OK, finally done with it all. I ran Ewido, Ad-Aware and Spy Sweeper. Spy Sweeper found the trojan and dealt with it, together with a few other things. If I recall right, nothing was found by Ewido & Ad-Aware, so everything should be good. Some logs here...
Logfile of HijackThis v1.99.1
Scan saved at 20:29:03, on 13-11-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [Fraps] E:\Fraps\FRAPS.EXE
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {1D185838-009D-47C8-824B-B65B4854430E} (Installer Class) - http://quickfix2.chello.nl/quickfix2/as ... nstall.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 1.0.69.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1470190796
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {C58EFA10-2CC0-4C50-8C77-B326555EC1B7} (clsDefault Class) - http://quickfix2.chello.nl/quickfix2/asp/LaunchApp.CAB
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{99312C79-D439-473D-89CC-9CAA9D6F4542}: NameServer = 212.142.28.66,212.142.28.130
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
********
18:24: | Start of Session, Sunday 13 November 2005 |
18:24: Spy Sweeper started
18:24: Sweep initiated using definitions version 572
18:24: Found Trojan Horse: trojan-downloader-2pursuit
18:24: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\st3\ || dllname (ID = 910576)
18:24: q3696203.dll (ID = 910576)
18:24: Starting Memory Sweep
18:25: Detected running threat: C:\WINDOWS\q3696203.dll (ID = 188588)
18:25: Memory Sweep Complete, Elapsed Time: 00:00:46
18:25: Starting Registry Sweep
18:25: HKCR\clsid\{1b68470c-2def-493b-8a4a-8e2d81be4ea5}\ (5 subtraces) (ID = 910438)
18:25: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {1b68470c-2def-493b-8a4a-8e2d81be4ea5} (ID = 910513)
18:25: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\st3\ (10 subtraces) (ID = 910519)
18:25: HKLM\software\classes\clsid\{1b68470c-2def-493b-8a4a-8e2d81be4ea5}\ (5 subtraces) (ID = 910556)
18:25: Found Adware: easyerror
18:25: HKCR\clsid\{16875e09-927b-4494-82bd-158a1cd46ba0}\ (4 subtraces) (ID = 927633)
18:25: HKLM\software\classes\clsid\{16875e09-927b-4494-82bd-158a1cd46ba0}\ (4 subtraces) (ID = 927655)
18:25: HKCR\clsid\{826b2228-bc09-49f2-b5f8-42ce26b1b711}\ (5 subtraces) (ID = 971337)
18:25: HKLM\software\classes\clsid\{826b2228-bc09-49f2-b5f8-42ce26b1b711}\ (5 subtraces) (ID = 971360)
18:25: HKU\WRSS_Profile_S-1-5-21-796845957-343818398-839522115-500\software\microsoft\style32\ (5 subtraces) (ID = 910485)
18:25: HKU\S-1-5-21-796845957-343818398-839522115-1003\software\microsoft\gg\conf\ (369 subtraces) (ID = 802702)
18:25: HKU\S-1-5-21-796845957-343818398-839522115-1003\software\microsoft\st3\ (11 subtraces) (ID = 910473)
18:25: HKU\S-1-5-21-796845957-343818398-839522115-1003\software\microsoft\ppp\c\ (5 subtraces) (ID = 920182)
18:25: HKU\S-1-5-21-796845957-343818398-839522115-1003\software\microsoft\sxsoft\ (25 subtraces) (ID = 920198)
18:25: Registry Sweep Complete, Elapsed Time:00:00:09
18:25: Starting Cookie Sweep
18:25: Found Spy Cookie: 66.230.183 cookie
18:25: kim@66.230.183[2].txt (ID = 1993)
18:25: Found Spy Cookie: about cookie
18:25: kim@about[2].txt (ID = 2037)
18:25: Found Spy Cookie: adknowledge cookie
18:25: kim@adknowledge[2].txt (ID = 2072)
18:25: Found Spy Cookie: adlegend cookie
18:25: kim@adlegend[2].txt (ID = 2074)
18:25: Found Spy Cookie: cd freaks cookie
18:25: kim@ads.cdfreaks[2].txt (ID = 2371)
18:25: Found Spy Cookie: atwola cookie
18:25: kim@atwola[1].txt (ID = 2255)
18:25: Found Spy Cookie: banners cookie
18:25: kim@banners[2].txt (ID = 2282)
18:25: Found Spy Cookie: bizrate cookie
18:25: kim@bizrate[2].txt (ID = 2308)
18:25: Found Spy Cookie: dealtime cookie
18:25: kim@dealtime[1].txt (ID = 2505)
18:25: Found Spy Cookie: fe.lea.lycos.com cookie
18:25: kim@fe.lea.lycos[2].txt (ID = 2660)
18:25: Found Spy Cookie: gamespy cookie
18:25: kim@gamespy[1].txt (ID = 2719)
18:25: Found Spy Cookie: howstuffworks cookie
18:25: kim@howstuffworks[2].txt (ID = 2805)
18:25: Found Spy Cookie: monstermarketplace cookie
18:25: kim@monstermarketplace[1].txt (ID = 3006)
18:25: kim@movies.about[1].txt (ID = 2038)
18:25: Found Spy Cookie: mp3downloadhq cookie
18:25: kim@mp3downloadhq[1].txt (ID = 3014)
18:25: Found Spy Cookie: touchclarity cookie
18:25: kim@msn.touchclarity[1].txt (ID = 3566)
18:25: Found Spy Cookie: pricegrabber cookie
18:25: kim@pricegrabber[2].txt (ID = 3185)
18:25: Found Spy Cookie: servlet cookie
18:25: kim@servlet[2].txt (ID = 3345)
18:25: kim@servlet[3].txt (ID = 3345)
18:25: kim@stat.dealtime[1].txt (ID = 2506)
18:25: Found Spy Cookie: tracking cookie
18:25: kim@tracking[2].txt (ID = 3571)
18:25: Found Spy Cookie: xsex cookie
18:25: kim@www.strony.xsex[1].txt (ID = 3726)
18:25: Found Spy Cookie: xiti cookie
18:25: kim@xiti[1].txt (ID = 3717)
18:25: Found Spy Cookie: xren_cj cookie
18:25: kim@xren_cj[1].txt (ID = 3723)
18:25: Cookie Sweep Complete, Elapsed Time: 00:00:05
18:25: Starting File Sweep
18:27: q3696203.dll (ID = 188588)
18:32: File Sweep Complete, Elapsed Time: 00:06:17
18:32: Full Sweep has completed. Elapsed time 00:07:21
18:32: Traces Found: 494
18:32: Removal process initiated
18:32: Quarantining All Traces: trojan-downloader-2pursuit
18:32: trojan-downloader-2pursuit is in use. It will be removed on reboot.
18:32: q3696203.dll is in use. It will be removed on reboot.
18:32: q3696203.dll is in use. It will be removed on reboot.
18:32: C:\WINDOWS\q3696203.dll is in use. It will be removed on reboot.
18:32: Quarantining All Traces: easyerror
18:32: Quarantining All Traces: 66.230.183 cookie
18:32: Quarantining All Traces: about cookie
18:32: Quarantining All Traces: adknowledge cookie
18:32: Quarantining All Traces: adlegend cookie
18:32: Quarantining All Traces: atwola cookie
18:32: Quarantining All Traces: banners cookie
18:32: Quarantining All Traces: bizrate cookie
18:32: Quarantining All Traces: cd freaks cookie
18:32: Quarantining All Traces: dealtime cookie
18:32: Quarantining All Traces: fe.lea.lycos.com cookie
18:32: Quarantining All Traces: gamespy cookie
18:32: Quarantining All Traces: howstuffworks cookie
18:32: Quarantining All Traces: monstermarketplace cookie
18:32: Quarantining All Traces: mp3downloadhq cookie
18:32: Quarantining All Traces: pricegrabber cookie
18:32: Quarantining All Traces: servlet cookie
18:32: Quarantining All Traces: touchclarity cookie
18:32: Quarantining All Traces: tracking cookie
18:32: Quarantining All Traces: xiti cookie
18:32: Quarantining All Traces: xren_cj cookie
18:32: Quarantining All Traces: xsex cookie
18:32: Warning: Launched explorer.exe
18:32: Warning: Quarantine process could not restart Explorer.
18:33: Removal process completed. Elapsed time 00:00:38
********
18:12: | Start of Session, Sunday 13 November 2005 |
18:12: Spy Sweeper started
18:13: Your spyware definitions have been updated.
18:14: BHO Shield: found: -- BHO installation allowed at user request
18:17: Memory Shield: Found: Memory-resident threat trojan-downloader-2pursuit, version 1.0.0.0
18:17: Detected running threat: trojan-downloader-2pursuit
18:18: Ignored memory-resident threat: trojan-downloader-2pursuit
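The useful check on a pair of logs like these is not whether the scanners say "clean" but whether the persistence points the removal tool reported (here the Winlogon Notify subkey `st3` with `q3696203.dll` as its DllName, plus the CLSIDs tagged as easyerror) are still referenced in the HijackThis scan taken afterwards, and what is still registered under O20 Winlogon Notify, since that is exactly where this dropper hooked itself. The script below is an added example written for this thread, not code from the poster, HijackThis or Webroot. It parses the two log formats as they appear in the post, cross-references them, and lists the O20 entries for a human to review; it makes no judgement about whether any individual entry is good or bad. The sample input is constructed from lines copied out of the logs above, so it runs offline; the regular expressions assume the line shapes shown in this post and nothing else.

```python
"""Cross-check a HijackThis log against a Spy Sweeper session log.

Added example for the thread above, not code from the post or from
HijackThis/Webroot. Parses both log formats as they appear in the post and
reports whether the persistence points Spy Sweeper removed are still
referenced by the later HijackThis scan.
"""
import re
from collections import defaultdict

# Constructed sample input: a handful of lines copied verbatim from the logs in the post.
HJT_LOG = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{99312C79-D439-473D-89CC-9CAA9D6F4542}: NameServer = 212.142.28.66,212.142.28.130
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

SPYSWEEPER_LOG = r"""
18:24: Found Trojan Horse: trojan-downloader-2pursuit
18:24: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\st3\ || dllname (ID = 910576)
18:24: q3696203.dll (ID = 910576)
18:25: Detected running threat: C:\WINDOWS\q3696203.dll (ID = 188588)
18:25: Found Adware: easyerror
18:25: HKCR\clsid\{16875e09-927b-4494-82bd-158a1cd46ba0}\ (4 subtraces) (ID = 927633)
18:32: C:\WINDOWS\q3696203.dll is in use. It will be removed on reboot.
"""

# HijackThis line shapes (as seen in the post; assumed, not taken from HJT documentation).
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
NOTIFY_ENTRY = re.compile(r"^Winlogon Notify: (\S+) - (.*)$")
RUN_ENTRY = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# Either a quoted path or a bare drive path ending in a known extension.
WIN_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|cpl|lnk|cab))\b', re.IGNORECASE)

# Spy Sweeper line shapes (as seen in the post).
SS_FOUND = re.compile(r"^\d\d:\d\d: Found ([^:]+): (.+)$")
SS_RUNNING = re.compile(r"^\d\d:\d\d: Detected running threat: (.+?) \(ID = \d+\)$")
SS_REBOOT = re.compile(r"^\d\d:\d\d: (.+) is in use\. It will be removed on reboot\.$")
SS_TRACE = re.compile(r"^\d\d:\d\d: (.+?) \(ID = \d+\)$")
NOTIFY_KEY = re.compile(r"\\winlogon\\notify\\([^\\]+)\\", re.IGNORECASE)


def parse_hjt(text):
    """Return one dict per HijackThis entry with its section, body and any file paths."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        entry = {"section": section, "body": body,
                 "paths": [quoted or bare for quoted, bare in WIN_PATH.findall(body)]}
        if section == "O20" and (n := NOTIFY_ENTRY.match(body)):
            entry["subkey"], entry["dll"] = n.groups()
        elif section == "O4" and (r := RUN_ENTRY.match(body)):
            entry["hive"], entry["name"], entry["command"] = r.groups()
        entries.append(entry)
    return entries


def parse_spysweeper(text):
    """Group Spy Sweeper traces under the threat that introduced them.

    Returns (threats, pending_reboot): threats maps name -> category/registry/files,
    pending_reboot lists items Spy Sweeper could only remove after a restart.
    """
    threats = defaultdict(lambda: {"category": None, "registry": [], "files": []})
    pending_reboot, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SS_FOUND.match(line):
            current = m.group(2)
            threats[current]["category"] = m.group(1)
        elif m := SS_REBOOT.match(line):
            pending_reboot.append(m.group(1))
        elif (m := SS_RUNNING.match(line) or SS_TRACE.match(line)) and current:
            trace = re.sub(r" \(\d+ subtraces\)$", "", m.group(1))
            bucket = "registry" if trace.upper().startswith(("HKLM", "HKCU", "HKCR", "HKU")) else "files"
            threats[current][bucket].append(trace)
    return dict(threats), pending_reboot


def winlogon_notify(hjt_entries):
    """O20 entries: the same registry location this dropper used, so list them for review."""
    return [(e["subkey"], e["dll"]) for e in hjt_entries if e["section"] == "O20" and "subkey" in e]


def cross_check(hjt_entries, threats):
    """Does the later HJT scan still reference anything Spy Sweeper flagged?"""
    notify_subkeys, flagged_files = set(), set()
    for t in threats.values():
        for key in t["registry"]:
            if k := NOTIFY_KEY.search(key):
                notify_subkeys.add(k.group(1).lower())
        for f in t["files"]:
            flagged_files.add(f.rsplit("\\", 1)[-1].lower())
    still_notify = sorted(e["subkey"] for e in hjt_entries
                          if e["section"] == "O20" and e.get("subkey", "").lower() in notify_subkeys)
    still_files = sorted({f"{e['section']}: {p}" for e in hjt_entries for p in e["paths"]
                          if p.rsplit("\\", 1)[-1].lower() in flagged_files})
    return {"spysweeper_notify_subkeys": sorted(notify_subkeys),
            "notify_subkeys_still_in_hjt": still_notify,
            "flagged_files_still_in_hjt": still_files}


if __name__ == "__main__":
    hjt = parse_hjt(HJT_LOG)
    threats, pending = parse_spysweeper(SPYSWEEPER_LOG)
    for name, t in threats.items():
        print(f"{t['category']}: {name} -> {len(t['registry'])} registry, {len(t['files'])} file traces")
    print("deferred to reboot:", pending)
    print("O20 Winlogon Notify entries:", winlogon_notify(hjt))
    print(cross_check(hjt, threats))
```

On the sample above the cross-check comes back empty, which matches the post: the 20:29 HijackThis scan no longer shows the `st3` Notify subkey or `q3696203.dll`. Two caveats a practitioner would add: Spy Sweeper deferred the DLL to reboot, so a HijackThis log only proves anything if it was taken after that restart, and an O20 listing only tells you what is registered, not whether each DLL is legitimate; that still needs the file checked by hand.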