:34 PM
    crws.exe -- 1 KB 30/03/2005 05:29:40 PM
    crxn.exe -- 1 KB 3/04/2005 01:14:20 AM
    d3ee32.exe -- 1 KB 5/04/2005 05:50:40 AM
    d3gf.exe -- 1 KB 9/04/2005 09:16:30 AM
    d3ha32.exe -- 1 KB 24/04/2005 03:22:24 AM
    d3io32.exe -- 1 KB 20/04/2005 08:28:58 PM
    d3ky.exe -- 1 KB 23/04/2005 06:22:18 AM
    d3ln32.exe -- 1 KB 7/04/2005 01:19:42 AM
    d3mc32.exe -- 1 KB 10/04/2005 05:37:12 PM
    d3pr.exe -- 1 KB 20/04/2005 03:42:38 PM
    d3qg.exe -- 1 KB 10/04/2005 03:33:14 PM
    d3vw32.exe -- 1 KB 1/04/2005 02:19:48 PM
    d3xb32.exe -- 1 KB 3/04/2005 10:32:28 PM
    d3yj32.exe -- 1 KB 17/04/2005 07:37:58 PM
    iebo32.exe -- 1 KB 14/04/2005 09:03:42 PM
    iedl32.exe -- 1 KB 5/04/2005 02:57:34 PM
    iedw32.exe -- 1 KB 31/03/2005 08:00:48 PM
    ieef32.exe -- 1 KB 19/04/2005 12:21:40 AM
    iefr32.exe -- 1 KB 15/04/2005 04:32:54 PM
    ieha32.exe -- 1 KB 31/03/2005 09:31:48 PM
    iehg32.exe -- 1 KB 6/04/2005 08:09:34 AM
    ieic32.exe -- 1 KB 17/04/2005 12:05:44 AM
    ielq32.exe -- 1 KB 14/04/2005 04:09:22 AM
    ieoh32.exe -- 1 KB 24/04/2005 10:53:14 AM
    ieoq.exe -- 1 KB 19/04/2005 01:11:06 AM
    ieov32.exe -- 1 KB 17/04/2005 01:26:18 AM
    ierj.exe -- 1 KB 9/04/2005 01:53:44 AM
    iews.exe -- 1 KB 5/04/2005 03:00:18 AM
    iexb.exe -- 1 KB 7/04/2005 05:34:14 PM
    ipab.exe -- 1 KB 29/03/2005 07:59:28 PM
    iphk.exe -- 1 KB 13/04/2005 07:23:24 PM
    ipie.exe -- 1 KB 24/04/2005 03:56:48 PM
    ipim32.exe -- 1 KB 31/03/2005 08:06:26 AM
    ipji.exe -- 1 KB 17/04/2005 05:14:42 PM
    ipjy32.exe -- 1 KB 10/04/2005 06:29:42 AM
    iplr.exe -- 1 KB 21/04/2005 07:42:00 AM
    ipmn.exe -- 1 KB 25/04/2005 02:10:06 PM
    ipmx.exe -- 1 KB 22/04/2005 11:34:12 AM
    iprg32.exe -- 1 KB 16/04/2005 02:04:48 PM
    ipse.exe -- 1 KB 29/03/2005 04:45:20 AM
    ipug.exe -- 1 KB 22/04/2005 05:50:52 PM
    ipur.exe -- 1 KB 12/04/2005 01:42:18 PM
    ipwx.exe -- 1 KB 12/04/2005 01:51:08 AM
    ipyg.exe -- 1 KB 5/04/2005 01:27:06 AM
    ipzs32.exe -- 1 KB 20/04/2005 02:53:32 PM
    ipzv.exe -- 1 KB 14/04/2005 08:02:06 AM
    javadw.exe -- 1 KB 20/04/2005 01:50:14 PM
    javaej.exe -- 1 KB 29/03/2005 08:54:12 AM
    javafa32.exe -- 1 KB 8/04/2005 08:07:00 PM
    javagk32.exe -- 1 KB 8/04/2005 02:03:32 AM
    javamq.exe -- 1 KB 27/03/2005 08:54:48 AM
    javamx.exe -- 1 KB 13/04/2005 07:39:40 AM
    javaqn.exe -- 1 KB 23/04/2005 10:25:30 AM
    javasa.exe -- 1 KB 21/04/2005 07:01:42 AM
    javatg32.exe -- 1 KB 21/04/2005 02:46:54 AM
    javauj32.exe -- 1 KB 17/04/2005 09:44:36 AM
    javazf32.exe -- 1 KB 20/04/2005 10:10:32 PM
    javazu32.exe -- 1 KB 27/03/2005 03:57:28 AM
    mfcca32.exe -- 1 KB 12/04/2005 06:42:26 AM
    mfcci.exe -- 1 KB 4/04/2005 09:51:24 PM
    mfcgh.exe -- 1 KB 30/03/2005 06:52:24 PM
    mfcgn.exe -- 1 KB 29/03/2005 03:42:30 PM
    mfcid32.exe -- 1 KB 26/04/2005 02:59:46 PM
    mfckv32.exe -- 1 KB 22/04/2005 04:22:34 AM
    mfcmu32.exe -- 1 KB 16/04/2005 06:23:26 PM
    mfcol.exe -- 1 KB 10/04/2005 02:12:42 AM
    mfcsl.exe -- 1 KB 11/04/2005 03:25:22 AM
    mfcte32.exe -- 1 KB 16/04/2005 05:04:14 AM
    mfcwk.exe -- 1 KB 30/03/2005 01:43:38 PM
    msau.exe -- 1 KB 17/04/2005 04:43:12 PM
    msbp.exe -- 1 KB 8/04/2005 03:30:20 PM
    msbt32.exe -- 1 KB 11/04/2005 07:19:44 AM
    msck.exe -- 1 KB 6/04/2005 08:04:30 AM
    msem.exe -- 1 KB 5/04/2005 03:32:24 AM
    msen.exe -- 1 KB 7/04/2005 08:26:10 PM
    msgf32.exe -- 1 KB 11/04/2005 07:10:28 PM
    sgt32.exe -- 1 KB 4/04/2005 01:33:38 AM
    msnj.exe -- 1 KB 31/03/2005 10:59:12 AM
    msqm32.exe -- 1 KB 27/03/2005 06:32:44 AM
    msrs.exe -- 1 KB 13/04/2005 05:02:14 AM
    mssi.exe -- 1 KB 10/04/2005 10:49:44 AM
    msty32.exe -- 1 KB 1/04/2005 07:27:04 PM
    msyc.exe -- 1 KB 22/04/2005 04:26:52 PM
    mszc.exe -- 1 KB 29/03/2005 07:10:34 AM
    mszq32.exe -- 1 KB 7/04/2005 12:54:12 AM
    netaa32.exe -- 1 KB 2/04/2005 11:41:02 AM
    netbn.exe -- 1 KB 8/04/2005 09:45:18 PM
    netbw32.exe -- 1 KB 25/04/2005 08:41:26 AM
    netcx32.exe -- 1 KB 12/04/2005 10:20:24 AM
    netdq.exe -- 1 KB 23/04/2005 07:36:04 AM
    neteg.exe -- 1 KB 7/04/2005 11:22:10 PM
    netel32.exe -- 1 KB 16/04/2005 08:46:50 AM
    neteo.exe -- 1 KB 30/03/2005 02:47:00 AM
    nethl.exe -- 1 KB 20/04/2005 09:15:46 PM
    netnr32.exe -- 1 KB 1/04/2005 10:58:58 AM
    netuy32.exe -- 1 KB 5/04/2005 11:31:40 PM
    netxw32.exe -- 1 KB 10/04/2005 12:23:18 AM
    netyx32.exe -- 1 KB 1/04/2005 07:32:44 AM
    ntcz.exe -- 1 KB 6/04/2005 05:26:02 PM
    ntik32.exe -- 1 KB 31/03/2005 03:31:02 AM
    ntmx.exe -- 1 KB 1/04/2005 08:27:58 AM
    ntqo32.exe -- 1 KB 22/04/2005 04:02:46 PM
    ntsm32.exe -- 1 KB 23/04/2005 07:54:56 PM
    ntsu32.exe -- 1 KB 25/04/2005 01:28:32 PM
    sdkaf.exe -- 1 KB 30/03/2005 06:04:08 PM
    sdkau.exe -- 1 KB 22/04/2005 10:39:56 AM
    sdkbs.exe -- 1 KB 11/04/2005 01:07:20 AM
    sdkef.exe -- 1 KB 7/04/2005 09:18:14 PM
    sdkew32.exe -- 1 KB 19/04/2005 03:28:28 PM
    sdkhk.exe -- 1 KB 20/04/2005 02:31:52 PM
    sdkhs.exe -- 1 KB 3/04/2005 05:08:42 AM
    sdkjz.exe -- 1 KB 10/04/2005 09:01:10 AM
    sdkko32.exe -- 1 KB 9/04/2005 04:13:56 PM
    sdkkt32.exe -- 1 KB 9/04/2005 05:38:58 AM
    sdkku32.exe -- 1 KB 10/04/2005 01:08:58 PM
    sdkmm.exe -- 1 KB 29/03/2005 05:38:38 AM
    sdkpd.exe -- 1 KB 4/04/2005 07:05:34 PM
    sdksq32.exe -- 1 KB 10/04/2005 10:45:24 AM
    sdktu32.exe -- 1 KB 3/04/2005 10:09:20 AM
    sdktv32.exe -- 1 KB 14/04/2005 08:33:12 PM
    sdkuj.exe -- 1 KB 10/04/2005 11:10:46 PM
    sdkuz.exe -- 1 KB 12/04/2005 04:13:54 AM
    sdkwy.exe -- 1 KB 9/04/2005 04:42:12 PM
    sdkyf32.exe -- 1 KB 15/04/2005 09:53:54 AM
    sysbg.exe -- 1 KB 8/04/2005 09:01:16 PM
    sysck.exe -- 1 KB 23/04/2005 11:50:00 PM
    sysex.exe -- 1 KB 20/04/2005 03:28:04 PM
    syshg32.exe -- 1 KB 25/04/2005 08:10:44 AM
    sysjv32.exe -- 1 KB 26/04/2005 10:19:16 PM
    sysjy.exe -- 1 KB 19/04/2005 06:14:44 AM
    syskg32.exe -- 1 KB 17/04/2005 01:00:46 AM
    syskm.exe -- 1 KB 21/04/2005 11:48:48 PM
    sysnu32.exe -- 1 KB 30/03/2005 01:42:56 PM
    sysoy.exe -- 1 KB 18/04/2005 08:33:36 AM
    sysqi32.exe -- 1 KB 4/04/2005 04:44:14 PM
    sysqn.exe -- 1 KB 12/04/2005 10:50:34 AM
    sysxp32.exe -- 1 KB 27/03/2005 03:56:46 PM
    sysxu32.exe -- 1 KB 11/04/2005 09:44:22 AM
    winao32.exe -- 1 KB 8/04/2005 05:50:14 PM
    winck.exe -- 1 KB 17/04/2005 06:19:14 AM
    windp32.exe -- 1 KB 25/03/2005 08:45:38 AM
    winkh32.exe -- 1 KB 30/03/2005 10:41:30 PM
    winmx32.exe -- 1 KB 23/04/2005 12:11:34 PM
    winnt32.exe -- 1 KB 23/04/2005 10:58:04 AM
    winrm32.exe -- 1 KB 10/04/2005 04:21:30 AM
    wintc32.exe -- 1 KB 5/04/2005 05:03:40 AM
    wintq32.exe -- 1 KB 31/03/2005 11:07:04 AM
    wintr.exe -- 1 KB 23/04/2005 03:48:10 AM
    winvo32.exe -- 1 KB 10/04/2005 06:56:50 AM
    winwf.exe -- 1 KB 6/04/2005 01:12:06 AM
    winxc.exe -- 1 KB 7/04/2005 05:04:18 AM
    winya32.exe -- 1 KB 21/04/2005 07:18:32 PM

    WHAT IS WRONG WITH MY COMPUTER?!

    *sigh*

    Hope you can help me out...

    Grtz
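To triage the naming pattern the poster describes above (a fixed prefix, two random letters, an optional "32", a tiny size, one creation window), here is an added Python example; it is not code from the thread, from HijackThis or from any of the scanners mentioned. The listing it parses is constructed from a few lines of the post plus three made-up legitimate entries, and the line format, the prefix list and the 1 KB size threshold are assumptions taken from the post.

```python
"""Cluster tiny .exe files whose names follow the pattern from the post:
<prefix><two random letters>[32].exe, all about 1 KB, all created in one
period. Grouping by prefix and reporting the creation span shows the
dropping campaign as a whole rather than one file at a time."""
import re
from collections import defaultdict
from datetime import datetime

# Prefixes ("structures") observed in the poster's listing (assumption: the
# list is taken from the post, a real scan would learn these from the data).
PREFIXES = ("add", "api", "app", "atl", "cr", "d3", "ie", "ip", "java",
            "mfc", "ms", "net", "nt", "sdk", "sys", "win")

# prefix + exactly two lowercase letters + optional "32" + ".exe", anchored so
# longer legitimate names (msconfig.exe, winhlp32.exe, netstat.exe) do not match.
NAME_RE = re.compile(
    r"^(?P<prefix>" + "|".join(PREFIXES) + r")[a-z]{2}(?:32)?\.exe$")

# Listing line format used in the post: "<name> -- <size> KB <d/mm/yyyy> <hh:mm:ss AM/PM>"
LINE_RE = re.compile(
    r"^(?P<name>\S+) -- (?P<kb>[\d,]+) KB "
    r"(?P<stamp>\d{1,2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)$")


def parse_line(line):
    """Return (name, size_kb, created) for a listing line, or None if the
    line is not in the listing format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    size_kb = int(m.group("kb").replace(",", ""))
    created = datetime.strptime(m.group("stamp"), "%d/%m/%Y %I:%M:%S %p")
    return m.group("name"), size_kb, created


def flag_droppings(lines, max_kb=1):
    """Group files that match NAME_RE and are at most max_kb in size.

    Returns a dict with the clusters (prefix -> file names in listing order),
    the total count, and the first/last creation time plus the span in days.
    The name alone is not conclusive (winnt32.exe is also the name of a
    legitimate setup program), so the size threshold is part of the test."""
    clusters = defaultdict(list)
    stamps = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, size_kb, created = parsed
        if size_kb > max_kb or NAME_RE.match(name.lower()) is None:
            continue
        clusters[NAME_RE.match(name.lower()).group("prefix")].append(name)
        stamps.append(created)
    first = min(stamps) if stamps else None
    last = max(stamps) if stamps else None
    return {
        "clusters": dict(clusters),
        "total": len(stamps),
        "first": first,
        "last": last,
        "span_days": (last - first).days if stamps else 0,
    }


# Constructed sample: six lines copied from the post's listing and three
# made-up legitimate entries with plausible (invented) sizes and dates.
SAMPLE_LISTING = """\
addea.exe -- 1 KB 2/04/2005 03:30:06 PM
addez32.exe -- 1 KB 13/04/2005 11:10:10 PM
netuy32.exe -- 1 KB 5/04/2005 11:31:40 PM
neteo.exe -- 1 KB 30/03/2005 02:47:00 AM
winnt32.exe -- 1 KB 23/04/2005 10:58:04 AM
sdkaf.exe -- 1 KB 30/03/2005 06:04:08 PM
explorer.exe -- 1,010 KB 4/08/2004 12:00:00 AM
notepad.exe -- 68 KB 4/08/2004 12:00:00 AM
winhlp32.exe -- 283 KB 4/08/2004 12:00:00 AM
""".splitlines()


if __name__ == "__main__":
    report = flag_droppings(SAMPLE_LISTING)
    print(f"{report['total']} suspicious files created between "
          f"{report['first']} and {report['last']} ({report['span_days']} days)")
    for prefix, names in sorted(report["clusters"].items()):
        print(f"  {prefix:5s} {', '.join(names)}")
```

Run against a full `dir` listing of C:\WINDOWS in the same format, the report gives the prefix families and the creation window to quote in a follow-up post, while the legitimate entries fall through the size and name filters.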
  • edited May 2005
    To make matters worse, another security issue has surfaced now: a couple of links to some adult pages and a folder called "links" keep on appearing in my bookmarks ('favorites')...

    And of course, everything I do is going mighty mighty slooooow...

    *sigh*

    Greetings
  • Buckeye_Sam, Columbus, Ohio
    edited May 2005
    Download and run Stinger. Let me know what it finds.
    http://download.nai.com/products/mcafee-avert/stinger.exe


    Reboot and post a new HijackThis log.
  • edited May 2005
    Stinger didn't find anything; here's the log file it created:
    McAfee AVERT Stinger Version 2.5.4 built on May 2 2005

    Copyright (C) 2005 Networks Associates Technology, Inc. All Rights Reserved.
    Virus data file v1000 created on May 2 2005.
    Ready to scan for 53 viruses, trojans and variants.
    Scan initiated on Sun May 08 11:40:03 2005
    Number of clean files: 334445

    My Hijackthislog looks like this:

    Logfile of HijackThis v1.99.1
    Scan saved at 15:22:23, on 8/05/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avast4\aswUpdSv.exe
    C:\Program Files\Avast4\ashServ.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avast4\ashMaiSv.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\Mixer.exe
    C:\PROGRA~1\Avast4\ashDisp.exe
    C:\Program Files\Avast4\ashWebSv.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\FDF\FAST2.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [FAST Defrag] C:\PROGRA~1\FDF\FAST2.EXE -tray
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    After I rebooted, Windows popped up an error window (you know, the one that lets you report problems), telling me that there was a problem with "Generic host process for Win32 Services".

    HSA/SE/SW appear to be gone and Avast hasn't popped up alerts for a few days now, so I think you've managed to fix it...the only thing I'm a bit worried about is that crapload of exe's in my windows directory. Do you have any idea what they are and if it would be ok to simply manually remove them?

    Thanks for all the help you've given so far - you guys are the best...

    Grtz
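A triage pass over log lines like the ones in the post above, as an added example for this thread (it is not part of HijackThis and not the helpers' own procedure). It flags the two things a helper reads first: browser start or search pages that point at a local file or a `res://` DLL, and autostart entries or services reported as "(file missing)". The "(file missing)" hits are cross-checked against the "Running processes" block, because a binary that is plainly running is not missing. The sample lines are copied from the log above and shortened; they are embedded so the script runs offline.

```python
"""Triage pass over HijackThis-style log lines (added example, not part of
HijackThis or of the thread's cleanup procedure)."""
import re
from dataclasses import dataclass
from typing import List, Set

# Sample: lines copied from the log posted in the thread, shortened for the demo.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
"""

ENTRY = re.compile(r'^(R[0-3]|O\d{1,2}) - ')                 # "R1 - ...", "O23 - ..."
LOCAL_TARGET = re.compile(r'=\s*(?:file:///|res://)', re.IGNORECASE)
BINARY = re.compile(r'\\([^\\"]+?\.(?:exe|dll))', re.IGNORECASE)  # last path component


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def running_processes(log_text: str) -> Set[str]:
    """Lower-cased basenames from the 'Running processes:' block of the log."""
    names, collecting = set(), False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith('running processes:'):
            collecting = True
            continue
        if collecting:
            if not line:          # blank line ends the block
                break
            names.add(line.rsplit('\\', 1)[-1].lower())
    return names


def triage(log_text: str, running: Set[str] = frozenset()) -> List[Finding]:
    """Return findings for R (browser page) and O (autostart/service) entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section = m.group(1)
        if section.startswith('R') and LOCAL_TARGET.search(line):
            findings.append(Finding(section, 'browser page points at a local file or resource DLL', line))
        if '(file missing)' in line:
            names = BINARY.findall(line)
            name = names[-1].lower() if names else ''
            if name in running:
                reason = ('reported missing but present in the running-process list; '
                          'likely the log tool tripping over a quoted service path')
            else:
                reason = 'autostart entry whose binary is missing'
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG, running_processes(SAMPLE_LOG)):
        print(f'{f.section}: {f.reason}\n    {f.line}')
```

On the log above this reports the Plus18Point `file:///` start page, the Messenger button whose `msmsgs.exe` really is absent, and the avast! Mail Scanner service, which the script downgrades because `ashMaiSv.exe` is listed under running processes; the "(file missing)" on the two avast! services is therefore most likely the log tool mis-handling the quoted image path rather than a real problem.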
  • Buckeye_Sam (Columbus, Ohio)
    edited May 2005
    I wouldn't delete them all, just in case there's a legitimate file in there somewhere. Quarantine them. Here's more info.
    http://www.short-media.com/forum/showpost.php?p=173532&postcount=5
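One way to do the quarantine rather than a delete, as an added example for this thread (not the helper's own tool or procedure). Every file in the Windows directory whose name fits the `sys??.exe` / `sys??32.exe` / `win??.exe` / `win??32.exe` pattern from the post and is at most 2 KB is moved into a quarantine folder under a name that will not run on a double-click, and its original path and SHA-256 go into a manifest so anything that turns out to be legitimate can be put back. The size cap, the name pattern and the sample directory are constructed for the demo; on a real machine the script would need to run with rights to move files out of the Windows directory.

```python
"""Quarantine (not delete) tiny sys*/win* executables, keeping a manifest so
any file that turns out to be legitimate can be restored.  Added example for
this thread, not the helper's own procedure."""
import hashlib
import json
import re
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional, Tuple

# Names in the post all look like sysXX.exe / sysXX32.exe / winXX.exe / winXX32.exe.
SUSPECT_NAME = re.compile(r'^(?:sys|win)[a-z]{2}(?:32)?\.exe$', re.IGNORECASE)
MAX_SIZE = 2048          # bytes; every file in the post was listed as 1 KB (assumed cap)
MANIFEST = 'manifest.json'


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open('rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def find_suspects(windows_dir: Path, max_size: int = MAX_SIZE) -> List[Path]:
    """Files directly in windows_dir that match the name pattern and size cap."""
    return sorted(p for p in windows_dir.iterdir()
                  if p.is_file() and SUSPECT_NAME.match(p.name) and p.stat().st_size <= max_size)


def manifest_entries(quarantine_dir: Path) -> List[dict]:
    path = quarantine_dir / MANIFEST
    return json.loads(path.read_text()) if path.exists() else []


def quarantine(windows_dir: Path, quarantine_dir: Path, max_size: int = MAX_SIZE) -> List[dict]:
    """Move matching files into quarantine_dir; return the manifest entries added."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    entries = manifest_entries(quarantine_dir)
    moved = []
    for p in find_suspects(windows_dir, max_size):
        digest = sha256_of(p)
        # Renamed so the quarantined copy is not an .exe any more.
        dest = quarantine_dir / f'{p.name}.{digest[:12]}.quarantined'
        shutil.move(str(p), str(dest))
        entry = {'original': str(p), 'quarantined': str(dest), 'sha256': digest,
                 'size': dest.stat().st_size,
                 'moved_at': datetime.now(timezone.utc).isoformat()}
        entries.append(entry)
        moved.append(entry)
    (quarantine_dir / MANIFEST).write_text(json.dumps(entries, indent=2))
    return moved


def restore(quarantine_dir: Path, original_name: str) -> Optional[Path]:
    """Move one file back to its original path and drop it from the manifest."""
    entries = manifest_entries(quarantine_dir)
    for entry in entries:
        if Path(entry['original']).name.lower() == original_name.lower():
            shutil.move(entry['quarantined'], entry['original'])
            entries.remove(entry)
            (quarantine_dir / MANIFEST).write_text(json.dumps(entries, indent=2))
            return Path(entry['original'])
    return None


def make_sample_dir() -> Tuple[Path, Path]:
    """Constructed stand-in for C:\\WINDOWS so the demo runs anywhere: four tiny
    decoys named like files in the post, plus two files the filter must leave alone."""
    root = Path(tempfile.mkdtemp(prefix='quarantine-demo-'))
    win = root / 'WINDOWS'
    win.mkdir()
    for name in ('syshg32.exe', 'sysjy.exe', 'winnt32.exe', 'winya32.exe'):
        (win / name).write_bytes(b'MZ' + name.encode())   # placeholder bytes, not real code
    (win / 'notepad.exe').write_bytes(b'MZ' * 4096)       # wrong name pattern and too big
    (win / 'winhlp32.exe').write_bytes(b'MZ')             # three letters after "win": no match
    return win, root / 'Quarantine'


if __name__ == '__main__':
    win, q = make_sample_dir()
    for e in quarantine(win, q):
        print(f"{Path(e['original']).name:14} -> {Path(e['quarantined']).name}")
    print('left in place:', sorted(p.name for p in win.iterdir()))
```

The manifest is what makes quarantine safer than deletion: `winnt32.exe`, for instance, is also the name of a legitimate Windows setup program, so if a quarantined file is later found to be genuine, `restore()` puts it back by name and the hash in the manifest lets you check it against a known-good copy.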
  • edited May 2005
    I did and everything is going splendid so far. Guess they weren't legitimate files...hopefully they won't come back. This'll be my last post (unless my computer goes bananas again), thanks for your expertise, it's very appreciated.

    Grtz
  • Buckeye_Sam (Columbus, Ohio)
    edited May 2005
    Glad we could help out. :)

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Disable and re-enable System Restore - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files left in a restore point from what we have just cleaned.

      You can find instructions on how to disable and re-enable System Restore here:

      Managing Windows Millennium System Restore

      or

      Windows XP System Restore Guide

      Re-enable System Restore with the instructions from the tutorial above.

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    7. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

    8. Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.
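The Internet Explorer settings in step 2 can also be audited rather than checked by eye in the dialog. The following is an added example for this thread, not from the post: it compares the Internet zone's values against the six settings step 2 asks for and can write the corrected values. The action IDs (1001, 1004, 1201, 1607, 1800, 1804) and the 0/1/3 encoding for Enable/Prompt/Disable are Microsoft's documented registry layout for `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3` (zone 3 is the Internet zone); the "loose" sample configuration is constructed so the audit runs on any platform.

```python
"""Audit (and optionally apply) the Internet-zone settings from step 2 above.
Added example for this thread, not the post's own procedure.  Registry layout
per Microsoft's documented URLACTION values; LOOSE_SAMPLE is constructed."""
from typing import Dict, List, Tuple

ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: 'Enable', PROMPT: 'Prompt', DISABLE: 'Disable'}
ZONE_KEY = r'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# action id -> (label as shown in the Custom Level dialog, value step 2 recommends)
RECOMMENDED = {
    '1001': ('Download signed ActiveX controls', PROMPT),
    '1004': ('Download unsigned ActiveX controls', DISABLE),
    '1201': ('Initialize and script ActiveX controls not marked as safe', DISABLE),
    '1800': ('Installation of desktop items', PROMPT),
    '1804': ('Launching programs and files in an IFRAME', PROMPT),
    '1607': ('Navigate sub-frames across different domains', PROMPT),
}

# Constructed example of a loosened zone: 1201 is already fine, 1607 is not set at all.
LOOSE_SAMPLE = {'1001': ENABLE, '1004': PROMPT, '1201': DISABLE, '1800': ENABLE, '1804': ENABLE}


def audit(current: Dict[str, int]) -> List[Tuple[str, str, str, str]]:
    """(action id, label, current level, recommended level) for every setting that
    is more permissive than recommended.  Lower value = more permissive, so a value
    below the recommended one, or a value that is absent, is reported."""
    gaps = []
    for action, (label, wanted) in RECOMMENDED.items():
        have = current.get(action)
        if have is None or have < wanted:
            shown = 'unset' if have is None else LEVEL_NAME.get(have, str(have))
            gaps.append((action, label, shown, LEVEL_NAME[wanted]))
    return gaps


def read_zone(key_path: str = ZONE_KEY) -> Dict[str, int]:
    """Read the live values for the current user (Windows only; {} elsewhere)."""
    try:
        import winreg
    except ImportError:
        return {}
    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        for action in RECOMMENDED:
            try:
                current[action] = int(winreg.QueryValueEx(key, action)[0])
            except FileNotFoundError:
                pass
    return current


def harden(current: Dict[str, int], key_path: str = ZONE_KEY, dry_run: bool = True) -> Dict[str, int]:
    """Return the corrected mapping; with dry_run=False on Windows also write it.
    Writes go to HKCU only, i.e. the current user's zone, not a machine-wide policy."""
    fixed = dict(current)
    for action, _label, _have, _want in audit(current):
        fixed[action] = RECOMMENDED[action][1]
    if not dry_run:
        import winreg
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path, 0, winreg.KEY_SET_VALUE) as key:
            for action in RECOMMENDED:
                winreg.SetValueEx(key, action, 0, winreg.REG_DWORD, fixed[action])
    return fixed


if __name__ == '__main__':
    live = read_zone() or LOOSE_SAMPLE       # falls back to the constructed sample off Windows
    for action, label, have, want in audit(live):
        print(f'{action} {label}: {have} -> should be {want}')
    print('corrected:', harden(live))
```

The Custom Level dialog writes to the same per-user key, so after the manual steps in the post the audit should come back empty; a non-empty result after that usually means something reset the zone, or that a machine-wide policy under HKLM is taking precedence and the per-user value is not what the browser actually uses.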