Hi Kevin,
Thanks for your help. I've done everything you said.
1. HJT could not find the SPDAUTH service.
2. The winauthm was not running in the services either.
3. Trend housecall didn't find anything.
4. Panda scan found 1 spyware, see report below:
Incident Status Location
Adware:adware/block-checker No disinfected Windows Registry
5. AVG started its own scheduled scan on my pc and found 22 viruses. See report below:
Trojan horse Generic.BJX C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP66\A0004344.dll 2-10-2005 8:30:54 A0004344.dll 20.5 KB
Trojan horse Generic.BJW C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP66\A0004370.dll 2-10-2005 8:30:54 A0004370.dll 4 KB
Trojan horse Generic.BJW C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP66\A0004385.dll 2-10-2005 8:30:54 A0004385.dll 4 KB
Trojan horse Generic.BJW C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP66\A0004422.dll 2-10-2005 8:30:54 A0004422.dll 4 KB
Trojan horse Generic.BJW C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP66\A0004435.dll 2-10-2005 8:30:54 A0004435.dll 4 KB
Trojan horse Generic.BJW C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP67\A0005436.dll 2-10-2005 8:30:55 A0005436.dll 4 KB
Trojan horse Generic.BJX C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP67\A0005919.dll 2-10-2005 8:30:55 A0005919.dll 20.5 KB
Trojan horse Generic.BJV C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP67\A0005974.exe 2-10-2005 8:30:55 A0005974.exe 128 KB
Trojan horse Dropper.Agent.PV C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP67\A0005976.exe 2-10-2005 8:30:55 A0005976.exe 156 KB
Trojan horse IRC/BackDoor.SdBot.LPV C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP67\A0006085.pif 2-10-2005 8:30:55 A0006085.pif 120 KB
Trojan horse Generic.GM C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP71\A0006797.sys 2-10-2005 8:30:55 A0006797.sys 7 KB
Trojan horse Generic.GM C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP71\A0006802.sys 2-10-2005 8:30:55 A0006802.sys 7 KB
Trojan horse Generic.GM C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP71\A0006808.sys 2-10-2005 8:30:55 A0006808.sys 7 KB
Trojan horse IRC/BackDoor.SdBot.JFG C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP72\A0006818.exe 2-10-2005 8:30:55 A0006818.exe 57.5 KB
Trojan horse Generic.GM C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP72\A0006819.sys 2-10-2005 8:30:55 A0006819.sys 7 KB
Trojan horse IRC/BackDoor.SdBot.JFG C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP72\A0006820.exe 2-10-2005 8:30:55 A0006820.exe 57.5 KB
Trojan horse Generic.GM C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP72\A0006821.sys 2-10-2005 8:30:55 A0006821.sys 7 KB
Trojan horse IRC/BackDoor.SdBot.JFG C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP73\A0006873.exe 2-10-2005 8:30:55 A0006873.exe 57.5 KB
Trojan horse IRC/BackDoor.SdBot.JFG C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP73\A0006922.exe 2-10-2005 8:30:55 A0006922.exe 57.5 KB
Trojan horse Generic.BJT C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP73\A0006943.EXE 2-10-2005 8:30:55 A0006943.EXE 220 KB
Trojan horse BackDoor.Generic.OFP C:\WINDOWS\system32\winjava.exe 2-10-2005 8:30:55 winjava.exe 20 KB
6. Here's the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 8:38:10, on 2-10-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\win.pif
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Edward\Mijn documenten\Install software\Virus hulpprogrammas\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Windows Security] win.pif
O4 - HKLM\..\RunServices: [Windows Security] win.pif
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Security] win.pif
O4 - HKCU\..\RunServices: [Windows Security] win.pif
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127940839562
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
There's still something wrong on my pc. I've got 4 users, and when I do a fast user switch and try to log in under one of the users, it starts asking me for a password. But I don't have passwords set for any of the users. I can't log in then and have to restart my pc. Also, if my pc has been running for a few hours, it's not possible anymore to open the Task Manager. It will open, but only as an icon in the system tray.
Hope you can help me further.
Edward